Analysis Overview
SHA256
55e25abc5fc0cf49010c437a6770f44fb9103bd0034e2cb0ee40e8115e5c5b49
Threat Level: Known bad
The file 2024-10-20_25254d694617c9f5e62baff92b13782c_virlock was found to be: Known bad.
Malicious Activity Summary
UAC bypass
Modifies visibility of file extensions in Explorer
Renames multiple (78) files with added filename extension
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
Reads user/profile data of web browsers
Adds Run key to start application
Drops file in System32 directory
Drops file in Windows directory
Unsigned PE
Program crash
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Suspicious use of FindShellTrayWindow
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Modifies registry key
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-10-20 16:54
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-20 16:54
Reported
2024-10-20 16:57
Platform
win7-20240903-en
Max time kernel
150s
Max time network
122s
Command Line
Signatures
Modifies visibility of file extensions in Explorer
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\XgIUMksI\LKQAYwgU.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\XgIUMksI\LKQAYwgU.exe | N/A |
| N/A | N/A | C:\ProgramData\qysIIYgQ\vYwAEMQI.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HQQogcgs.exe = "C:\\ProgramData\\HAYQswgg\\HQQogcgs.exe" | C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\LKQAYwgU.exe = "C:\\Users\\Admin\\XgIUMksI\\LKQAYwgU.exe" | C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vYwAEMQI.exe = "C:\\ProgramData\\qysIIYgQ\\vYwAEMQI.exe" | C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\LKQAYwgU.exe = "C:\\Users\\Admin\\XgIUMksI\\LKQAYwgU.exe" | C:\Users\Admin\XgIUMksI\LKQAYwgU.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vYwAEMQI.exe = "C:\\ProgramData\\qysIIYgQ\\vYwAEMQI.exe" | C:\ProgramData\qysIIYgQ\vYwAEMQI.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\rcYAsskQ.exe = "C:\\Users\\Admin\\HYMAQIMw\\rcYAsskQ.exe" | C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico | C:\Users\Admin\XgIUMksI\LKQAYwgU.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\HYMAQIMw\rcYAsskQ.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\HYMAQIMw\rcYAsskQ.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\HAYQswgg\HQQogcgs.exe | N/A |
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\XgIUMksI\LKQAYwgU.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe"
C:\Users\Admin\XgIUMksI\LKQAYwgU.exe
"C:\Users\Admin\XgIUMksI\LKQAYwgU.exe"
C:\ProgramData\qysIIYgQ\vYwAEMQI.exe
"C:\ProgramData\qysIIYgQ\vYwAEMQI.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\xgoUkcoY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\HcUkAEgo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\XOAwIkAM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\zAUUYkUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\NooAsgYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\YEkAIYcE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\HYMAQIMw\rcYAsskQ.exe
"C:\Users\Admin\HYMAQIMw\rcYAsskQ.exe"
C:\ProgramData\HAYQswgg\HQQogcgs.exe
"C:\ProgramData\HAYQswgg\HQQogcgs.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2316 -s 36
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2620 -s 36
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\AGcwUgQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\kmwIYwQs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\MwQcAYIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\PicoEgMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tcQcIIkA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\taUMgckw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\lIkUAMMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\UogoYQgI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\YyYMEkAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\UkwAwMcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\uwAsIMAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ISIQwcoI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\BGoAQYoY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\VCIUogkI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\XMwYAMUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\PqcokcAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ICQMsgUg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\YqYkUkYY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\SUwUQkMw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\mWgAAUos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\FiEgckMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\pEwAowsc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\FisksEwU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\zCcsEsEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\psscQgcQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sQIEMYcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\OYkwAAMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\MqcYocss.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\QCYwIsUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\UisgoMwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tagAQAMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\PwkYEYsA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "638628060-5542981371907355626-1142765711539390516-824665017-8530382831909486215"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\rmAgcAwg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\TcgIMwIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\muIkUMoA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\kuYkMQgg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\eacAYMcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\kKEgMogw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-661942398-279840266-472532879-489248595-1865297868-63311586530113115-556766140"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1985729524-835445459-583205538-7274497641107066562-1372715323-425262637-1762804913"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\fwAsEcQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nQcsQUQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "229317199-747237888188057360915614972351892436273-96194482-2027453646494335188"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\DAIkEcYg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\DQoAAwMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\mcMIMscs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ScEwUsEs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\iKMIswkY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\wycQwUIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\DUYwYsIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\PwIgckcU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\NwsQwsMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\LmQIUgcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-749532492-947386950-174545656-1518367484-647701025135568929035494974758462570"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-820262158-1745684485-1855034909-929145391892604056766943529-394345176991057483"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\TUoowccg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "658262839161046168817237084720421499283926416681909168957-965385430743622756"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\WSMUkYQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-125282166114830334331455330329650725426-549287470-14556298221641176251961942242"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1857535210-1770916297-9809181421365504188-54311677112717400351673427901249716846"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1490219884-875258364-92720273-1411040331424004457-5067858721515940139-516544776"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\cKQUMcsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Network
| Country | Destination | Domain | Proto |
| BO | 200.87.164.69:9999 | | tcp |
| BO | 200.87.164.69:9999 | | tcp |
| US | 8.8.8.8:53 | google.com | udp |
| US | 8.8.8.8:53 | google.com | udp |
| GB | 172.217.169.14:80 | google.com | tcp |
| GB | 172.217.169.14:80 | google.com | tcp |
| BO | 200.119.204.12:9999 | | tcp |
| BO | 200.119.204.12:9999 | | tcp |
| BO | 190.186.45.170:9999 | | tcp |
| BO | 190.186.45.170:9999 | | tcp |
Files
memory/2892-0-0x0000000000400000-0x000000000042B000-memory.dmp
\Users\Admin\XgIUMksI\LKQAYwgU.exe
| MD5 | 89dc5e58bd2d75ec434c4af218f2f1ce |
| SHA1 | 3c9e11287f036f474907312f34d2e9489d6f41f3 |
| SHA256 | 61a2b92ddeb231e1958a0d3dcb29508c90be485c053f4e31c58d3798ca52c6ad |
| SHA512 | 37920f1ea4ce75efdac0202d6a630cdf53b20217c8b99eea6d74c1087323be15b2eb1e2a0c05112bb9395772988c92d6f673e216ddbbd34d5cababaa55cdc60b |
memory/2892-4-0x0000000000360000-0x000000000037D000-memory.dmp
memory/2892-10-0x0000000000360000-0x000000000037D000-memory.dmp
\ProgramData\qysIIYgQ\vYwAEMQI.exe
| MD5 | d3d48ba633079d69ef8e4668666b7950 |
| SHA1 | 611f96561f227d347dd504b31a5c9882e6db3a2a |
| SHA256 | 77220af764eff39cc4e1eacfd858d889bf6ff084c29e3d8207c3ec3142cad302 |
| SHA512 | 602dd1bdc9d8d33b25229c1616cdf2437c29c0f727d7f9bbee135e533a1cce02269be629680071d73006d73b835c5f2a796153cfb7aae97d783d9e907e34da51 |
memory/2892-16-0x0000000000360000-0x000000000037D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sIgYIAsI.bat
| MD5 | 24709527baa6ae77c4472c05a59a7b09 |
| SHA1 | 52ffc0adb6e2dff3580ccff8873dac9ecb00d6c8 |
| SHA256 | 5dd3f44427e7fed597d9bc802a2dde06a950b9f2dbf2b6eb8c97649430d102ed |
| SHA512 | 9bd4cf1f820c25e6b1af074377b203ef8bd6387390147b9c5b2ea7ff1a8cdc0f4cd77612bc10cf031e1d04f0c05d4a28c768af6a4a3e83f1c8f2374e7408be07 |
memory/2612-32-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2828-31-0x0000000000160000-0x000000000018B000-memory.dmp
memory/2828-30-0x0000000000160000-0x000000000018B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xgoUkcoY.bat
| MD5 | bae1095f340720d965898063fede1273 |
| SHA1 | 455d8a81818a7e82b1490c949b32fa7ff98d5210 |
| SHA256 | ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a |
| SHA512 | 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024 |
memory/2892-41-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\file.vbs
| MD5 | 4afb5c4527091738faf9cd4addf9d34e |
| SHA1 | 170ba9d866894c1b109b62649b1893eb90350459 |
| SHA256 | 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc |
| SHA512 | 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5 |
C:\Users\Admin\AppData\Local\Temp\rkQUgccw.bat
| MD5 | c5cf9e788f1dc37cb9ad444ea7f9f687 |
| SHA1 | a8db1ab96e5d34185e2e0bf76a38f9d062a6014d |
| SHA256 | 649d5de9c6d667a11eb5fff34b6e1ad7838640028e75aa20367d4d17c710b637 |
| SHA512 | 48eac44ff9fae722cf7f282b90a7add93ef467474f76a4f37cb28e9d4fbf95d0d66f2c53065918dce93a68713559184050d56dc0183e24206d278a5ba0d0e395 |
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
| MD5 | 5861d4e6983be2b92122bcfb7d239eb5 |
| SHA1 | 892a1af54e23a9960f63eae6369c526ef325b77c |
| SHA256 | b3de971f88cdd8219cd9bf4a1212107b4052f468caac1f196d756ddf095acb48 |
| SHA512 | af3ce9a9c4a7be34e1d75bd9e25b483cfadc18e50cdb3229c5bc70bf965f6c478a707711154066c446f84ae5b6216917dd34935ee69772c305a00bc6d5040178 |
memory/2052-56-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2184-55-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2184-54-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2612-65-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\rugkQAIg.bat
| MD5 | d87d60009527e249b2a6860a40361b6d |
| SHA1 | 518eb1bf011ebe50491cf7a10914efb6b16077c8 |
| SHA256 | b9ac048da91260baa2c4db3a53747f69ae24c9f0f577cc6fb25b411e0e4a420e |
| SHA512 | 367972852f0bb4dca11b849aa5505f0ffd1e870a6609477ccdac28f224d25f466adfbf102fc1c1281a97288b295a6c94aa10a6de797795a8c39a53383223da00 |
memory/2400-80-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2092-79-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2092-78-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2052-89-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\VEIkcQIE.bat
| MD5 | e6511937c2bfc6068f1f446aafd4a24c |
| SHA1 | 736df30cebb322ab967cf7f55fe8387ed2f29433 |
| SHA256 | 28cbaf64e8bac2514642369c7f68b601adcef4cfe4d1a6fec141d0a37037a77e |
| SHA512 | d2cf06458318151b9166c4eaec0fe9781a545aa66219d9877440c8c2cd3d98d445dd480194e1b648db2f8a344e1925530e4fb99bfe96931d9f04e06e5f7b0d8e |
memory/1780-103-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3016-102-0x0000000000160000-0x000000000018B000-memory.dmp
memory/2400-112-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\LkgAckcY.bat
| MD5 | 13d47d1a93ddeaf59a2c2bba837b5eba |
| SHA1 | 08df35ffb5d5696e3fcc4cabec3c253a37406609 |
| SHA256 | b8b265ede1e3d53bf2d4ea0c1741c79a8a1b3138fe4e617ef0ab86bcec9658fb |
| SHA512 | fdb66ea4a2bbdf84fca1e3f76665420e317c7caea3878cbbbeb4b8c41f67b5e017e42a26662e1cc9d1be7d9c1e2fb0b337b16389cdbdd82b89059b7264c742c8 |
memory/1376-126-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2160-125-0x0000000000120000-0x000000000014B000-memory.dmp
memory/1780-135-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ygEgsgMI.bat
| MD5 | ec51b51e52cc6be7b30e2ecf2def0998 |
| SHA1 | 094277e2025be59a632aa91f60d4c28f793b1995 |
| SHA256 | 422300d2ad82a1096b36e4f15e56ee11e23434d5ec0549c94c886fd3a2a42875 |
| SHA512 | 481e20396d76df479a3a4055b2ec9b50838fc1cb6927582ae03c602da64f24aa4144e2682bc980232a76cf2b532ea77b771a233a78bfbb08ae898c800b158f2c |
memory/2380-150-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1724-149-0x0000000000800000-0x000000000082B000-memory.dmp
memory/1724-148-0x0000000000800000-0x000000000082B000-memory.dmp
memory/1376-159-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2620-165-0x0000000000400000-0x000000000041D000-memory.dmp
memory/2380-163-0x0000000000500000-0x000000000051D000-memory.dmp
memory/2380-166-0x0000000000500000-0x000000000051C000-memory.dmp
memory/2316-168-0x0000000000400000-0x000000000041C000-memory.dmp
memory/2380-167-0x0000000000500000-0x000000000051C000-memory.dmp
memory/2380-164-0x0000000000500000-0x000000000051D000-memory.dmp
memory/2752-170-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2196-169-0x0000000002270000-0x000000000229B000-memory.dmp
memory/2380-176-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\GSIgYUMw.bat
| MD5 | 42430189060ddcf510a954415a7722ab |
| SHA1 | eaf95c39fae442fc5e9b91de18b00f19dd230087 |
| SHA256 | 8b89741f98fa9f246796c25dca47ab756b74f23c13861521554c750a3869db58 |
| SHA512 | 9eb4adf9abe390143869d1005830c07413e2e038a5867c5c21a6fbb6ed24312bcbe3c0011b0b1dc7051822dbdfc55793fa2ee25e758d1e80176e35541f8f9d7b |
memory/332-190-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1656-189-0x0000000000120000-0x000000000014B000-memory.dmp
memory/1656-188-0x0000000000120000-0x000000000014B000-memory.dmp
memory/2752-199-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ScAcgMYY.bat
| MD5 | 4cac3e09c7f122acc0b56dff9a840701 |
| SHA1 | 7535330b22f6d70abc9a88e2488899e782823685 |
| SHA256 | 84d55f7aee3167946854fd18288097c3c56658146b59220400cecc6b6bdf2b0a |
| SHA512 | 654f299cf00159c317d89c1289b2ff678c5d3914b88d7a776d63853af17b3cc7f76f0008a34a6f1c73a90e7a31ea61472d8d882889fb8b13f3fa4c998dd1b8df |
memory/492-212-0x0000000000390000-0x00000000003BB000-memory.dmp
memory/3024-214-0x0000000000400000-0x000000000042B000-memory.dmp
memory/492-213-0x0000000000390000-0x00000000003BB000-memory.dmp
memory/332-223-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\PoUoUwsA.bat
| MD5 | bbc15f2a80463a6cf2c815d6cc4e041a |
| SHA1 | 84e5074d97ddefc6006dbe3db5e6cd8994f32de4 |
| SHA256 | c0952a178996e2e6e9f66ca0b928ad260bc48e998385974e6f07a2c098409974 |
| SHA512 | d543ed45c2184a6a6ac0989d6a9bdf06ceb274bc6b31c537e9fc3f5e55712ca24f2473aafb624600447e8b913f1fb6401fb4c1b62626675e327846fd17409f49 |
memory/348-237-0x00000000001A0000-0x00000000001CB000-memory.dmp
memory/348-236-0x00000000001A0000-0x00000000001CB000-memory.dmp
memory/1048-238-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3024-247-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\pCoYkcAA.bat
| MD5 | 74223af531a4164c6d6bcdcb8317307e |
| SHA1 | e825346982c14094bca2b32ca4020090d8f1e9da |
| SHA256 | e247ae9a2aac59cb614a5d1ae4598366bcb7780489e97ef0fc1e0bb258b9bc1b |
| SHA512 | 56eee6e74f9de32f6675c781565047891af60bcf8817d6479a6d384ea99ed27a6a55d456afa42fa964268286fb7f9151ade7939b13ef118fa9c7fc83b606593c |
memory/1040-261-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3064-260-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1048-270-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\HmkksggA.bat
| MD5 | 2183f6e131c1b0f7bb718f5516f7075c |
| SHA1 | f0567fd2630d3bf52a268914501f4571d8e5c1ed |
| SHA256 | 9f2e96b724d3e8616d0546fa6c6693d0aec53475b626e4805c9f878aa287ce9a |
| SHA512 | 80022fb59651123b323a1d3a0e17712936dddc7c388bace43979befd753020af21206421185c500749f2231119a44fd4f3eb59bce6b42622df289ecb1affc31f |
memory/2696-283-0x0000000000160000-0x000000000018B000-memory.dmp
memory/1040-292-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\lqcwwAcs.bat
| MD5 | 6c1d17260cede405b87e3e128fcd0b2c |
| SHA1 | cd71812eeb068d0bf36c1e44ce75b66f8a45f299 |
| SHA256 | fefac2a67140c776647d8a6e14803ac4dfce09b3e3cc13c19954bca704b63017 |
| SHA512 | 85e019efccd6148fff1a33ce23002ee27ac517709dd73036a0e9719b1daf12298b92f3b845f3582eaec189a78fe70947fc51f8ba4ec1d986ca3c158f31f2ed2b |
memory/2648-307-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2796-306-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2796-305-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2176-316-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xykkEkkU.bat
| MD5 | 6baa82ef74df362ee574ded6c89b26c8 |
| SHA1 | 0e09792281baf939a368d9f1303a18590cca683a |
| SHA256 | 95c245652a1c4214911fc0b073076cf53aeadeab8895ce014d41569b505de209 |
| SHA512 | 1c82d9c9c1bab529add18140096e97e6b4250aebcb3ba8666ae0c19762d08d87781908463b40792c2b977c7b865d1d94b850743d0ecf2cedc191646b9febba3c |
memory/2540-329-0x0000000000160000-0x000000000018B000-memory.dmp
memory/2756-331-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2540-330-0x0000000000160000-0x000000000018B000-memory.dmp
memory/2648-340-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\mwMgYkMM.bat
| MD5 | 3dc6d1479e7aed44ec8675a3736f0280 |
| SHA1 | 443dd65d05a39bb9d25d3db1748ac780cc1f4085 |
| SHA256 | 5648d9be159ba380c34f3d104c45f5ca9b09e53810383cbeed1d267a2a035f3b |
| SHA512 | db246fae3370541bf317926207f70f3dc85c96b8094f69f0deb73cc4a118ac64f1f3f3732090f8f216bf45d41f36f44b0de25c4442ed9cb0b2d39d88e6f9df95 |
memory/1484-354-0x00000000001E0000-0x000000000020B000-memory.dmp
memory/1484-353-0x00000000001E0000-0x000000000020B000-memory.dmp
memory/2756-363-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\QQYoQIcA.bat
| MD5 | 90bec941716b04a6dcca303e25f0f392 |
| SHA1 | 74bcc9429ce9088ab9d74008992d5af6cf35d3c2 |
| SHA256 | f595e41fa1f7c88aa2a56fb365374621c6fbd57b703546931c4c5e0bfce862ef |
| SHA512 | e3ad642763318231f65cc633db9e7248e1cdf66657c34597221a1e20b3cc09d1a1bbd52855f1a531302ce494d33407c5771b0b6ae624eca531b207b3ff3719f5 |
memory/2060-376-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1984-385-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ImowUkow.bat
| MD5 | 7bf89c6e08cbe99f036cf6196bb3720c |
| SHA1 | a992f64ed889fe74a9d08457cc274dcf4a2c955f |
| SHA256 | 8e0fc114a3d914983dab8dc9c225364184d4ff0292d169f8f8d0e41d67badd9b |
| SHA512 | 4ff67498853f4576098d60a2fddc1d570946aeb5a6758b608b3221b54e34e45b1f184d7060d0746d6aa2ad6e6e037b5dbd7bdd33c77c11c2e8fd628f8ae644d9 |
memory/344-398-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2060-407-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\uWQAQIUk.bat
| MD5 | 5f3dce56958d6a3c722418af9ff70fa3 |
| SHA1 | ffa54be05a9a157160917feabe04ac4a95f38dce |
| SHA256 | 29f3282d61c7ebf3762526379816dd17906db8e4d48e24ffac5cf9257526836c |
| SHA512 | 24ab1f8846ccdbf9fb5b0ec24ed5347a8030569607b2942956813371d81f2e2a90aa0d855840ba6b49bfc010d4c4f20624af7fdd2c46c617ce3f330b0288881f |
memory/1512-422-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2576-421-0x00000000001F0000-0x000000000021B000-memory.dmp
memory/2576-420-0x00000000001F0000-0x000000000021B000-memory.dmp
memory/344-431-0x0000000000400000-0x000000000042B000-memory.dmp
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe
| MD5 | 9d10f99a6712e28f8acd5641e3a7ea6b |
| SHA1 | 835e982347db919a681ba12f3891f62152e50f0d |
| SHA256 | 70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc |
| SHA512 | 2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5 |
C:\Users\Admin\AppData\Local\Temp\vEIwYkMg.bat
| MD5 | 39d2fb77e1627c0d2f203cd658d8213e |
| SHA1 | fe6adce1b2e72e9005d9324bb5bb508081adc650 |
| SHA256 | 1a4d5bd44576e6fe0da79a12d8d0440f4de6303ebd3db1fcc2ad318e4381aee8 |
| SHA512 | 39c29ededf077244ef0fe7a09fb8f12b1d54b10cb89e2a2775f69f44756bd489785cc990f3daadaefe3716fec9a0591d87f2d9942f958dc9ec97d7a911d69c4f |
memory/2216-445-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2216-446-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2900-447-0x0000000000400000-0x000000000042B000-memory.dmp
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe
| MD5 | 4d92f518527353c0db88a70fddcfd390 |
| SHA1 | c4baffc19e7d1f0e0ebf73bab86a491c1d152f98 |
| SHA256 | 97e6f3fc1a9163f10b6502509d55bf75ee893967fb35f318954797e8ab4d4d9c |
| SHA512 | 05a8136ccc45ef73cd5c70ee0ef204d9d2b48b950e938494b6d1a61dfba37527c9600382321d1c031dc74e4cf3e16f001ae0f8cd64d76d765f5509ce8dc76452 |
C:\Users\Admin\AppData\Local\Temp\oAYS.exe
| MD5 | 3be786610eb8b4e8054df598ba946775 |
| SHA1 | 2e22d86db1ac43f772afcecbcafb9fed8271d9ba |
| SHA256 | 1be07fad0898fd04681e61868c7fe2e0d448f29a1eb1c32967d08a4d59adfc2e |
| SHA512 | 113dc8e03a073c03da4b4beb130eccd60cf7bde843c2ef0dec882255fec698b38a55fb07df1f98b49c4c52e74e0c291e22b0c4911c0d31e58cbc1a618fc1c324 |
memory/1512-463-0x0000000000400000-0x000000000042B000-memory.dmp
\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe
| MD5 | c87e561258f2f8650cef999bf643a731 |
| SHA1 | 2c64b901284908e8ed59cf9c912f17d45b05e0af |
| SHA256 | a1dfa6639bef3cb4e41175c43730d46a51393942ead826337ca9541ac210c67b |
| SHA512 | dea4833aa712c5823f800f5f5a2adcf241c1b2b6747872f540f5ff9da6795c4ddb73db0912593337083c7c67b91e9eaf1b3d39a34b99980fd5904ba3d7d62f6c |
C:\Users\Admin\AppData\Local\Temp\PcsYYwgw.bat
| MD5 | 6509429b131c3ab5e7a83d41bf3dd0a4 |
| SHA1 | 988fc1032c49013b856dd5867a43e0902df9d87e |
| SHA256 | 9e811fb7f13f81df71cacbcf5861b3ce326f484a5314dde1541d46fd496fda8b |
| SHA512 | 59bcf99f37036c1a3089397c01f2d2b62bfb74c6cbf2ff1fb08d10c0fa55fa8c0210210e4a3914d8ab3c9bed659d39c0674e40cac02b5eb16150f42db994cde3 |
C:\Users\Admin\AppData\Local\Temp\yAcE.exe
| MD5 | 05152f6e7a84795c25bbe88d19ef199c |
| SHA1 | 3c9af660fa3163aebb10e1f7274ed14ac554f762 |
| SHA256 | a6c891d38080117d724a79f0635930f868b49fd41c2b5384c4ad02a5e6361cef |
| SHA512 | b14a848a70ea3e1d734d64f18160d47a0119f2eb02d0905c4451be355b27d5e022b8deadac7cbe91f615ce9ae041fdf0b94819833e2a2a5e1b66d9e883328624 |
memory/2432-510-0x0000000002260000-0x000000000228B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\GMcI.exe
| MD5 | 190c566cda5edb310ae2b28b4b6396cf |
| SHA1 | 2234dfe4634d3d744475c7bb26cdbceedbca9781 |
| SHA256 | 12ec2e304ea5e183e2449ebe8279af546e9041661a6f615e403b65a12cdc53f6 |
| SHA512 | 736c154e111b3cfb7c4952ee261f31438ff602b79b23d471fede8a7a5e9b1481536ebf11ac915ac24d02829eb81766dcd02a9a4e91672c3071dbf63c88a8e97b |
memory/708-513-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2432-512-0x0000000002260000-0x000000000228B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\gQMQ.exe
| MD5 | 403b16bc6811bfdec657799723a35a76 |
| SHA1 | 61ea95b66f2f9332c5a47d0e8dffe06f2cda676c |
| SHA256 | e316db28521a8a66051d6acb1fb490cd167c325d34e12409dd004a9b36452995 |
| SHA512 | c33e8542c986e2be35f613e8d64d4531f284acb1d1508ee025e213dfd984506eb05de1d232fdfb51b2f8b7e11d0459be48cbe5534382a8f253c798d42f12e47a |
memory/2900-534-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ucUw.ico
| MD5 | 47a169535b738bd50344df196735e258 |
| SHA1 | 23b4c8041b83f0374554191d543fdce6890f4723 |
| SHA256 | ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf |
| SHA512 | ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7 |
C:\Users\Admin\AppData\Local\Temp\isAc.exe
| MD5 | a9c73bed0ab3fae8fd27cb4bd9340fa0 |
| SHA1 | 4ab853202d4a3446176bb5be036b39ce44a7b6df |
| SHA256 | 08985004dcc1978544f6b6e66c2cd9aaebc355f4a10caa1f7fe6b5f578f9d6d4 |
| SHA512 | d2422b465d4453c9229f54e0259999ef3ef9971f4592742c91b5f8b00e7584e896dcc32e9b296186ff1cdcf769b01c1114f76a5a6f776e9b9866a239b28db26b |
C:\Users\Admin\AppData\Local\Temp\CAMg.exe
| MD5 | d37b4c73ab944f56809ef263da11f7e1 |
| SHA1 | 73486112991ec385b9f8bca50f7f7065cf41cdfd |
| SHA256 | cb4dabcb64f7f89b1fb565cd741c18a3667c6ea4a639ad678908cdb12ceaf229 |
| SHA512 | 58a19fb44bc8de93976c2955d75a11abeef3486014fbeced03f544b70608bc767aabb221b870ce5a1896cc82f13a7408f9d155617868965e9772d4844d80eca7 |
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe
| MD5 | 9f9370fc4e385899cfca72eb186b9d9e |
| SHA1 | cb7ed57577d4276be411bc83ef8b303d3a2e3c48 |
| SHA256 | 7f144670fee5f18e955a0ead4070b880e184aa069fff55480985e8422d307072 |
| SHA512 | 89b330cbc85cc147e38698e10154b1554dbca45de1eba619dd6e4f4a2508dd3b0f57fc98d0b3417747355c9017310a8084f9c0c311c5b415f9ebb6408220e5e6 |
C:\Users\Admin\AppData\Local\Temp\bCMAgocs.bat
| MD5 | 8a1a3bbf26fee8718736193fb5f2c748 |
| SHA1 | 88fff55b67366ba11c93e5bb87b592f428a33068 |
| SHA256 | cd265b00f1a23559c75eb0d8235a28c48d2d3ce56e57371bbcdc044728677204 |
| SHA512 | 482fdbb240126259bcdc3bc2f8f5dbf5739f03dea8c7ea6cebf96dd99a877a74b6e1abf6072f55e391ad3fc18552a1c011fe122cd94325c4eb5ba62b7d1ca3c5 |
memory/2616-596-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2684-595-0x0000000000120000-0x000000000014B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\gIUk.exe
| MD5 | 7c624b4cd61713fcf0756bc59fe31610 |
| SHA1 | e44fe63249ba4c6209b5aa57a59576fe87884e94 |
| SHA256 | 2593c41f1561f31b8022466a92d06bd2532242d50f2a20766b3f7912ec4ae6e3 |
| SHA512 | 25c704f606ea46923cfcc880c251c13d3deae5ac5f944b232e4f3f810b39fd7d6a79dfe3ee313abb869b571a3b550bd3f498551214dad9c5aa5e2c49bcc0c0d3 |
memory/708-618-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\UUka.exe
| MD5 | 28d39bd49abc60dd98728bec6d732caf |
| SHA1 | eeaeab667acdee891c3bf14abf37f7963b762583 |
| SHA256 | fafef0b51b3be83e95a62b2a5aba4f02c964782599d00c11889075f652d08227 |
| SHA512 | f026924458b09252b172948aa9d56f63e66ef1147dc6a2550412fb9dc8ce507b5987e452d8250cb4e76ac1cccb7e434e66ca3d8802a0b74c2c6af51edd70201e |
C:\Users\Admin\AppData\Local\Temp\cccM.exe
| MD5 | 7c8b4282a0afa87374932a275125a9f6 |
| SHA1 | 8d86f566f6aed7401daeacb871b8e7aa586151e9 |
| SHA256 | 545f3fe5ea369d2a78723e89363642fb678e606543af32c378236a10de1a5f18 |
| SHA512 | edc6699a372cc496923d9f6804f35a746e346701678d5e57a252a51e2c0a634911c16376407d59a7b0efcdf3101e619651d522ac50ccaf9c964645a2ca9efee3 |
C:\Users\Admin\AppData\Local\Temp\LeMIkQQg.bat
| MD5 | a70f7754c1f0f11a15d2f7b7709a6e70 |
| SHA1 | 2398d4bab03a052198907061c9e24239487cba98 |
| SHA256 | da954eee2601a5d944ff79d964fc9bb64864962a3fd5c43775926ec4609d760b |
| SHA512 | 7b049f96b917536e22f834bc2480cf58d19760b844442bca527b9151a2e6b83627cd2f955445eb66c6436819f918c84a11ef8500f994d6add0e87a64369d027b |
memory/2964-656-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2964-654-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\mwks.exe
| MD5 | 0e9092da4b6923ceeea1974dacc49730 |
| SHA1 | d1f5228bf3070b35f19ce58e850447889574c517 |
| SHA256 | bf21df97ab59ff783e7ec710df71c1aa79769fed4d5a02ac50308d93c4c0786d |
| SHA512 | 1b2c05a91f0efce75b6e926bff3bff3062183a4dfbe1fa8c5e763c21567f54481d30c5f6f1c8892f52a1d644075c0533f8751e1260110a0416cc6f7293964215 |
memory/2616-677-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\SkUS.exe
| MD5 | 5970770395494ada9f6f2981faa834a0 |
| SHA1 | a30d98ea4225b3027144446f14c32fd8fd711dec |
| SHA256 | dad3650d7e92a01058b85e592488f81c63c3c5bfe89a28a9a017718edfaa9039 |
| SHA512 | d23ec773ab16837f1e511102fc63e33bf10ef32ffea4ddcaceed98ec20211fdb8cbbc9d8ddfdf8cc6ff0aabef5bb14cb355e3a32d14718f5c888a41cbe52d692 |
C:\Users\Admin\AppData\Local\Temp\oEks.exe
| MD5 | 4fd41b332dea7444d2895fa6d70fe317 |
| SHA1 | 22addd9b1b173390a2edfcc11a3802c772b321d4 |
| SHA256 | 9ae5c7fa37072bf1da1fcbf937ec746344fa887dd891b969d37020873ca1d368 |
| SHA512 | 8ba58fd0647456baf966cee86deea02438697c38d60ca0fd072d68af8d61f2ba2d8812493671bb1de14a7368b3d1e52e9a3516780eda4c43aa6f8f4e25d2b089 |
C:\Users\Admin\AppData\Local\Temp\ascs.exe
| MD5 | 341eb144e7db487a87c64416292f3282 |
| SHA1 | 7a463b58a9ce71c88fdbe1f0ddb59cc0ab2b7480 |
| SHA256 | b7ea877d8db84b878c59894c7c58e763b88fff39ae86deb5520007f9a8f61391 |
| SHA512 | 2c2c55681962590d84d1c35d044a19c805319136e8e9bdbe19d15dc4c181fcba474e0fe3456216b59db97629bfe27e7a2902364ec1d3a37851f88bd9d5b71581 |
C:\Users\Admin\AppData\Local\Temp\uYQk.exe
| MD5 | 389f2481b7b8f53b82751965982f6d62 |
| SHA1 | fa5457b741213240a15ad5ee963aba7c6cf366b3 |
| SHA256 | 0240852982a56bb7c893f7258844369f6c04e55d686d70ef919b1d17db69daac |
| SHA512 | 5c8fff8ff3fbbb4247d4d9d9734d72b25bc7c5623599be2e87289c57c1f8d60fe435aa02aa041e4f4e1783d2ec0ce545824f519114caaed855a69c422270539e |
C:\Users\Admin\AppData\Local\Temp\uAUQUcEs.bat
| MD5 | 2fdd7149677a813abe3792d3ec2253d2 |
| SHA1 | 73314630b3c22707ff80530d73d97ed10db583ef |
| SHA256 | df4c127b731e6d4ec90868c34f66d3671eae5153d54eb94ea0618f5019d744af |
| SHA512 | 29b881e69f2b720cb1a7bc847c2961ab7617e28d76ce39c8c980046e1f2b3548ab8a0c084d7d06cb0d56b3a3c70d461d5e8f097daf196d98e22e28390d1ac492 |
C:\Users\Admin\AppData\Local\Temp\Kgwy.exe
| MD5 | 403e7d9e9c4abe3987984486d9182f5e |
| SHA1 | fcde6b82420fc8c22b0b0c282aac7fa2e59c7899 |
| SHA256 | 0e04a527f01901e607e0e16b4079ef1a8818955b2112f6a245edfb209b25ee11 |
| SHA512 | 61dfdfd6bf6fcbadd65f274f657c0afbd59278aa2d8263f4d12720de6ee4b4047b71454459bf9374a8e85eebeab284c4e55f71be51d8fb5aa2f77c7fda9e1721 |
memory/2276-766-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2860-765-0x0000000000180000-0x00000000001AB000-memory.dmp
memory/2860-764-0x0000000000180000-0x00000000001AB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\mEow.exe
| MD5 | 232f625a50a1ae22452ff5e93f897322 |
| SHA1 | 759a2ed0f43461579c2608e58e65cd94fea0f9a5 |
| SHA256 | b1a257096fe60ec91c91d579e17f41ffb397356787ccf761ed900dea2c5f4804 |
| SHA512 | f14167d6143b0df85d208333ea09fe18be7cafd1ec064d2d6d209d6e03770d0d32a28172a3ea0fc8409df7502ec5b2e2d0b45cd908fc4353cc603c1b2bc1c7ae |
memory/2924-784-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\GIkG.exe
| MD5 | 689e5c1657c33672ba310f7fdbc07967 |
| SHA1 | 2e2b9bab1adf1296a57e84b078e82707e70a8bc8 |
| SHA256 | 0d4dc1d0d5c45b8fb29c546c2e9cf8fe00e5f5adc3701b38e29d0a64bc00adf2 |
| SHA512 | 6ea133646aa535f0cdfdb671f17649f522adaf2ea68499147fd1211cffac44284640be0da438710b71d2ffe345f4b7be620a8e2cc25ac0f26e036595049b8b58 |
C:\Users\Admin\AppData\Local\Temp\AYYg.exe
| MD5 | aaf47c47263cfc2976d7c3c51adde0b0 |
| SHA1 | 761f510ad210290292ecb8b0f20662f44d3cf00f |
| SHA256 | 16c78a686b15157f7afe17e5088fc82a93d51b3695c117b305e70d473fcabeb2 |
| SHA512 | 1989bed24ba096ab2e6e63a09652749eb81bca05312cc9eb1e35e074987bd43a252ec0fcbfb08ef68d9d94e78f790bd9c5f4538dc47c3c59b352b0ee51355863 |
C:\Users\Admin\AppData\Local\Temp\GsoO.exe
| MD5 | b38d7d893ccb97b107754a0741147d2b |
| SHA1 | 9c37185c714562ccad4a7944abe698f6352ca15e |
| SHA256 | e7c250c7c91293ff5ed330d3a212fce9c4d823d8344380acd1ca4143630c2ff4 |
| SHA512 | cb06773b2c3d5e26a5c1a96a999b8fd60836e864a923aea504c0d95a22ad2b03f2bc8f8aa841d479131b8ff6e1068ff6d3d623f75f2a61d3c8b404e2a12118d3 |
C:\Users\Admin\AppData\Local\Temp\sWYMgoUc.bat
| MD5 | 581d0c9e41a13da743398a6a542b5bc4 |
| SHA1 | 9d6724e7bd85aeb861fc5e2681dd3526c563da02 |
| SHA256 | a25e251b05e49b1c1ae99451de20a73866edcd8e93d07a2e32d69262c7238970 |
| SHA512 | 6a14032440868b7aa89b28de2d3e69c89956706bd168f8abe8b702c95957246b9363c74537e7605c01d7ade40a4d5dfa2678dc407b0df0388b30f4cb9bd915f2 |
C:\Users\Admin\AppData\Local\Temp\yckq.exe
| MD5 | 5315eed4e5b292dfc00ec39e7bf04cfd |
| SHA1 | 7844fa1bdf1ec72ddfac42ee6c796b729b92fa68 |
| SHA256 | 07fff6c2602fb601571b26aace99908d4b15c0cd15b5e067d4cf3a49f9cc560d |
| SHA512 | de3a7221da6cbd423ac4b5ff80a2ed77e43742ffdea5f658bbb6719b5eb001b486486080899c675427423ead52b2adebf330e12834e7daf87677ea2b30930691 |
memory/2720-852-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2740-851-0x00000000001B0000-0x00000000001DB000-memory.dmp
memory/2740-850-0x00000000001B0000-0x00000000001DB000-memory.dmp
memory/2276-874-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\KMII.exe
| MD5 | 5e220f906ac35340bb9e7138978fd7af |
| SHA1 | fd40b937d8cdf9ba0ee83425a37ee0b9e1f2e48f |
| SHA256 | 5b61d4f14332c5ef28f58c096a5245824071972df452ab567ec9bfedc419218b |
| SHA512 | c2de91054413d6c7122dd49bce9b9e40b1c6827c6ced5f62787c2c37dc1694134f00b3fd00dd1bb93dcdedd0d82267a3445231c2c262c122f9e1f974297babd5 |
C:\Users\Admin\AppData\Local\Temp\UYgo.exe
| MD5 | a0fd0b8a56d332eb2e19b1ba6726d3f0 |
| SHA1 | 987437ad39f4772ade6609160d0c37de3198a5ba |
| SHA256 | 6a5be3c137234bfaa4afac9f663015393e18a709eef4e5af814eda5cfcd39f8e |
| SHA512 | 0d74914e0100fde77ef94ae9691fc649b2dcf78f594c3413bfc6a33db1f0fbed27e45157d2f62fef9fb9ac8eea5ca39b499e4ad307fba871e10a0a0088b35a28 |
C:\Users\Admin\AppData\Local\Temp\igAg.exe
| MD5 | c747833b74943cf01ef00b29adbefb32 |
| SHA1 | 7e937c16cc29ca1011f84dcc0bab7384aeaf680e |
| SHA256 | 7f0db7f321740709be523fed3424dbc871583a1a16195812cb203687b10a3fd1 |
| SHA512 | 554dde46b626a769e65f41cf0716e9391d6513108e07050b4bcbee302b006ca168225bbc32b1743d2235275dfd11d9fde8dad7ae0660a6eb0e6bba6e7652b982 |
C:\Users\Admin\AppData\Local\Temp\QMwg.exe
| MD5 | 50c36a0779136a3dddda84b700f4df1e |
| SHA1 | a2f125fe9176ad202297df63adaed078653a2442 |
| SHA256 | b10bf183d75a6c413feaf9214d003add32238edcc274b68e67fd2804bd9ee95e |
| SHA512 | 974b7e9ad67d98ab15919d35d7316c2da0268e063c4c8053d1ddee7fff10aaa8a902f694d36d806c2859cd5b5207cb1eaaeefb6c0d615e7c3e7a882f2dffdbcb |
C:\Users\Admin\AppData\Local\Temp\EgcW.exe
| MD5 | b3f6adb2ba2b06f09605b15ab54cb2ee |
| SHA1 | e6313d2611885429ec3a135cd1fd25382536ff70 |
| SHA256 | 294be28ab5d1d68fb7582edc0437cff03b3880c1b906e153cb552b7382f67a08 |
| SHA512 | d8566303a4082271bb1b2e92b3ed6ae15c4c7e00f63e37abad15aa5c5e3c1b112ab78d92d2395015593aef6bfddf79102fed671b20cc37ed0a40bd86d41307f2 |
C:\Users\Admin\AppData\Local\Temp\mQkoUcwE.bat
| MD5 | e76eeecdb292a06dba7e9706867fda03 |
| SHA1 | e3c7683863d83411785de19bfb9dba099b1419b2 |
| SHA256 | cbf87ffadffafc4a4c312df054948c125009ebc61566dcb0249796e6ce20e6d2 |
| SHA512 | 3ee554404c5bfc768f54864a77ba11a2540e1501ecd1293a069ebf61575c7a460b7643e18aed6bfd7766b9bbd219112f30ebb920fe3594b7eddc5aedfc095cea |
memory/1160-950-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\gggk.exe
| MD5 | 6705f3cd133a0cdab919ea0a5d50c6c5 |
| SHA1 | 8ec9dbc19eda7ac11ef45751f073e9cb596be103 |
| SHA256 | 5cfd64340a3cab7177bce48ecc4fb023e598ccd46898a1e3043ff4fbdda3b8cc |
| SHA512 | 977c2f4d5066f35ce9f481bbd87b320d374dcfe003ddfaf13a5943596658f1c9b0731efa2040f26ef372d488f38e011a4f7c2f66af2fb78cbf3355e3b477d910 |
memory/2452-940-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\qYMS.exe
| MD5 | 6f738463d7f0e3eda2b9774923c68e43 |
| SHA1 | 684038db05fb3c69566ee4bc540c97636e267605 |
| SHA256 | 0cd8a72047cb6871882dfc0106452d5dcdda1a7056d47d08e5269fa96723479d |
| SHA512 | 277b6f0a2b2d7e7ddf5a47e9497452755354df74f9976053d0646f528d05d71d5973dae0552ab9b1d09c058b26dd9de8e2c3b0631c3a7861773ab748a8d302ff |
memory/2720-959-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\QIAw.exe
| MD5 | 71eb2d47830e2f04dbc41bfde8ede95e |
| SHA1 | 2a52df3f75744bdd9fecc69bebe9bcad86e4385d |
| SHA256 | c7e74f9d53c66ca0d94172f99a64452d6f33ae09f053c22debda28416ab66922 |
| SHA512 | 27584ce1f467b90563015ea1da21bfe073536bdc2fa46a232b15af518fe5d49c19d31b860d6691d39790489a8ffee7d0b012770d1b35a7bd943a44cf33e8d102 |
C:\Users\Admin\AppData\Local\Temp\IQgk.exe
| MD5 | c0111e7fe7de9cc55eff7d6a9959cc86 |
| SHA1 | 7f06c69e024a8256725f91a39d7183e4e91cfd50 |
| SHA256 | ffc6b330ff6b8c2d207e744f882211f0c0fd364f8aa828592c54184281f4a2c6 |
| SHA512 | a48d3e189c9de4e88542a8d86b60b55be9ba047e0618e8bcc0915eb34f9dec6c205943c72f6dc1228e0135d5a32d54190c0fd60a4bd7cbb69c2e67ee9718ab92 |
C:\Users\Admin\AppData\Local\Temp\MAoscswg.bat
| MD5 | 6b20295a82eb05b4d849582c7cbad37a |
| SHA1 | bbc4e98a756a2672d737ceac8071e21e2102887f |
| SHA256 | 3976c7a4306ab421f3264f409a26cdd091ddb5acfeb55f039055ecd57ed3c879 |
| SHA512 | b0eb441b4ffcddd2cdfacaaf7d887911c5a1c9683a81a6106174443595f3caa14f95e59cba565e34a214575a053ad1260bd0a5290883ab6e02a23d5ae65d7fea |
C:\Users\Admin\AppData\Local\Temp\eMME.exe
| MD5 | 2c7f4d203340c839bef2e2aa7ae04c65 |
| SHA1 | f06a00331603704dd22b6aa6bce45655c33c3edc |
| SHA256 | 8b1c6c46d7be2df94158553601a6e21d0c1d695defadc00d47d4aa84248296fc |
| SHA512 | ab26bbdc4b96f58797d115373cef6de51d4b04ae3f6db2c38492c15e268921de30e8a9bfffe3864321724e21677e436106bf42491d5028afd03b8f49158d86b0 |
C:\Users\Admin\AppData\Local\Temp\Cwwc.exe
| MD5 | c733103b6748d4a25f214df3121fecc8 |
| SHA1 | 3e5196559decaf16259f9f28826eae380ddadb96 |
| SHA256 | 1d649ffcbfac7b339b9c1b7ee61c36dd1dde4d0ecdc1afe217eb9b7fe469671b |
| SHA512 | 28ae2ce6f3cff073b51c5d22f346e68a8c2da7af2aa0938a630e296e04f36fe6e2d12fd9704d01b03f30f4fe23d7f4dbd391659a016af0260974582863377bd1 |
C:\Users\Admin\AppData\Local\Temp\iocO.exe
| MD5 | c56b1b9801c9efcbbf304d69bdb59a3f |
| SHA1 | a0838a503b48c9c0478fe8470d41e4dbd00dbf8a |
| SHA256 | a8fd1587a10c602cc04e2614e9f9d472dce0c4d5700bdb42907a1021e1a4add5 |
| SHA512 | 369e363e6ecb6219e148c3f1248123d0742799e807660d2aa5f3fce3b64684a4395bef64a797d6b658df1ac6e3045255544a08b67482fd09ff30644033b84205 |
C:\Users\Admin\AppData\Local\Temp\ksok.exe
| MD5 | a52a229d7c39b905a88ff68ebaf9c7c2 |
| SHA1 | cdcf19bf8d0bc2ad9dbd46f0c2062377944ea2b4 |
| SHA256 | e7f9b54e69557ab8218ef07a545685db818ee133ad15744313ef532b2ed3fec3 |
| SHA512 | a97b54cb708408b2ed219e0b8d32bf87fc525d4ebffaefcbb3dc63b3e970bc343865e9d08eab4e6db46a292700c570b78a603f83e1e303844732060a0234831c |
C:\Users\Admin\AppData\Local\Temp\isge.exe
| MD5 | 5616d71782d6962b947efcfff19ba7a6 |
| SHA1 | 868ebe850d6df4a0c2c7aaed21da48fedebcfb19 |
| SHA256 | 2a4d224ca4b5332984ffc5569e1f78916de6526567283299f5197d2da294cff9 |
| SHA512 | 0588d931686b486cad7c698e64b7fe66cc7d31730e14453a97a7e978f8df517ace7fcc06a89070d637fbfb9ea34f09790373ea11c2c18aaf62e0f2e392aa1425 |
C:\Users\Admin\AppData\Local\Temp\eQks.exe
| MD5 | c32ad93d375aa2736273dafca93dbe2d |
| SHA1 | ea665fc5c2ede052b07b47cdc76a5f4e9501199f |
| SHA256 | 250a854bcda2dd7ca9b313cc41fc2518b38e4d49979fa0b8f76049b688d62790 |
| SHA512 | bb059571778c0aa71914a5aa4bc5171cd5bf06f8e01c7cc6c7ec3406d221a5e0d92227e4a3c9d0434649bf6d988e43fb0feefaf9fc68dc0d26e8456c5a533d51 |
C:\Users\Admin\AppData\Local\Temp\WywgMgAw.bat
| MD5 | 06a2b73051b0a251f8f53baabbfbc07f |
| SHA1 | 46a0b7e234b07d84c6571b85a309a7d1ee0e8c80 |
| SHA256 | 12bb6cece4035ad4b58addbefa4b4e510b144bdc0131ab33cd2b9f52bedd8aa5 |
| SHA512 | 4b83d648d16a3c523f0c75f838064e71881c4eb99a55266f0134f0aaa9f5c9ea5e2e40826637547e55f489c5ad4d7e5194d4c7fccc0b1d22325ce8762231d818 |
C:\Users\Admin\AppData\Local\Temp\kAgq.exe
| MD5 | b6ae5cbdc56e9191151d1ad9e4ec389a |
| SHA1 | d4ca7c0c101a44165f5bcb183e6099074342329e |
| SHA256 | 4bdeefc49d6ffd690dc34ab3a07b5c79a4a7bfcfd147192bd226f1d229c8d007 |
| SHA512 | c2d4033ad93fef298e2699b32f9dd9dd5a7c3d949a9fbcae7ccaf2dc17549fff0f02e0d8965c0adb00efce95acd1ac5168e013397bde77b0a879c44dd3d41344 |
C:\Users\Admin\AppData\Local\Temp\QQgu.exe
| MD5 | c9253f8b5a0c8cd4b65fc4f1017a226e |
| SHA1 | 8c40ccc6ef0fe6b6b6d378b94b1ebb4d5aded22d |
| SHA256 | 364c2c5bc94de4e51be882a8f8d684ec8728497b3d7791d9b72936832faf777d |
| SHA512 | e439c1d0f56e60a9cd3c60c996dcae30dab4cd022989d039b710296129e9a6dc9df6b14fd185b7a8b15f6f87b59b469262920738c9ee60ba6794ffacd656401b |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile43.bmp.exe
| MD5 | d8038ecb10c140ef8092a2e6e3402edd |
| SHA1 | 58d405f954f76ff11fed207b40a2455af5263e6f |
| SHA256 | 3c91f410970a74e38637269eba6b206198629ccd712c533f113ea12373af8a9f |
| SHA512 | e037dcc58559ab107922c8cbdf5fb0b5630c29a145079611b28ad331a4ed60f64597af5654cfde5312f0e1169a62f624a40ee1cf23775d1e7eeaeae8e74a04b7 |
C:\Users\Admin\AppData\Local\Temp\FgoUkwwU.bat
| MD5 | 327e0b1731167036bcdc0c1f5335953d |
| SHA1 | 83747aa29584f89c1bbb30afd08d8010e7cc64a0 |
| SHA256 | 5055f57c2295bd80f73fb90c127ddaca1e236b2a55ea21d8e8c06a2c0d021ab0 |
| SHA512 | 34096982ac0e80efe58c61cd03dfab7a5eb4ae93bb6219ed52ba743050a1bc488fa5a3df6dd25bbcb7c68ec588d7b7ab05c576edfd79a42f33a949af4b08276a |
C:\Users\Admin\AppData\Local\Temp\AQsG.exe
| MD5 | d7a98c353eba6db073b1e20b35f979cb |
| SHA1 | 4665d8340c853876e51abeda6bb9a80c4f12f217 |
| SHA256 | 3473d469b45163fe6581f9258b8611b7a33dacdf0b9375104a7dcd6645e6fb01 |
| SHA512 | c273cf68aadf489bb58d324d7c071a22cbe65ac554e7dd3eb4e7ee7440105f0bf63915c76a7a09c2e993e4d42ef111e3f84cc3f7c9ea85f4e4cd10dbb8cfdcbe |
C:\Users\Admin\AppData\Local\Temp\QkIc.exe
| MD5 | e16c939cdb8a232242a8decb4602b96b |
| SHA1 | 5cd3b85a9cfcf5a1531af4ef7758c75bd9fe440f |
| SHA256 | 9d04c3cd5019dca95ca655bfaca9de2cabc7f25533bb9f6c3b4e8559a294fcd9 |
| SHA512 | bb8bebe52bd618c76a01d4e139e96e994cbcf850c17a6d3e90cc061a1ee9166e4c8b6c0ca0950362fd282237a90d120e80bb5d7aa489680eff4250aa512b843c |
C:\Users\Admin\AppData\Local\Temp\OksY.exe
| MD5 | f199bff9ab4db4beae96e7183d830c6a |
| SHA1 | 43e28074907994420e35f14bdd0e468523ebbc70 |
| SHA256 | 0ab3dcf1550fff82e86816d4636d59c59a7d1373f5c5c21df140304477c3be1a |
| SHA512 | fb8c966ce29ed8efb9faaa371e3164bd0960f35a04b5d2fb73f679bc8e849b70cab3a3fab890b339599dbba7c7aaa9a4b4f3b1c1836cc2c328694586bd62c509 |
C:\Users\Admin\AppData\Local\Temp\cgoG.exe
| MD5 | 9b1fcbf5dd6206a4dd9341061f43d542 |
| SHA1 | 71a17cff633272c2fe1b14fafbd6604070e3bb22 |
| SHA256 | 65c1e8a9bccadfaedb1f90a374cfb7f6c98985590dc203395a5768fd87ad6f96 |
| SHA512 | 33a24d113c1eca6b3971a01a5f25ec0c74004cd9e122301a1351eb7457a9e18bbeb1658f6ae63b9a5f265f887bbbbb28d5c646838aa4e6eb5de73eaccaa80b04 |
C:\Users\Admin\AppData\Local\Temp\yUca.exe
| MD5 | 4c8979499098ab58571a04bd8765903f |
| SHA1 | 03e9543e361bc7c0cebf98fbf09a394db52c7be9 |
| SHA256 | b6e1b57f8c105999653bacffcd2036a55beca8a130ae6fcdf2dc40aa6903c4ee |
| SHA512 | 59e9f3cc85d4632b7cfa149a0d88b15bddb59ca9e8c4ba77636c116eb6607e689eb2148c54426dae0c16f3bbfd6ecf4123c9b874006097d031bcdfba69fe3cb7 |
C:\Users\Admin\AppData\Local\Temp\kEYc.ico
| MD5 | ac4b56cc5c5e71c3bb226181418fd891 |
| SHA1 | e62149df7a7d31a7777cae68822e4d0eaba2199d |
| SHA256 | 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3 |
| SHA512 | a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998 |
C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
| MD5 | 0f75a39b4a4490157ecbf7c541f5a285 |
| SHA1 | 6d0cfff1e8df0dfdb7d3fc0f90c040355e926d8c |
| SHA256 | d5e34091e4155a27c635dc3205e7923c5deb88a5209fbb1deb0cdc4e5288b1ba |
| SHA512 | 216ad2f567e16856731c13fe422ef8dc988b8d2f3c6aee6ce803d36a523af455411e13a1b0a26e50e74d1761c52c2ef3c999d00774d724583e7b0b30a63950d5 |
C:\Users\Admin\AppData\Local\Temp\ZYsggEkY.bat
| MD5 | 0e2c27cb093f311360c47543a8a454f6 |
| SHA1 | 02885e70dfd38e52eae3766fb197cbe08c0b164a |
| SHA256 | 02a3a19c91259d45ab32d698a9fc456d779570fe065fe2dbffaee4165e70a813 |
| SHA512 | 844d729f96b882c6658ee8e3d8a4d365bc49ef485b1de2e8d6f8fd16d9bc66a8cee7076c9708623d3223afb2a24c843c22370ee98cb945e71e371a2174fc96d2 |
C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe
| MD5 | 07bb08e4da5b1aa1d294acd6d434e822 |
| SHA1 | 8c4d3add31da4ce4d6ce85b8f7173c998b9a39ef |
| SHA256 | 1433497fbf67f3068922b1143ca4a5ff7463e2c2abebbee31a9a29cb9c7906d1 |
| SHA512 | f75ab3dff4a1f444ad35ecf61b3779f03cd36edc4468cfd38b2f77c6aafac0c18481ac40d20768c206f4bc5b1cbcada0e0d8ff83df3ada9c85cabba0dc95ffe8 |
C:\Users\Admin\AppData\Local\Temp\QUMa.exe
| MD5 | 2c9b5b5c78b3ddf9b7ade3de435c1b59 |
| SHA1 | f9bcb8039a485f58810ae3467b4afcab21353213 |
| SHA256 | 510397c12199d8fc9c6651a96ff61f9f65f7d219502b0be45a9456b32ce46f8f |
| SHA512 | 524ac21b4f846d334599d08405315a712e7a0e392a160646844b049830a8365dba80187769fddc1e52d44ae97f0fd65e05f5ec504e3f0bbef09302dfcd9f3090 |
C:\Users\Admin\AppData\Local\Temp\oIQW.exe
| MD5 | d69b1620e095aa1e62b8c155ea3dc6fa |
| SHA1 | 1d1a04c6e9cf77c41a7e63c95930a266a86559dc |
| SHA256 | 54e9d0bad6ebdacaf63f82f585291dc5e84243eda62eb71b238664390486e809 |
| SHA512 | 6b068b97350208558379bea48f0244f9795179092d7006a3cdff129941d8eed068a2f06650e2fd907e61ef1c7e91596cc76a129a33930c566a9f9048e38aa3ab |
C:\Users\Admin\AppData\Local\Temp\GgsM.exe
| MD5 | 9207d257f7743f0137b97f0e61b3c1c3 |
| SHA1 | f2b08628e87c52b7e220588b4e7e03a9c998538d |
| SHA256 | 2d2b08c9889f7726a8a2c6784cb5d59a9a9a2343cf16695ac59e83850356c6c4 |
| SHA512 | 6ca78e9fd3b06ba66412eac2d7866b079ae00b883a9a528908b014712757f5cff930977de1bbc12de8d7dcf5c86fac270c947762261456fb61abc0b9e2a20813 |
C:\Users\Admin\AppData\Local\Temp\mYAs.exe
| MD5 | d514da10af0dcb614058de85fb9bbe7f |
| SHA1 | 95fcf02b0f4d8a04307b038371e7b82b604a89d1 |
| SHA256 | ef3f1b0a8cf28a6f5fd37f1f1f735d5d57eca6a83dc3de81a7467b5ca19cc99d |
| SHA512 | d43bf56d477f9733fb72ea5db1426e66a7546c418e0b04e8a21b317e549165662b0a115fd2f703ac0acd5db3ce4246366085a73265ef03cfe97205fc3bca2ae7 |
C:\Users\Admin\AppData\Local\Temp\vAkUkUsc.bat
| MD5 | 2b5643693ece9117fabe07fe93fb96a8 |
| SHA1 | d815a95db41806f00782eb53de83960c50a0f3a9 |
| SHA256 | 5849cc463c22ddea0e416d4510c21cc88dffbe0bf574ae7f62a66bc1b242c585 |
| SHA512 | f2f3fd411030f205276e8a0c76378a1e92cc7228545cea32eb003a91f70a490fa9e85e76fd87752d958f86a8966f48c7e1e4d6195125c6cabc09cd8158891135 |
C:\Users\Admin\AppData\Local\Temp\ioMk.exe
| MD5 | 00b403e64b3e63d45a3e93348fe9f6af |
| SHA1 | 807f2ee27191d6745aa73f967cca8992c90974d0 |
| SHA256 | 89e995ee171da57046ae2d294bec027ab100cb951abe25adae7c6af5b01a9603 |
| SHA512 | d891a26308ef45d52a9c9b5492f8805a4c2064d826810a8232667b43fddd3254c0edb1e32a952fc6ca34b3621bfcd8d753bfefa3e6e63baac55e9428214bb0aa |
C:\Users\Admin\AppData\Local\Temp\oQco.exe
| MD5 | 7d309110105c8ee8a8f5058025bf3ce2 |
| SHA1 | f7d45b6051c04bba97b888daca0c3cf9486a02cc |
| SHA256 | 9d1296afd0b6306cfb687506cba821608cd83afa0ed26711e8972c49bb1a6ed7 |
| SHA512 | 17bff045b79ad0fc6ac0de1700eb27df3b149bda10a5b4e094c6f5b99a1e4cf8a99fac4bc24f3a3ad4bb6862ce3f3bb94c3baf4581af9bec4e9beb60158f14c4 |
C:\Users\Admin\AppData\Local\Temp\moEc.exe
| MD5 | c8ffbfb9e824d59cf12494d02b412ded |
| SHA1 | ec7b3e102d5a8b27ee5f203e2f756b75dc97e965 |
| SHA256 | 56ded647833424455874c1998207612ce54fff43ab9b7064c963ade8c5b395f4 |
| SHA512 | e48fa9f09098b4aea5cb5789f87b1f14545da0fc5dcc8d55bb9578b944c10375559816779c9c6205cb755f85bd1e5dcf3d3d0c9b49e530573d6a2293de649fe8 |
C:\Users\Admin\AppData\Local\Temp\nUgAIkcc.bat
| MD5 | 8311a771b1d54197bd0089a72a2a2263 |
| SHA1 | b6febd105ab898426fc7684233744d1a80b99802 |
| SHA256 | 0d3b666f07ed1fcfe2bbc72bbe0e0c0f2c69c0229ed75744a31a9981859f45f4 |
| SHA512 | ccae7db1e8d73126c9800daef5f80dd8e434357a493b15419476924be42fade8d8580870287f014410d3b531602b93a9332ef50d3ff01dcdd3f3772956c103cf |
C:\Users\Admin\AppData\Local\Temp\WoIu.exe
| MD5 | 3320bbc71d9f1434a427977b7df8e449 |
| SHA1 | e65a8b8358e312e0a8167d457c01d3f5249efdf3 |
| SHA256 | 1315f83ab0d64d4f75b71b8c7f0a338d395b6d42d298772e87cb84ad5bf96eeb |
| SHA512 | 5fea5be8aec167bbcb2effa45f4874a590504987f3eda9d8c4b24bea3ef49def0d770b394fa7c5b06c0a91256511bca6db810676356fc2b4b1b70f7649ac8a17 |
C:\Users\Admin\AppData\Local\Temp\iMAc.ico
| MD5 | 0e6408f4ba9fb33f0506d55e083428c7 |
| SHA1 | 48f17bb29dcd3b6855bf37e946ffad862ee39053 |
| SHA256 | fee2d2cfa0013626366a5377cb0741f28e6ec7ac15ef5d1fc7e286b755907a67 |
| SHA512 | e4da25f709807b037a8d5fb1ae7d1d57dfaf221379545b29d2074210052ef912733c6c3597a2843d47a6bf0b5c6eb5619d3b15bc221f04ec761a284cc2551914 |
C:\Users\Admin\AppData\Local\Temp\qkIY.exe
| MD5 | 33d934988717561891d8739561fb8f43 |
| SHA1 | a428176665541d074ce01f72c9e374c078144cf6 |
| SHA256 | f53738714627951aaa632f647cd46201ae2369c9e545e1308b99c4862722a2ae |
| SHA512 | 21baf8096c411565e91a7e7f2e22839e360b3f61f5d57d6984727e3fe708f56c9623e6ab80bcf1c4b9253c8b6186288934596344971a10f02eba7c80372790cc |
C:\Users\Admin\AppData\Local\Temp\wgQm.exe
| MD5 | d14fd90885f491cc6a99486216f43b05 |
| SHA1 | 95155ff750d08b661ce52899f30407d2e36a11ca |
| SHA256 | 91e5a2ba2be3ebf45e5d4a44aac16988487d83fc84f34a51813f4e23e0c63812 |
| SHA512 | 2f9879722bb4898ab4bfc859501b199fcaa6ab8bac10386fd6d49f473631942620b66ca59c63257c62720b81cc4eb13231598e30747212f150771e779819ff07 |
C:\Users\Admin\AppData\Local\Temp\wkkswowE.bat
| MD5 | 94d86e828c1c55059dd38a49bda52030 |
| SHA1 | 0400f0cb62cf33ba220efb478f76a6877995235a |
| SHA256 | f9ccb4dea06ca681db531336a34086bb298e070b146531c01fb8c3004b6d20bc |
| SHA512 | 740874fd202e34c5a59cf960b43ccb2e2ca67e4e7d1e992761d99323e3a5f5de6f60691dc73664aa2c68362ad98a859f9f231c211ac82897c748f0b790921955 |
C:\Users\Admin\AppData\Local\Temp\aMkG.exe
| MD5 | 2932374c781dd16f1bb2a9478c3fb553 |
| SHA1 | 2bebdc469acb341fa93ad9dc00e206efe4472f70 |
| SHA256 | 3dbf79bedaf730efe6a7fb17826ec1c672b0d987f65037bd94d45170735e3a42 |
| SHA512 | 0cb1c946c088cc257c80f00f72b6a3896d671ce8f02916d309550180c5b353a58f82d53dc32cb358f4e7be022c0ab455471c7e45553f4775cb60d5b6633b1d02 |
C:\Users\Admin\AppData\Local\Temp\QcQi.exe
| MD5 | e41c4d7fe0b82153a4b3e5a7efda17e4 |
| SHA1 | d1068119f920f43ce95808a0e364e69637cdb18a |
| SHA256 | 7b53f034021739bfbbc0d61b4666dd137f8b55f137f05bfa5988afed6adcbea0 |
| SHA512 | 46a7bc019ea77811b8d07ea9d6ccda4f38b3edee7828768ce2cb05aca44dfd0a23122eb09672f699824bc4e9c04629338848bfa22f95c09f0e2a85ab4bbdf02c |
C:\Users\Admin\AppData\Local\Temp\cMcw.exe
| MD5 | d8237ed56d70b06bf3cbb9c27660491c |
| SHA1 | 6ddf53262158846ce10b9a79a36a527d7efd977e |
| SHA256 | 2e4d6aee45331fc77617b60ff9d22dd465dfeee82e1d328e63eec5e84482ba08 |
| SHA512 | 87b1924575f62923a77881660e13993691354c5019def8f37e3220da34bd57ccac6f51a03ac6e18b2120ed5f723711c9a660825b0d0d9f5f9cf69c5eeb950a4d |
C:\Users\Admin\AppData\Local\Temp\KEUU.exe
| MD5 | 910a5cab76dbdb90cd1a919e62f989e0 |
| SHA1 | 5881cfebd850a384fadf04563a0d0234e0851a9d |
| SHA256 | 09398ca29e05944884f8aa0445ae04b33bae217aaa7b6eec172776ed09b8eb18 |
| SHA512 | 2c9ded434ef4ad8bca4b995bf40f75412ef81b37fcb1953364aabc4e396c5111c6f9a40b59e6bb5384c1c7e128b57a1f016ede04dd1d140cd98dccb72452c137 |
C:\Users\Admin\Pictures\SkipRename.gif.exe
| MD5 | d02c6a462726de1f6f1475528381125a |
| SHA1 | 823f6bba6dea0690ee55955687ef0bfd0185cd9a |
| SHA256 | 0d9d47265b41b02b672759a702fb2ebd6a766d6e8ca0c7c03f21375d075ebf40 |
| SHA512 | 3e51487acb5774287764436c45b5063c1f92b85021ce7f7eb813fdcb721dc9316adc9afba8b794b655a146eafa62096d8ec78bdac9a8041d1260a3f4ee5ea431 |
C:\Users\Admin\AppData\Local\Temp\mWUIsgcQ.bat
| MD5 | 03fd9c3a723bd97924a725ef5eadf3ac |
| SHA1 | 1c7086cc42dae8e1fd0ebce50e7113f848895bc6 |
| SHA256 | 3e35dbca7f82f5621d379a9c33c2691851a5b8d499f1052352ea147800c248bb |
| SHA512 | bebc7c01d0435a954123ad211dadd226233c0cc13a6018253c987c2049f9a262798e8126b2f24d152d78690486619ca6143b98aa5baa6be307a0bd4a62e035fe |
C:\Users\Admin\AppData\Local\Temp\esku.exe
| MD5 | 2c6e240d9cf854af53d1c5a7e1bf17e1 |
| SHA1 | 088bb2c1454ac9eb6ca81fd67d9847e00757615a |
| SHA256 | de8977b5edb5e0cf1f305d6621d310eb4500dc86b05c360cb8ed65b1bb0898d2 |
| SHA512 | 44ac9da118b442806bf610a12443fd583df2e442c5cfd88e1c9616621c90b08d16c60c691aa96ae0b511b0cf8cf6e8a85925f32baf6cd2f8611caf2057dd1d27 |
C:\Users\Admin\AppData\Local\Temp\awIG.exe
| MD5 | 425de2bfeedb19d6a535b82d2676fd7d |
| SHA1 | a32fdf7c058872e159d012a38e84dbde0a94d043 |
| SHA256 | 46a465ee4d1f044c359be6b05309f82c6cdcff75c5e50f8c3bf16c94ce402f59 |
| SHA512 | 2c87dd9ebc1747019e5caae14f0b98a824c7b1cd641143906d1780b66fae547e985a61d834516cc590e7139a446292cff2bfeec37a79397613cfbb12f15eb176 |
C:\Users\Admin\AppData\Local\Temp\OUEgEIQA.bat
| MD5 | 3714d5e23c044647ce308a1ef4fdd471 |
| SHA1 | 4e9cfd37c519cff6745101ad2fabc6f0dbecfd1d |
| SHA256 | 52efb75029114f3bf16d15d60b9866cd99997dc6d2ca37d77a8394767ffbc187 |
| SHA512 | d916b3a83c619d6f69758fd9ca206c3d93fa3355a2fbe1d0bb6035e84d34b9676b223136b591c8e512f390ee2454e8a37506b8ca490688b8b32a335359b2a6c3 |
C:\Users\Admin\AppData\Local\Temp\aEEq.exe
| MD5 | d043c8de8cd2b42f05ddbe7ca66d90c4 |
| SHA1 | a761a8596509a79484e650451c57bc13a358af4f |
| SHA256 | f1c32907e66286d9e4a932af4c34442a885886a4746427dfbb0c71266dacab03 |
| SHA512 | 849835b0cf22bf88bf745d353682d122a7ade95993c16bbf7432af93039e914a1fd0cf944a031c9db7e00d3d6f02bab66539fb2ade97bf874ca2cfb26fb55468 |
C:\Users\Admin\AppData\Local\Temp\MkUS.exe
| MD5 | baa106bc55bad2e015930a0ce8e90784 |
| SHA1 | 9ef2b7677a958720c2ccdf01cb1bd87dde4b6ab1 |
| SHA256 | f30b57512afbef9cedeca6525357633468fe7143bd13c7a52601e9d77ac9ad18 |
| SHA512 | 43f1d748c4b636f4f7abca84f9aa770cd23140e39fcaa23293017373f536fd2e68b8f49d12f2e2d326aa1ca99f6109e472cd0a11d1043af272def44babe0eea2 |
C:\Users\Admin\AppData\Local\Temp\asUgQYQY.bat
| MD5 | 47d50c6d792a9f86cd2e1f238ea4081e |
| SHA1 | 68fbebd5b7bff2f0cc1a40876a751ee5d3c304d7 |
| SHA256 | fe61613dbd51dda5d6035c37ea2d55c7051089febd108dc306c900e30a5528da |
| SHA512 | 2b71a55491591469434ffa1402fff72826c4e011ea9bb34a9858f0cb53bfe5fd7645e767c174d895b05b4c2fdefbb7a7d783798cf691e3afa5ead3e697576f76 |
C:\Users\Admin\AppData\Local\Temp\AsQk.exe
| MD5 | 736cc46a0c9912c94da973fe7c26a0b9 |
| SHA1 | 526cd8a8e8db91cc977b34407b189c5b5e49a8a0 |
| SHA256 | ab16905f7e1b0d87cbd54168a297c0ff797429ba4d39a1638e0e7bf58e25a2fd |
| SHA512 | b000d39e9f9a9e8c4fc6a094a963fbcbb50e388267681e4487c19d3242badbf5163e7f25e5d7be289adcc970ac39d4adbd6f975892e101d5a2953ed6ecabd54d |
C:\Users\Admin\AppData\Local\Temp\CwwG.exe
| MD5 | 792aaaef342be492cb18f5aa4140f5d1 |
| SHA1 | 13d5b8eb1f861e5134c394bf38988dcacc753bc2 |
| SHA256 | 97ec2092da0e424eaf837ac0f60c6676612f81667d1c28d77ae171d81afbe88e |
| SHA512 | 0c6d5f94c6f99dbdb3f415587ec64b75b4eb39ee29a6c2725bf3612bef019d48b90583c66f8da6f356fa640c868a88426c2891676964f60faca6166691056bfc |
C:\Users\Admin\AppData\Local\Temp\KmoQQIAA.bat
| MD5 | 741d6cc4ac2cbc710e2bbce8e0dbc4be |
| SHA1 | 29097a81961c501a7db95b5968b9cb414b4d7f58 |
| SHA256 | 71c2f9c9dcfbcb77bddff7cf83c5e575d76742e0cf4d77ad16ece1482e5c3f33 |
| SHA512 | 8405ae461c84477808fbb12d7ff61725a707e84613b2285664ebdb1e623fd6d2628f12565d64bfac1c22d22201d8326f3f2663eb4b9a952bdc6f8d1adbb2d580 |
C:\Users\Admin\AppData\Local\Temp\OEUW.exe
| MD5 | 7de50f80582b35523c9374c8ae58ee80 |
| SHA1 | da3db235140d341e16f3ed0772d4213db6d2628a |
| SHA256 | 05aef5dad2802cad2dc1efedbcc9c40744a7c21e1afc3d7d49bd77257636faac |
| SHA512 | d6b4f5076eb884b9e75473fd6195962afba52f9f64c8bd84c33d5a4552562aa6de94889c90b069a3da5f4f0935caa1b339d0a97cfc7abb87fc913df53a0badee |
C:\Users\Admin\AppData\Local\Temp\cgsA.exe
| MD5 | 84090378f6e0e7827c486d99269a18ce |
| SHA1 | 7e44a68c062df50933867c6ea4b52f23cf02d5c5 |
| SHA256 | 8935e9b2c4ab0af255b7eb6fababda65cacf442326d78a96023e7d55166ca002 |
| SHA512 | dd94e10425cbc991d32ac82122c2e2b0d40885defd522cda713a67ff1439175e14d89d67abe18bf6bdbc243ec0a5451be891716c2208ddbd68def5d170a71966 |
C:\Users\Admin\AppData\Local\Temp\fwAYMsAU.bat
| MD5 | 5a98e3d3dc13db07130960e3b27ffdf3 |
| SHA1 | 50ea32d6ed29216a175e6c5a5865a25afe8ac6df |
| SHA256 | 8b272e4f1e8762bae5e93aa576d4b1ca4be6cd8232faaed6eb08963e74dc05dc |
| SHA512 | b8d7c067ef4e3a558878b2f5f9bb0d570887c4914ece60a049554f4e3638a5eb6d4b96b8f3d323911b983fd200164085eeb64de57f86d3bc1a7674b130c33e8a |
C:\Users\Admin\AppData\Local\Temp\YkYs.exe
| MD5 | ff2e57a91e36d0e6650383de2da7eec1 |
| SHA1 | 3de75583e4cb1e1638057eff76c751672b1ea53b |
| SHA256 | 93a0af3633c8be64fd3ce743bf25d1362ccc62bca916cf3827b05c7131db3dee |
| SHA512 | 72a10b4abd0abe5507513ec9d0f19dcf5f91fc57737a998938d2de7ccb38668ee45e08082a715d7e76d85f04e0f85724e6942cedeb7be11e9ac2806bbc4468c2 |
C:\Users\Admin\AppData\Local\Temp\QAEI.exe
| MD5 | 91707097910a90748d7a1c659ca094ef |
| SHA1 | 95d790836ad45118192d6c9d4456781a8dd62f3b |
| SHA256 | 1152ce1c186c0b79aa6e8a6d40936ff6e7bf0a63187fdc6043440a2cef251d3a |
| SHA512 | e18a6410afd48dc14eb9aaf8a099db6f2d247c6d8d88629ada8d9375e968e4b0d5dbae746c358ce5dc4d040a92d167cc7da09cd33c85c5d88f7291d0b353d79c |
C:\Users\Admin\AppData\Local\Temp\iEEO.exe
| MD5 | 99b892c140a1128f10b5c650d6f5c38a |
| SHA1 | 44f232d109d08703ab9ec3891d900057326fec8d |
| SHA256 | 3d0b2761e28f2730e30c3799df4e0441f160eacf6c1fbc6417af45efef27bff9 |
| SHA512 | 0cf1393f474290eadb59bd09d3ffc28d20704e1a2a15c9054bb4b10e4d48394b38b2e2051f7de6e0e939c494c056d4eea1f6542ba6a34dbfae5d0f470f691372 |
C:\Users\Admin\AppData\Local\Temp\DEscowQA.bat
| MD5 | a739372226833c023b6440f448fc6589 |
| SHA1 | 998c1560f6f08dd0ebe0ec3ed6540e7c24a4b24f |
| SHA256 | efa613b821c340def1a617ad9a5ac448a1eccbda3c9c5e9d8f335116fb854866 |
| SHA512 | 24a58abad9eea49b0578b34653ed7a4d26232d398985c13ca4c8d69e29be5072d676305f5e14a6ccda7d3336e7306354b6805a01e13858ba11e9d3319d9425ac |
C:\Users\Admin\AppData\Local\Temp\ioAy.exe
| MD5 | 26d97112867c5f768cf86a9cfeeb2a3b |
| SHA1 | 62e38fe2ae0314d1b9a36fdcf80f9ffde105c56b |
| SHA256 | 324448c5c92b7778ffb3d40ed512498f306c4af6dcbefad3afb323ad9f619398 |
| SHA512 | 5b15a0af1df0417b8e2fb0dba700054c1d46d7a57748f7a75e3b4e3737b39d548d8459d60af902e4600e58186e6d72293b8807c17cff14d99e86d010ac4abac9 |
C:\Users\Admin\AppData\Local\Temp\mksa.exe
| MD5 | 34de152b0952786100d3ac1b21ad4d6c |
| SHA1 | b7f87b377e2c6060e46261a0a3e72a59589ac361 |
| SHA256 | 3ba8bb13734d8943f49f5680c3457ceb05645e50b829488636a5e0bf9218ca0d |
| SHA512 | 3aaa9a8f47770024314886e710b5df440f9abfdf854f6d155b77c8521f2c9eb594d993de64cd91e0e9854ba61ff4182079e30bfe08f8fcb2d2a1a785a5ac1538 |
C:\Users\Admin\AppData\Local\Temp\ByogkAQg.bat
| MD5 | abe8bd56e8f424f44bfdcf5ddb59e815 |
| SHA1 | d0bc16c58d0b9e5799abc3331a29022271a302fd |
| SHA256 | 1ec9e7d460500c07ffd3768c2518f1feb25d538cfab31015a69bcc4ab720eb49 |
| SHA512 | 52e99785893150699e9e875de2f494126d8dd8302129a1020bb7a272adaf1b3309fb37983a2a11d0f04f51721abcefbffe5f26884995961ce2db3e074df42912 |
C:\Users\Admin\AppData\Local\Temp\oIIc.exe
| MD5 | 699cfeb552ea9f44f4408ec0b2e2e132 |
| SHA1 | 3b5946a03a4c6d20b9f3a731c23f207a1b7ac944 |
| SHA256 | 0f8bc331fe0333c312e9cd4e254eec769ff2a7f0a4c55c870b846180fba14a5b |
| SHA512 | 02af7b40c27ca0e663dadb41182a82c7f69f4b7e30fd32fad33d16361daf56ab938856c1ee8e32d1ca732678203fa205b39d1687673bda5bcf27dfab9f1b30f4 |
C:\Users\Admin\AppData\Local\Temp\AEMw.exe
| MD5 | 69a04597f15b67d551c5cd9c764613bb |
| SHA1 | a90901a87eff3b0859793a66d8379b83c19e5d34 |
| SHA256 | d755a5bb553b5087cbd4523a0c1831da22fdd63a8deb25ac20c3bcbc4201a987 |
| SHA512 | 1c861cefd3f59f1f70cb17d00e7bf62c2a154c6d415bd0801babdf16c280ab2f3f4eeb211a6e79d237a71306282ff5dacc138c8ac432a6933bda8d3d618eebda |
C:\Users\Admin\AppData\Local\Temp\OgIw.exe
| MD5 | 3bd9566cc240bd61a4451922c240494f |
| SHA1 | 48c989dbf5c3e105ca4f52528abe964e0a49a2d5 |
| SHA256 | 56682929f9e6978d78fe1d2b59744e3eb3936bcf78d0fbf757bea875b9af316b |
| SHA512 | ee14d3a18ba23d0c9716ceb7db9121ae6a8546813b554b7e16198abaa4b73caf851e69aa18f355d266c3aed62b59411cbbf8b9b38d93a19b21756db82f0bf59d |
C:\Users\Admin\AppData\Local\Temp\IEwo.exe
| MD5 | 2a28fa8df894a1940b5b317bbf9e40da |
| SHA1 | f09267a4a3f00f0b1bac7726e9a340e9e63114ff |
| SHA256 | 8ca1fedba3fe285c5e22a43e9da668da04aace6b7a839df81a96abe53b21bd1a |
| SHA512 | f8f1691c178e65ba6322ad0532dcfc2805ffcc32519562f7400de445d5830288fc883c2747a5fec43d7746782a69a4157622ef1289f4ab9df3f1055dcb4b0fc6 |
C:\Users\Admin\AppData\Local\Temp\pGskcUEQ.bat
| MD5 | a9b3d6a83c8731d2f55c60724412d2fa |
| SHA1 | d9c62d49088fb9592cdb6f55c48a6bc61b5be626 |
| SHA256 | 6832b35a62ccc50f798ee6b53cb58983a5ecb3afd3a919d6e8c4457c620c9776 |
| SHA512 | 8c393fd37fc7deaf5a9298ce6ecbc9ab586efbed4a3fbf5c3e474ff21f0f40ae62a432cebc417729906a08c965f2030107cb865078f978f4caf3459c0a262b44 |
C:\Users\Admin\AppData\Local\Temp\CkkO.exe
| MD5 | 6d5302f73e4fd329de65985c63225121 |
| SHA1 | 0bbbc3c2f69fee07c434a58b4bb8b057cb3b3b0b |
| SHA256 | 460c55604f2197cf97004bc707bca2a080c41ef707fd942d054fa16f12fea426 |
| SHA512 | 410f2d8ea2f8725a080edcb58209aec99d8d0088da99bfd2f2d16e8cfd8538a0fd192f22e666d05e1dad1f62818c1c67d1e9963be179420c02b599ea00704dc8 |
C:\Users\Admin\AppData\Local\Temp\qMIe.exe
| MD5 | 8a514518efecef3df371e50119987102 |
| SHA1 | 9a665c6c3e2f5eba87f33bdd98b42e8b34098fe8 |
| SHA256 | d325851b5a426bdcbc19df2305244cd59fa78ca6011be08bdd413f26e64b263b |
| SHA512 | 0ce4593b7c6aab298ecbc3c1c67d65c9fdcf97ff4af03b3ea7697490dedc9c499c9f6711a95cdf45e44fb515b186e338368dcbe453b1c45a1ea92b30cfafceff |
C:\Users\Admin\AppData\Local\Temp\RSYkooMw.bat
| MD5 | 4f6f3a00f9cf471998b50a5618d184a0 |
| SHA1 | d29c3a56bfba0347a5e1292711ffc3822b571ff3 |
| SHA256 | e0a866586d152affacd825d1d20e8f74412d7edcbccbb437fddebdad14ef4847 |
| SHA512 | 4e06c2c33398488090582e0f5d791d1c9fcae82f1e2cd56ad05ef6948afeed1fecdd161154c58aa1c6b77175488c03f466faefca6290865833f40549af3e1813 |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile23.bmp.exe
| MD5 | 1344cf94be08aa9661a75170cc704e08 |
| SHA1 | f7aa46cff9bc9725ef1af6030f4d2849f42d6eb0 |
| SHA256 | 204b087c0bcf92378f6caa1ebed4dff62a494dc56f6838ff266e8fe31ad8ce16 |
| SHA512 | 216483e6c8463affec0b6982ef2cff75abbbbd1de5a74a4d9fc1f5a4f55fa8739aa9182b24bfe077b46f43038c3c8528b1b4b29ed0656c5159502a281c8b39af |
C:\Users\Admin\AppData\Local\Temp\cEQc.exe
| MD5 | a9a1abbecbd4cf0d9003418178ee08ed |
| SHA1 | 592da7072cbddfb1119a42935c4931397d1ecfd9 |
| SHA256 | 848d069a4422357f7327a0dc45b417c1452cb4926f064fe1ecc248d164fcbe49 |
| SHA512 | cc00116def21f049791dbd1ed91d956da23b19235406686162de2fd0789d9497ef1ab516dfe6daaf7116f80021d358d3fb20598cede131187094062735b5ef29 |
C:\Users\Admin\AppData\Local\Temp\QokK.exe
| MD5 | 0d743c5819fec6ee12a408497efdb37a |
| SHA1 | f82849f840eb2fad8afd474fb632f785b61ea9a8 |
| SHA256 | 6381d7288769d785e725ba39dcf307ed8012f4802b2d94f33cd2b39eab5248f2 |
| SHA512 | e34fb0c24db47060321c771a392c237006812da7c95d015f5e7b380e5217fb1de823fab689121d68ead16585b43f83763ce6c9e6350222b6ed1e264909e53df4 |
C:\Users\Admin\AppData\Local\Temp\qokE.exe
| MD5 | f0f899527460e4a659d347ebabd2b4f9 |
| SHA1 | a076d28c7590317169753fa0490c859ba45c848c |
| SHA256 | 7f34e12453a12b7a326682ba7369504d3b823d8045a632c614cb6f2c20a1ef69 |
| SHA512 | 9a15044bdb1ac280230d93d2f17ece84d4a6d090d0ab5bf01f6f8701c9e4fd206663dd7e2764f5a6af5881357b4c22610be6e202a91dcceff57ab9e9e30e4bb1 |
C:\Users\Admin\AppData\Local\Temp\uAIw.exe
| MD5 | b33b635a6f27db131bcd8b92433d08c4 |
| SHA1 | cf081756dbcb837433865967d09a64667452c328 |
| SHA256 | 355c5d59c2730a4095315f3dc84fcfcc1212828b053a280e287e231bc837603c |
| SHA512 | d328c1bd256bb07bbb4881ea3e79b55b78f6643e47bb8cefe0c27714caaa4d551256812828e14ed682ae20a90a91137d2e88adc90a7789c5463313c322950f41 |
C:\Users\Admin\AppData\Local\Temp\sQMssYsw.bat
| MD5 | 1c0e3f3957d1f8fe655df64ff83caee1 |
| SHA1 | 073dbc69bcce68c451713ed8817cf22756da8df6 |
| SHA256 | aee3042d3cbdef09ee81954829f897fd5b13b4d72315222b6b958b00d7a53817 |
| SHA512 | 0d403c785194f1593a456e8aadb2e05f76ff316cbc14b974e690be9690619d2776f4580e199ffc9afe776f443f0ca254dc0dd82449e72d9be54f8d7ce28d3be2 |
C:\Users\Admin\AppData\Local\Temp\YQIW.exe
| MD5 | c9e717fea98f27788b8aa9d75e92e6cf |
| SHA1 | 8551a873dace9cfbd911eac1030ca187beca4dec |
| SHA256 | 89d7cc1f3be2fde806d0196924484f588334b91bebb11ad3df7d3fd1ca9c8ad7 |
| SHA512 | b583e49a932ef8bd6f644ceb51bf84d032dd3ef3e56ab0b6e7e8e9b3db8b469ffacc22ad9af4b4aa418d38c40a5823bb59400aec0786e164f1a4c62e29082a03 |
C:\Users\Admin\AppData\Local\Temp\usMk.exe
| MD5 | 6879b7d2482c1c46ac94f5b13cab0317 |
| SHA1 | df17ecf1fdc470cea11be858c2496f6d1acdc0bf |
| SHA256 | ff6177732634b543fb2af43f6b4526b2a385bc92e1b67bbcead573e6f35c2397 |
| SHA512 | 4fd5d872bfec650f98c8f8d0756df1ee7a339a581318cc21fb7c2e7ec847152c82fce91562dc575b1b43e7d8c354790a81f309cad1714594c4baf238814e2261 |
C:\Users\Admin\AppData\Local\Temp\AgQs.exe
| MD5 | 021e54a21166ef99772d7da0d32d85ba |
| SHA1 | 698fa0f67c7d26a54861950f93b12265d3a53854 |
| SHA256 | e1a460ea0f8af0424797f9637474fcbbbf3e3e6f563112eba593989791477fb7 |
| SHA512 | 6585bcccaf26e93e27dbeb1d78b3b8b9223017d97879fd2113d6aeb775dab0439aad5a7c1e9f4d7c396d65f063fdb42acee24317496dee7489babe0fdf55c83f |
C:\Users\Admin\AppData\Local\Temp\CkIE.exe
| MD5 | 4faf40311c371cfb2fcda1cd19431ad8 |
| SHA1 | fbc6ae7b04d593f82cab88c62eed1599bf383bf9 |
| SHA256 | 96b2301e33e2613408856495d2ae1458372a583e375ceff30a26350be5ac383e |
| SHA512 | 3517a6bf5bc7003de85af2bd7306d0cd8ae851789c1f880695daa4fd823731dcedc01abd99a39c9815050aac49656755d804ea9888104ed382f51c5930114f9d |
C:\Users\Admin\AppData\Local\Temp\UEcq.exe
| MD5 | 71969bc33f2597a4c642853890ff9c8e |
| SHA1 | 4ff8a4591ef824100293606d02dcd37958621ac8 |
| SHA256 | 279ef81c0bd3abc566010ab08f833697ff78186289cb96de743cc1b7fb874a81 |
| SHA512 | bdfd696eee0abc4ec8ace95babaa72e17084e2cdc043e6888de7575e6104630ab949bd1c53ceaa18c527d278f1756e57f3f0a2fe3013d5fbf2f7530226232b0b |
C:\Users\Admin\AppData\Local\Temp\ieEgwEUY.bat
| MD5 | 22d87009dc31325c109df638127c98dc |
| SHA1 | 08d5f5baf6f8c096763c18372defd6452626f4b2 |
| SHA256 | dde0c37b0471c693e2cee43779ccfe8e62e7e9646234c12f20a94281cf3f681b |
| SHA512 | 02a19210d658812fea712bd666e03b404a512270aaa283fdcca8ecd1fb53c8076ec5ad1bf1fbfb427f9bc97f254f451758e2de8383fb15425cacc63f92ad43de |
C:\Users\Admin\AppData\Local\Temp\yQYa.exe
| MD5 | 7d35dc1b08bff29eab7fc92b2b768b6a |
| SHA1 | 4833a359cf84ec01351c1f46f82f0ab7a958b281 |
| SHA256 | fd361b39d25c1ffa044e772a04beea874278d1285cedc7372c08863994ae01d7 |
| SHA512 | 20d3884347df3acf56e9d16fa276b2551cb1cc397c36ed871c5e188c1a81a75a48bb66f345aa23b7e65667447560958fb23a7acb32992bbd4e12a40617ba4933 |
C:\Users\Admin\AppData\Local\Temp\EQAc.exe
| MD5 | a257addc022a7693f319952436ea1de6 |
| SHA1 | 07b196012e3785344e0459650818880969241537 |
| SHA256 | a062c20e84ad62dff8abbf643d05e9fbe38a02bbf11efd726935707bfe5ac1b8 |
| SHA512 | a898112766d18c3439dd12f7c86e4200d7d25f2de36a2567e4b3fea451fb33bae597748ec2c66014436259ab664c098c3192b8d30e802747ae86f286cb689903 |
C:\Users\Admin\AppData\Local\Temp\yYQK.exe
| MD5 | 1d53a5beacb0ee26807ab08d63621604 |
| SHA1 | c2ad60bd929a6ecc1e01d2574935f19b852a1f26 |
| SHA256 | 91fbd7b40a1fc3fd927a09006c3d11c9945bc0b74612a7ecfc2b752a30e70329 |
| SHA512 | 83ae0189bb880fe82ae83e2059443919e0fcb0339d27d2d6e1a553bf213f7f3377760402285e8ab39277963b9c199b1c4abf2f82b9c8a42c09b3211dadd6cd84 |
C:\Users\Admin\AppData\Local\Temp\meIoIkYc.bat
| MD5 | 38f5aa9e647da46d27379b64056c2f46 |
| SHA1 | 3016e03e3769057b36fcff7c412fdf998d1e5525 |
| SHA256 | 9450c88efbdf8059cea8607977b27a1b910132ab75f2b0a77e8875b493b9f862 |
| SHA512 | baa53b3bd72a254b104fc1234c31994ee5894ad8e5894b504b06cafd8cac3858a6eeeafe07015f794805077c6ffe850924136189faadbcabba8be974f184ea76 |
C:\Users\Admin\AppData\Local\Temp\WEMo.exe
| MD5 | 34ca11bac21675ee82a18878a63077e6 |
| SHA1 | 6b95f96511c9be37b3744df4ede1a5a3e75663df |
| SHA256 | e670459c9185732a5d4865f7050975e079e5e697e45dde91bd2699ac9f4c2164 |
| SHA512 | 55f557dde93a3edac0f007698a811491f641aeb1fbf1b1d8c48c8207d35fb2dc36469c02d6d166e669423e34f4ef32bc6fc9edc2d80d9a022be365a12deaeb8c |
C:\Users\Admin\AppData\Local\Temp\MQMe.exe
| MD5 | daee56dfd29f4752c63173ac602cf7ac |
| SHA1 | 2bc85a28278f80a86aff4fa5860df8a2547bf149 |
| SHA256 | 6d41536803c4633be3ec4accbca2c15959abe9fe87e8f37c28abb44fe5e71f06 |
| SHA512 | c2e41f40bd08f38a613d93a31b6746c505ca86707af956a6f79d7ec3789f23c4b326668b3a19e79ea3c847e2e68f5603f03de280b8829faad40ff37d04688089 |
C:\Users\Admin\AppData\Local\Temp\SkcS.exe
| MD5 | f0d713f45c0fa187c9eab5e9412f6033 |
| SHA1 | 89ad997ba93f8858ac9aecc07958d74f8490e9a1 |
| SHA256 | 6b78cb305ddd49c6951dd3cf87b63273bd292df5d5437508ed8b5e51f2892516 |
| SHA512 | ad30a73042b900510ad8a4ff29208037241f794355c5dbb0e8e760e1109df41a0489306b87df8bbd6c26f20c4521f3451ae2dbc3dcc72a5408c844d471426495 |
C:\Users\Admin\AppData\Local\Temp\QEIoAooM.bat
| MD5 | 9ec10bb5c27eacf4046f55c700ff45d1 |
| SHA1 | 48f6c8b3d350b492e39581e05988533f1b22c172 |
| SHA256 | 376d8f7e18574ff8c824e5644825617cf664ed86968945a66936c09f9f5d9b9f |
| SHA512 | cb6449cf31614170e2e2e4e239dcc28783d7be10191e6c584004a18dd981db5a39c7dfd42fd13bf3b35de57ce89f8eea1297ed21431542dc01c79b3f486378df |
C:\Users\Admin\AppData\Local\Temp\eUAQ.exe
| MD5 | c95ef80e4073fb2c5212fa792cef6f8f |
| SHA1 | c2996d6ef02974fd29dcee2f6101277bf9d256c6 |
| SHA256 | 710f6b2b7b6229c573f00b80cbc8057a913b82e32b26c82b99cd17019867964f |
| SHA512 | dd81a6ab373eb4eef89ad182f5365dce133ef86375986a79ba30518d8a324d9e96b492f7aed53a583a042b08eba708c11239663e8de2a5a533c2e0683e4d2118 |
C:\Users\Admin\AppData\Local\Temp\KcMk.exe
| MD5 | b90836a349fc03b9863a9e06a32e35a4 |
| SHA1 | c0e24a206094cf4ebce1ac13238e321242caeb57 |
| SHA256 | 18590ddc845cd4779de543e1889f3359f651cfb1aea37dc1297f57c2db51f9f6 |
| SHA512 | 6696745480283361f0f202d36e2f96eb4bab85fe2748b4fe91d9f4ebb9704584bacc285e5b88071e878e2ad2e24c20bc1a0a49ed8b887762884b7b4ce3df04c8 |
C:\Users\Admin\AppData\Local\Temp\uAsy.exe
| MD5 | 30cd3cb783a3b2f516af17fab8faf34e |
| SHA1 | 55094dc1fe554fb2a889f6a3cddb3c0f0a40a6fb |
| SHA256 | d6823e345d11dd630f83b1ad493516517bcccc46a2c55f2b7e8f822054bb3df1 |
| SHA512 | 6ed18acfec3ec279fea4b016bb301fb968c66888047808aab8e6454089bd6c80d856eed9ce0b15537e2f6019e8974a9a04255195d4b722126301d2b5b9e3e358 |
C:\Users\Admin\AppData\Local\Temp\FysEUkYs.bat
| MD5 | 0fd2f5c1b85b75cd5c918f867702b0f8 |
| SHA1 | dbd8f0b17c7b41553cc689028e21f3135936991b |
| SHA256 | 69e4c6afbb44f82287949719933a107baddf3f53e0f578e5326e3cf4315a08ae |
| SHA512 | bf8e6e07d799f1a04c6f5e7be265a3fcb4b733040cbc0fb3d10ab87bda2915c12328ffe6afdb20db19753fe616b43885bdc4969b47bc6d259f490ee1bf694590 |
C:\Users\Admin\AppData\Local\Temp\UgAK.exe
| MD5 | f2a1618e2ae2680219979f80eae03d4b |
| SHA1 | 8b3a157c3207660612ea868cda4e3c30561a1d85 |
| SHA256 | bb978b4319deae7842a070039320c208af75c78c46bb08d50496b4fb9b1d5d1e |
| SHA512 | abc8c847fd237042012d1b9866ccc02d619223c2313432d5839a1ecd677b6dff62eef1e7766393cf1e70aed87a9de49f34292467179946447aff4a1898b35e61 |
C:\Users\Admin\AppData\Local\Temp\Agso.exe
| MD5 | d31d3acc943bc6089e6d66c199e3a0ca |
| SHA1 | 5625bf79109ced1ce3934eef9762cbb0b3f0e23d |
| SHA256 | 911ee6efb4b75e4a3de40adeeec5fc0a8fbca9e97ecde3f649d4c5991c9efadc |
| SHA512 | 648710653b48537868bb357c18db1c2980c10a88bf87397b000917164ce1a6ebe4406b696ce1097d99577904ccb873eb09bdbd53b0b304e8ea547232fc43b678 |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile44.bmp.exe
| MD5 | bd3620d10405f024c6c1bcc8fb336751 |
| SHA1 | 089be102115a8291f60d24f661d861aa28606f3b |
| SHA256 | 0badabbd0b173f7f180a72087553045a9a74a1f7e86725064407432752661517 |
| SHA512 | 86f6c48cc83eee1a8470f4bac14f760184300964d23d504b65127d97ca03e8030b8a08c0d0ed157acfcade13d8130415fcfd057eef6a8c43cf3735a4fe523a25 |
C:\Users\Admin\AppData\Local\Temp\XIcoQYco.bat
| MD5 | 23272ba8753a6c994c32fed7d19aeb2f |
| SHA1 | 2d64a37b693b4b621dba64e2287d145a9482fc6f |
| SHA256 | 040215464baab943dde66814658fde25184d5af5b73832abf197b96766033d6e |
| SHA512 | 3e22080c07a199883b71abf758499695193a3fd2687172d696952bb57b82f2f7d5a2c817d797fbd0a74e026055445a9e5d4ddb87c92ae57adcbf8f413f4f9204 |
C:\Users\Admin\AppData\Local\Temp\BIUUIwME.bat
| MD5 | b36ae33d67be333b8e902cd7680ae4a4 |
| SHA1 | 38ad0055538e19f4e8bda9012e0e34a53d2226d1 |
| SHA256 | 5ceab7efc7955a15af67e978727bee0c1b3f2213c06ebfd9e0f8dfbca48806c5 |
| SHA512 | 5352fc9db65b8cdc6e5a6e767b0046c0bdd1b0e720c39efcebebffe3fc7e2deb32fd5554c546b16ced565da63b8cdfc7f3a9c257fbb0104c0d7073e70fbd9165 |
C:\Users\Admin\AppData\Local\Temp\SAIq.ico
| MD5 | 6edd371bd7a23ec01c6a00d53f8723d1 |
| SHA1 | 7b649ce267a19686d2d07a6c3ee2ca852a549ee6 |
| SHA256 | 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7 |
| SHA512 | 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8 |
C:\Users\Admin\AppData\Local\Temp\KoYi.exe
| MD5 | af6c29b6ee92a0e6183c5ae57dbc9069 |
| SHA1 | 4851010f5d91fc98189515bef83697e3c64a0992 |
| SHA256 | dfaed46becdb0864bd51f1183ebb779092cf1b53f6d17e9ce56e3d09275f5946 |
| SHA512 | 829c04378ce5bfd77d8603b48b96276f3d647b1577bb39cff956d75d8e4aa372c8d0ecb0c01c8b89b03d4ffa83f8134e5b5af11f9b5b292339c68127e1822dd2 |
C:\Users\Admin\AppData\Local\Temp\McgQ.exe
| MD5 | e08fc116fe327dc0dee82cb3b5d708db |
| SHA1 | ba099a9e8e0953ee30916f3bfd6663dfaae1e828 |
| SHA256 | bcb34f7ceb691783f295ca852405848e7afdbfe1b40be00ac04af587cd33513a |
| SHA512 | b4f453630a364025938522e1a5a4a9028cdbad86a4fe2ccf091e98cadd66bc94b0ef4867d67377a04417213b3e3af62c74b4c1d2d3940aeb4bae04f59c76f4d4 |
C:\Users\Admin\AppData\Local\Temp\SkoU.exe
| MD5 | 7e7b6a7f461addd3d610f26242416e53 |
| SHA1 | 083217e00a4e175b7b4db59d514bc9475edc2249 |
| SHA256 | 1a6f2eeef9877295a5f68fbe32eae11bde4827b7e26939b6e3acf6ae09bae4f2 |
| SHA512 | 3f675a6582dc0a0ef582cf85932dad0ee7938e893633d1f611e31731a39564d1defda4dbc75ac7f801c65ea8a5262b0427e8be95b92186bfb0502d6f43c425a5 |
C:\Users\Admin\AppData\Local\Temp\UUAw.ico
| MD5 | f461866875e8a7fc5c0e5bcdb48c67f6 |
| SHA1 | c6831938e249f1edaa968321f00141e6d791ca56 |
| SHA256 | 0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7 |
| SHA512 | d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f |
C:\Users\Admin\AppData\Local\Temp\aIwq.exe
| MD5 | 181278048e2cd5e9cf74f8ac48b5cd02 |
| SHA1 | b91aff7d1e863b298ca5805c2d9df5d6504480f7 |
| SHA256 | 73e21734b3c81295c56a02bc19750e6a2e57307928304be8987794ef168c54dc |
| SHA512 | d46081c5ddbf1eed96238aac1c355842459cdf5ac46d6b1d15131c633205b7e6d713ffcfd4e81d2fd47cf1491e693e8f7725a69d7976c69814eb3472fee20af9 |
C:\Users\Admin\AppData\Local\Temp\eqYUkAsQ.bat
| MD5 | fea32997ef7c49d96ab712b7530f4996 |
| SHA1 | f619a7bf3399e1e450c854e169bbd9c613bc295e |
| SHA256 | 53d33baea6f963789252b491817c99dfd820f7ae36fc13d15b4bbdadca6fd530 |
| SHA512 | dc0c680506cb9cf5829fb7efb7f79849db8102f56d2e8d9855f9a496d4d9b8ae3c133548e8538620fd749cf8434523e98b5e1490d257b8a18631fb896b635584 |
C:\Users\Admin\AppData\Local\Temp\WYcG.exe
| MD5 | 60686c726867277db3340a3d17def19f |
| SHA1 | 3aa26559fc29c26b201a32d94f791bf282335f16 |
| SHA256 | 201c07355c798ddbf56f0845b27cd5b896a6cc163a1df5a3760ffef153010496 |
| SHA512 | ba72cea43b8b62ad4abdd2a08209cbd5f677178095dc2b96eec020c36d96ab01aed5041b82dd7c79717c2ab7d3b4f145e87a579ee691bcf9e91c6dbd512df2fe |
C:\Users\Public\Pictures\Sample Pictures\Hydrangeas.jpg.exe
| MD5 | f73d982d501c71e56fb775f7b7eed848 |
| SHA1 | c1d525d9c15c298bd159821eae1932ff429a1139 |
| SHA256 | 062abd92628e41854fd84682c72481b2c5c6caa9b32448c2f704af6a7708c38f |
| SHA512 | 923ac3aefd7ff71da694b9e700b0eba7d5d855856b412c5d7c9b7de315c38ddcc1f4f7b3c90c927839220f075bc4e8d7454c2751a130161d0de00db705d717d5 |
C:\Users\Admin\AppData\Local\Temp\GYAm.exe
| MD5 | 5e14f2be1a11ab3e953c8f96aa554910 |
| SHA1 | 095e92a9b662b365282f8a9e566d32a1f0f09870 |
| SHA256 | 8f21c195384830dd6a7f75cb5218f7207b5f56f3f01765a1ef41e589c0ab4dbf |
| SHA512 | d3df67e7fa3e2cf036884719446dc3000408bafb41a993d5ca981bc1324b3a3f74c0260865825630dd1377c109d375746277d20f08f022ab13cece9186efad6e |
C:\Users\Public\Pictures\Sample Pictures\Koala.jpg.exe
| MD5 | 0e5a52c4734eb8eb8f39f8feb91b1525 |
| SHA1 | 689b5f3748203680ed5dfb70250564c28e454fac |
| SHA256 | 85bf26a029e79d8f2a0444e970b68aac2c97daf6fa01f618bb3a94983820df7c |
| SHA512 | cc419b9053b4df60930c9d4db878d25d114af884a72a84068503254a00537db3b855e3112041ccf3551c0eaa04b6383fced6cbd6224c99e692c4b9bfe058b9bd |
C:\Users\Admin\AppData\Local\Temp\oKEcskcU.bat
| MD5 | bb96748e1a64ec6ad28df94573758dfc |
| SHA1 | 094b16b65189208077388ee70e0db815f6387829 |
| SHA256 | 4f57c44e660541002b34095d7222671ee470b44d77bcb0c0bbdabf421bac0a3c |
| SHA512 | 323e7aacc627a64a549352ae9f3d571b89e63a4b26f7524c6b19c9b3b9ae789959def71b394ffe5fc1917c8e2d85c88e3d10c54db628a4f892150b33c7aae7c0 |
C:\Users\Admin\AppData\Local\Temp\IcAe.exe
| MD5 | 59b1557dd1f4c14078f972867797683a |
| SHA1 | 1d419c97242124a5528fed8bfe55a1f61d1f7a4c |
| SHA256 | 6c49d6b314457e55707ffe8e58833d470d22950639480519dcf8d1fed882ae70 |
| SHA512 | 4da488e1d7eb3c489b396916539c7d62fbe46af9e3bb1e91cbca524ea656d59e26ef537f005bce961f736aeb77613f89dee68436eb43093d424d0cb81a4d9b92 |
C:\Users\Admin\AppData\Local\Temp\kwYA.exe
| MD5 | 9fd8fd35fb3822c55cbe099e92905814 |
| SHA1 | 0c67a2dfb0427ac10203e82881fac25cc71adf8e |
| SHA256 | 32144d30b6e83cbbea029cbf0d0997c677ef4ed2cee448f269c66c9d265443d3 |
| SHA512 | 9d7529bd2e2a4e6a8882859d4dc19c341f13ef27acaac7066a077672e444c850893b94694f5bcc7f9eb4a626be66fc6650d6d8f379695534db2b19f8cea0622a |
C:\Users\Admin\AppData\Local\Temp\akUckcgo.bat
| MD5 | 79de3ff311a49f62255ecb2d4689a629 |
| SHA1 | 11bda7e2a3eecb6e917cb716d3f74f007d5c6df4 |
| SHA256 | 7a8df5944a7aa1b2dd4f4636d7fc99a3705baadcc30951ec0c56dce2917dc332 |
| SHA512 | 56f39591017bc86539c471611540ba85388772a9a603fd02a35b3f9465f3a99ab39eea3f81c873abd85a7c2a2bae63beb819b51ba75f42f515e64476b8bf96a6 |
C:\Users\Admin\AppData\Local\Temp\WegkQogs.bat
| MD5 | 4621b836b3d9dc923cbc75a8f76475b8 |
| SHA1 | 0665a739073aedcba27f382863fd25e06072597b |
| SHA256 | 579b4c1efa4022d0c520ff65e25214a4e1128901b71f2a054d530cd23574fa92 |
| SHA512 | c1a85d7bee7270c6cfe910e5e5cc50d67604a77bb10d2229bf124f554b5d8e5795c99ce11bd01b577d8d9fb4934c3cdc9531a3c07e362cdbf13c95abc8b3591a |
C:\Users\Admin\AppData\Local\Temp\KkYIwsEQ.bat
| MD5 | 6507c965c7ca51c87f9743094ea16e28 |
| SHA1 | 6242860f6703004c85f8888f0bf8e396f14f7df5 |
| SHA256 | c53b4761b1b8f389b4f39656765814acf2718dab41067709c899bcd4e014c463 |
| SHA512 | 2284645b1b09239eb57c7e216a4fa2ec7503c7e3881bc3e3bec5b17e98af53bafd5eb5886597352dc3938bacb581bf8d7b7ea122635a5e659f26415b4008d518 |
C:\Users\Admin\AppData\Local\Temp\lycgwUAE.bat
| MD5 | 2c0a5337bc0285092f12327da86c7396 |
| SHA1 | ffdf2c1c86e8247d753d1d36e6cb1b9efd0f7c8c |
| SHA256 | ee4593f6030a5f64ed76c36c123b2533ab86ffd79a2f824ae811fcc22f5419f6 |
| SHA512 | a41d1464bd214562e1f54ad9e1b16238ea9f0d96b3de0428b4e5f54798ae9588aa938ed45376d47c5797e1dab94dcb802e41abcd9160412f57ca0523bcac96fa |
C:\Users\Admin\AppData\Local\Temp\xeIkwsko.bat
| MD5 | 5a419d1c913951bc0ecbdc2a224f43b5 |
| SHA1 | 429e47b551c44770f694c73529b848bb6cf10cfd |
| SHA256 | 05eabd04c1b577e2b9c96388659c3140b899f47da3ee2cb87c838fedca9fc87e |
| SHA512 | 89ee8d133850133beb3f188b7317fe1a67f127c3a5715f8fda7b97264c692223e05f1547f26c69921988f2c66dcd7c9ebe6f2b9b1b2b1be2174491e1af2518fd |
C:\Users\Admin\AppData\Local\Temp\LOgMsQcE.bat
| MD5 | 177f5215dc96b58d071a0cc1943242d2 |
| SHA1 | a7e6e9ae8179b62414bf9ca599ed08c01e8eb398 |
| SHA256 | e33726b8f577250325cc211671fa4ab6e968da668d6b37fe412bba2b025d2355 |
| SHA512 | e515a71d3ff443effbed5162b6b4aae918ea352293a52cf4a6fdf3ba9c4c0cdbaa7f1206146f4118067db6f2737169dc12d9fa820ae86b8a36acaca96005cb49 |
C:\Users\Admin\AppData\Local\Temp\rWYQAMEY.bat
| MD5 | d097d1b38d1ca8a60bc265773d9c3760 |
| SHA1 | 8eaa1e0cc6ed26d2faf8b6d9fdedc23efa524ad4 |
| SHA256 | 89f7ff1fec226b871cdbd00476c8b382d5223fb8a5051dc2afd2eb6bd8de6108 |
| SHA512 | 7137c25ade35a21141a33ca87872dfd15fb6269904722dfe0808b4248ee36a526d96499f4db93e36560c9dec12acb85018abe68faac4ea8f9e93eb11ad79d4ac |
C:\Users\Admin\AppData\Local\Temp\qokAwkoM.bat
| MD5 | 5e8fc13736682c873ba4bc4a6e7eb570 |
| SHA1 | da5912bc54a8545170263e4cf43dda9839fb9b65 |
| SHA256 | e777cd954b2fbf51b76ca7359f7d87f0292439584b857b9a8a7a65b57c4c638d |
| SHA512 | 2602262dfe444898f341542c3fbdcab0b4667fe37d38c7d84eb48409791ffc0b65aba62b9efde31ef896e5098934c2422094016cc17882e98984ad6e74a713b0 |
C:\Users\Admin\AppData\Local\Temp\yCwUoMgg.bat
| MD5 | aa97edddcaa4a479e3ee785e85ab5769 |
| SHA1 | cd8cd6527b661030c6f3a31fc8e65ff75655a2b4 |
| SHA256 | 950a77d0e8899aaa82aabbea4d04ab0db05170c9309bcd3196f69cb8b8ef9a92 |
| SHA512 | 58c5108b8fc4858e6067ee737acce7178e89d6dd16540a107271d852dadfa87ff9c0f1389d32b8a934eb43112b402eb84ae2bca893333ac33d8e3f0decd92fa0 |
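The dropped-file list above pairs each path with its digests, and two of the paths (Hydrangeas.jpg.exe, Koala.jpg.exe) are the VirLock pattern of a real extension appended behind a decoy one. Since the same run later sets HideFileExt to 1, Explorer drops the registered trailing .exe and shows the user Hydrangeas.jpg. The Python below is an added example, not part of the sandbox report: it parses this page's path/digest layout into records, produces a SHA256 blocklist, and flags the double-extension names. The sample input is three entries copied from the list above; the function names are the example's own.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: three entries copied from the dropped-file list above,
# in the layout this report uses (a path line, then one "| ALG | hex |" row per digest).
SAMPLE_REPORT = r"""
C:\Users\Public\Pictures\Sample Pictures\Hydrangeas.jpg.exe
| MD5 | f73d982d501c71e56fb775f7b7eed848 |
| SHA1 | c1d525d9c15c298bd159821eae1932ff429a1139 |
| SHA256 | 062abd92628e41854fd84682c72481b2c5c6caa9b32448c2f704af6a7708c38f |
C:\Users\Admin\AppData\Local\Temp\GYAm.exe
| MD5 | 5e14f2be1a11ab3e953c8f96aa554910 |
| SHA1 | 095e92a9b662b365282f8a9e566d32a1f0f09870 |
| SHA256 | 8f21c195384830dd6a7f75cb5218f7207b5f56f3f01765a1ef41e589c0ab4dbf |
C:\Users\Admin\AppData\Local\Temp\oKEcskcU.bat
| MD5 | bb96748e1a64ec6ad28df94573758dfc |
| SHA256 | 4f57c44e660541002b34095d7222671ee470b44d77bcb0c0bbdabf421bac0a3c |
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
PATH_RE = re.compile(r"^[A-Za-z]:\\")
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9A-Fa-f]+)\s*\|$")


def parse_dropped_files(text: str) -> List[Dict[str, str]]:
    """Turn the path/digest layout into one dict per file ({"path", "md5", ...}).
    Digests are lower-cased and length-checked so a truncated hash is rejected
    rather than silently added to a blocklist."""
    entries: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if PATH_RE.match(line):
            current = {"path": line}
            entries.append(current)
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            alg, digest = m.group(1), m.group(2).lower()
            if len(digest) != HASH_LEN[alg]:
                raise ValueError(f"{alg} digest has wrong length: {line}")
            current[alg.lower()] = digest
    return entries


def sha256_blocklist(entries: List[Dict[str, str]]) -> List[str]:
    """Sorted, de-duplicated SHA256 values for hash-based blocking."""
    return sorted({e["sha256"] for e in entries if "sha256" in e})


def hidden_extension(path: str) -> Optional[str]:
    """For names like Hydrangeas.jpg.exe return the decoy extension ("jpg") that
    the user sees once Explorer hides the real, trailing .exe; None otherwise."""
    parts = path.rsplit("\\", 1)[-1].split(".")
    if len(parts) < 3 or parts[-1].lower() != "exe":
        return None
    return parts[-2].lower()


def displayed_name(path: str) -> str:
    """What Explorer shows for the file when HideFileExt=1: the registered final
    extension (.exe here) is dropped, leaving the decoy name."""
    name = path.rsplit("\\", 1)[-1]
    stem, dot, _ext = name.rpartition(".")
    return stem if dot else name


def double_extension_drops(entries: List[Dict[str, str]]) -> List[str]:
    """Paths in the list that carry a decoy extension in front of .exe."""
    return [e["path"] for e in entries if hidden_extension(e["path"]) is not None]


if __name__ == "__main__":
    parsed = parse_dropped_files(SAMPLE_REPORT)
    for p in double_extension_drops(parsed):
        print(f"{p}  -> shown as {displayed_name(p)}")
    print("blocklist:", *sha256_blocklist(parsed), sep="\n  ")
```

HideFileExt only hides extensions Windows has registered, which is exactly why the appended .exe disappears while the decoy .jpg stays visible; a single-extension drop such as GYAm.exe simply shows as GYAm and is not flagged by this check.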
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-20 16:54
Reported
2024-10-20 16:57
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Modifies visibility of file extensions in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
The row above is recorded 64 times in this detonation (64 identical events).
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
The row above is recorded 64 times in this detonation (64 identical events).
Renames multiple (78) files with added filename extension
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\iSMQUskw\jwkoUgMM.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\iSMQUskw\jwkoUgMM.exe | N/A |
| N/A | N/A | C:\ProgramData\CosIIEMs\JGQUEcAk.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jwkoUgMM.exe = "C:\\Users\\Admin\\iSMQUskw\\jwkoUgMM.exe" | C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JGQUEcAk.exe = "C:\\ProgramData\\CosIIEMs\\JGQUEcAk.exe" | C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jwkoUgMM.exe = "C:\\Users\\Admin\\iSMQUskw\\jwkoUgMM.exe" | C:\Users\Admin\iSMQUskw\jwkoUgMM.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JGQUEcAk.exe = "C:\\ProgramData\\CosIIEMs\\JGQUEcAk.exe" | C:\ProgramData\CosIIEMs\JGQUEcAk.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\shell32.dll.exe | C:\Users\Admin\iSMQUskw\jwkoUgMM.exe | N/A |
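The registry and file-creation rows of this detonation (HideFileExt set to 1 by reg.exe, EnableLUA set to 0 under HKLM, Run entries whose commands sit in the user profile and ProgramData, shell32.dll.exe written into SysWOW64) translate directly into host detection logic. The Python below is an added example, not sandbox output and not the sample's code: it runs four such rules over a constructed event list that mirrors the rows above plus two hypothetical benign events, and the event schema (kind, process, target, value) is an assumption standing in for whatever an EDR or Sysmon pipeline actually emits.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Event:
    kind: str         # "reg_set" or "file_create" (assumed schema)
    process: str      # image path of the process that performed the action
    target: str       # registry value path (NT form) or created file path
    value: str = ""   # data written, registry events only


# Constructed events mirroring this report's behavioral2 rows, plus two benign ones.
SID = "S-1-5-21-4089630652-1596403869-279772308-1000"
HKU = "\\REGISTRY\\USER\\" + SID
HKLM = r"\REGISTRY\MACHINE"
REG = r"C:\Windows\SysWOW64\reg.exe"

SAMPLE_EVENTS = [
    Event("reg_set", REG, HKU + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt", "1"),
    Event("reg_set", REG, HKLM + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA", "0"),
    Event("reg_set", r"C:\Users\Admin\iSMQUskw\jwkoUgMM.exe",
          HKU + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jwkoUgMM.exe",
          r"C:\Users\Admin\iSMQUskw\jwkoUgMM.exe"),
    Event("reg_set", r"C:\ProgramData\CosIIEMs\JGQUEcAk.exe",
          HKLM + r"\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JGQUEcAk.exe",
          r"C:\ProgramData\CosIIEMs\JGQUEcAk.exe"),
    Event("file_create", r"C:\Users\Admin\iSMQUskw\jwkoUgMM.exe", r"C:\Windows\SysWOW64\shell32.dll.exe"),
    # Benign (hypothetical): the same setting changed through the Folder Options UI.
    Event("reg_set", r"C:\Windows\explorer.exe",
          HKU + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt", "1"),
    # Benign (hypothetical): an installer registering a Run entry under Program Files.
    Event("reg_set", r"C:\Program Files\Vendor\updater.exe",
          HKLM + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdate",
          r"C:\Program Files\Vendor\updater.exe"),
]

USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def check_event(ev: Event) -> List[str]:
    """Return the names of every rule the event matches (empty list if none)."""
    hits: List[str] = []
    target = ev.target.lower()
    proc = ev.process.lower()
    data = ev.value.strip('"').lower()
    if ev.kind == "reg_set":
        # HideFileExt=1 is the Windows default; the signal is the command-line
        # tool reg.exe re-applying it, not the Explorer UI doing so.
        if target.endswith("\\explorer\\advanced\\hidefileext") and ev.value == "1" and proc.endswith("\\reg.exe"):
            hits.append("hide_extensions_via_reg")
        # EnableLUA=0 under HKLM\...\Policies\System turns UAC off after the next reboot.
        if target.startswith("\\registry\\machine\\") and target.endswith("\\policies\\system\\enablelua") and ev.value == "0":
            hits.append("uac_disabled")
        # A Run entry whose command lives in a user-writable location.
        if "\\currentversion\\run\\" in target and data.startswith(USER_WRITABLE):
            hits.append("run_key_user_writable_path")
    elif ev.kind == "file_create":
        name = target.rsplit("\\", 1)[-1]
        # e.g. shell32.dll.exe: a system-DLL name with .exe appended, written into a system directory.
        if target.startswith(SYSTEM_DIRS) and name.count(".") >= 2 and name.endswith(".exe"):
            hits.append("double_extension_in_system_dir")
    return hits


def scan(events: List[Event]) -> Dict[str, List[Event]]:
    """Group matching events by rule name."""
    findings: Dict[str, List[Event]] = {}
    for ev in events:
        for rule in check_event(ev):
            findings.setdefault(rule, []).append(ev)
    return findings


if __name__ == "__main__":
    for rule, evs in sorted(scan(SAMPLE_EVENTS).items()):
        print(f"{rule}: {len(evs)} event(s)")
        for ev in evs:
            print(f"    {ev.process} -> {ev.target}")
```

Two caveats belong next to these rules. HideFileExt=1 is the Windows default, so the value on its own is noise; what stands out in this run is reg.exe writing it repeatedly (64 times above). And EnableLUA under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System can only be written by an elevated process and takes effect after a reboot, so the "UAC bypass" label here describes UAC being switched off for the next session by code that already holds an elevated token, not a bypass of a live prompt.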
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\iSMQUskw\jwkoUgMM.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe"
C:\Users\Admin\iSMQUskw\jwkoUgMM.exe
"C:\Users\Admin\iSMQUskw\jwkoUgMM.exe"
C:\ProgramData\CosIIEMs\JGQUEcAk.exe
"C:\ProgramData\CosIIEMs\JGQUEcAk.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jwgIAsoc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BEEsUAks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TOAYIwEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HAYwMQUg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TEgswggE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AGIsIocc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kSQEQUUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UCoAssYc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YsokgkME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZaIsMkgI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nucsEUgo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rmEYYYwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nQIYQMso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cCQoQEkc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SAkcEkAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MwgsYcws.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\REYUwQMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\deksQEQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BQQQkgoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zKEIAkUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gggAcQIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sUkAMgkY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ygEUwUEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\emEgoAUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yAgsoIMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zSgIwQQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tuwYYYcM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xuQgwQYY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QowIkQEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\omsAgoIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\swIoAcck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zAoswEYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TGMIsccQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LUoAUsMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jIcEAMEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WEsMAUUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SMMQsMAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iIwEYkYI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XEgcUcAo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PcYMkQAc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HUoAsYkw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nAEUwwEU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wSEEIAEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SyEEMYAU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qUwcAMwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lMgIAcgU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jWwUYkcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmsUgUQs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xgAIwgIk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eQIYYgkc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uwEAUYsw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jQAkYIoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TKYYMIUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LYQQEIkQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VIAsIgYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QeUYcUIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AKEcAwwg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UwAgIocw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XiEQQMQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lcMcAMQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xQEcwIws.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cWIosgQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MisIQcws.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EWIkAckc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QMoIMQIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fiEUgwsA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zQIMMcEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tCsIUMks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SgAcgYIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uiMYgocs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ewIwswkk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nSIQoEUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RqoscgwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| BO | 200.87.164.69:9999 | | tcp |
| BO | 200.87.164.69:9999 | | tcp |
| US | 8.8.8.8:53 | google.com | udp |
| GB | 216.58.204.78:80 | google.com | tcp |
| GB | 216.58.204.78:80 | google.com | tcp |
| US | 8.8.8.8:53 | 78.204.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| BO | 200.119.204.12:9999 | | tcp |
| BO | 200.119.204.12:9999 | | tcp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.209.201.84.in-addr.arpa | udp |
| BO | 190.186.45.170:9999 | | tcp |
| BO | 190.186.45.170:9999 | | tcp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | | udp |
Files
memory/4608-0-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\iSMQUskw\jwkoUgMM.exe
| MD5 | 6c6ea805f10dcd86621d212127d4f58a |
| SHA1 | d24d53bc3c5bd53ec2bb2d728ed6eed841e2d422 |
| SHA256 | 6b903481e238897f51c99429b7f6120759b8c2aacbb913693818285ec18c48ae |
| SHA512 | 494592d7e0db5fa7afc910b4c1afdd3f0be5d1848a5aaf92cf7e3c813a1a82ff14d2da1a671547cb67d79d1d82cab22fa054952a9ea3e363b86e25647264e04d |
C:\ProgramData\CosIIEMs\JGQUEcAk.exe
| MD5 | 4173e2834c5a9216cf7f7bd62d5aa6d1 |
| SHA1 | 3944fa5f95d6271846dc82e077eeb40269540917 |
| SHA256 | 840cc77f6210359e377cd22387fae0e821e4e691094d41fcedd829ba85db5de5 |
| SHA512 | 39764284c00ce6f298c6eab156936413b033c1ad29b86ac6dea5017a91faf643d363b69204d1eb4deb6cbbd29cd2e6d59150885daeca0d95b0e7b3739f5b6ef7 |
memory/2132-12-0x0000000000400000-0x000000000041D000-memory.dmp
memory/4756-15-0x0000000000400000-0x000000000041D000-memory.dmp
memory/4608-19-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\jwgIAsoc.bat
| MD5 | bae1095f340720d965898063fede1273 |
| SHA1 | 455d8a81818a7e82b1490c949b32fa7ff98d5210 |
| SHA256 | ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a |
| SHA512 | 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024 |
C:\Users\Admin\AppData\Local\Temp\file.vbs
| MD5 | 4afb5c4527091738faf9cd4addf9d34e |
| SHA1 | 170ba9d866894c1b109b62649b1893eb90350459 |
| SHA256 | 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc |
| SHA512 | 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5 |
C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
| MD5 | 5861d4e6983be2b92122bcfb7d239eb5 |
| SHA1 | 892a1af54e23a9960f63eae6369c526ef325b77c |
| SHA256 | b3de971f88cdd8219cd9bf4a1212107b4052f468caac1f196d756ddf095acb48 |
| SHA512 | af3ce9a9c4a7be34e1d75bd9e25b483cfadc18e50cdb3229c5bc70bf965f6c478a707711154066c446f84ae5b6216917dd34935ee69772c305a00bc6d5040178 |
memory/2744-30-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3960-41-0x0000000000400000-0x000000000042B000-memory.dmp
memory/4932-52-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3124-63-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2200-74-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3408-85-0x0000000000400000-0x000000000042B000-memory.dmp
memory/4728-93-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2524-97-0x0000000000400000-0x000000000042B000-memory.dmp
memory/4728-108-0x0000000000400000-0x000000000042B000-memory.dmp
memory/820-119-0x0000000000400000-0x000000000042B000-memory.dmp
memory/956-130-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2696-141-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3908-152-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2124-163-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3236-174-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1284-185-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2816-196-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2384-207-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3044-218-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1900-229-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1268-240-0x0000000000400000-0x000000000042B000-memory.dmp
memory/4136-248-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1416-256-0x0000000000400000-0x000000000042B000-memory.dmp
memory/924-264-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3596-272-0x0000000000400000-0x000000000042B000-memory.dmp
memory/4852-280-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3636-288-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2016-296-0x0000000000400000-0x000000000042B000-memory.dmp
memory/968-304-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3632-312-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3964-313-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3964-321-0x0000000000400000-0x000000000042B000-memory.dmp
memory/4808-329-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1444-337-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2036-345-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3516-350-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1736-354-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3516-362-0x0000000000400000-0x000000000042B000-memory.dmp
memory/4776-370-0x0000000000400000-0x000000000042B000-memory.dmp
memory/4364-378-0x0000000000400000-0x000000000042B000-memory.dmp
memory/816-386-0x0000000000400000-0x000000000042B000-memory.dmp
memory/4472-394-0x0000000000400000-0x000000000042B000-memory.dmp
memory/5028-402-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2592-410-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3124-418-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2824-426-0x0000000000400000-0x000000000042B000-memory.dmp
memory/824-434-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2044-442-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2036-447-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2000-451-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2036-459-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3668-460-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3668-468-0x0000000000400000-0x000000000042B000-memory.dmp
memory/4136-476-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1668-484-0x0000000000400000-0x000000000042B000-memory.dmp
memory/4516-492-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2876-493-0x0000000000400000-0x000000000042B000-memory.dmp
memory/4516-501-0x0000000000400000-0x000000000042B000-memory.dmp
memory/4744-502-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ycIc.exe
| MD5 | a8e5e46f5c45f713e4cd9e93d13fd10b |
| SHA1 | 9085eeb2bb7de25b22ba2be1cf6a1c0dab6ce7f1 |
| SHA256 | bc2037d639af62aec4d46ea296fd516e7b14f95061f4f3ea6ca2f68731a74612 |
| SHA512 | bac186bf7d4cc421ed4287d39aff07b4cf1ad3d58e34db1fca14b18fa18de6282c0e67744feb7b5e357f5ef46a43b2c76482542b007923560277b079e64dcc66 |
memory/4744-525-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\wIMM.exe
| MD5 | 4348b6495c7910c2431ab26cbf7e7e02 |
| SHA1 | f2a8f86e0d7dc23977c4ca999e54eeb921e1ca03 |
| SHA256 | ed831fd2b95dc0b2d145b0b10a70bed5c9bfd4370ee24f8988f1178b8d919d3a |
| SHA512 | d0c221c4e92994bb9a48590c5e4fa6c2ab9139f315febdb307d9abe3f714cff5f7189ec1ac1cf59b9d04594dc7ae1c2d0fb9a2b8a8e40c593f100b854671c961 |
C:\Users\Admin\AppData\Local\Temp\AQYa.exe
| MD5 | 60221fe42d3f17e6bce9ea3ec04b78b4 |
| SHA1 | e2690919f75b62b82efe00350fbfa9730595fd64 |
| SHA256 | 3a61a7069b67032c819a30e3121c536e0eae5f6b5f74dca17866952ecbdb6ad2 |
| SHA512 | d18380eb0cc48d69eda7683d6b38f77316c2b610f59b7c3f7305ea51d0ea1d0b6aa8a36b299560082d1fe351e0e6883e1467d2d1eecfd4384423ce713ffed6f0 |
C:\Users\Admin\AppData\Local\Temp\WsgS.ico
| MD5 | ee421bd295eb1a0d8c54f8586ccb18fa |
| SHA1 | bc06850f3112289fce374241f7e9aff0a70ecb2f |
| SHA256 | 57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563 |
| SHA512 | dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897 |
C:\Users\Admin\AppData\Local\Temp\gooS.exe
| MD5 | 714ebae82db851949050d900b9e443bc |
| SHA1 | 321d7c561bce834dd9f66b4558a3e13a790dd0a4 |
| SHA256 | e0bc70241d3970b6e129fed92e15cc471c108857d4a5d845f27e7c218068c47f |
| SHA512 | fa79a2ca95bb247249eca17c1a8fdb7dbc2ddf042ab658588a7fa95f4226b6669ab0ce673461db7e4d5b751c0b58b532a0f847f05d49fe4775c6ab717cfccea9 |
memory/4008-574-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3104-589-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\eEkQ.exe
| MD5 | 87709f360f7cf60554035b4333a4a3f7 |
| SHA1 | 21a4b6499b602a41a3904bb8ad3b7d54ec0c21e1 |
| SHA256 | 8374640594e04e2ab35f3ebe5cc6839b7bdff96b7753869e1cbc107ad11a6bfc |
| SHA512 | cd0ef9250f6bb2ba5a52ebc9ddc734fb9c51c47ab0292956680cfdcf2206ceffc1b3b1c7f4d33b3ab87199c0db6cdd9dcbeb3c1eca76d1bd9240c8e7a3e482c9 |
C:\Users\Admin\AppData\Local\Temp\oYMu.exe
| MD5 | 87187f1a2346496438f6d0899b5524dc |
| SHA1 | eeade7708aaa95f2cddff38a480c3a5c317af542 |
| SHA256 | 1e8bccf830b822ba6a489771403c84519cd18e3ea6480cfe594efcf4a7673307 |
| SHA512 | b1c6741e472e11fafa026de088094b22a2c70f7a8e33c2ae0ab81fbc4844aa3a5c824f8f5f8b61b3158719b11eb971e89001904224c8404f2630c62a0c4600d9 |
C:\Users\Admin\AppData\Local\Temp\MQAc.exe
| MD5 | d295c50a07c2df95096ca261ab0ea97a |
| SHA1 | 04b50c7700f543173a0815c9d6752b1e96b9e08c |
| SHA256 | db2c9c1fcf5a635de2c40dec4867067c4a5d993f6196f69bc0e282b3d57e0413 |
| SHA512 | 76531306dbce6855ccffa6eb6d7bbec03563c12538be6f3c99e8b5ce5fa06e2cc72562371e1200d8517fa2271713eb53817ab7f906f565f3bbf589d17ceaec52 |
C:\ProgramData\Microsoft\User Account Pictures\guest.bmp.exe
| MD5 | 28491651a1e7a6067ecdc773838765d8 |
| SHA1 | fc29fee7937e719c49f8c82e4001e157f0cc1da1 |
| SHA256 | 723b56a0cf1c1c4da94dfeec747ee725c74ee49d3ed1f397d4492f6c6257fe10 |
| SHA512 | a3243f3c514918871c97a92a40fb83d0c0bb3f1cda4dfd539353fdd15fa323681e291c846201c6b4b1759ce5d45d1b4ae2b0839af9f0fed7186ed7901e0f4bb7 |
C:\Users\Admin\AppData\Local\Temp\YgUY.exe
| MD5 | 99b77f33bffffc637f8c3971bdf60331 |
| SHA1 | 5b42449756cf3c68b81969ef2dff39a604799a5f |
| SHA256 | 701fd8f68eb0ae587324ac4240227f05de9558ad6cf18eb29b2fa8f9b037daa5 |
| SHA512 | 84409f376b2bca8e3bc945552b3158b6022da40cbbb67bde6e73129df5d4f902b3933c273d321ea936a3a88dfacd61390a5b3385580a7c39bbd54750bd1d8762 |
memory/3104-653-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\qkIM.exe
| MD5 | 41aa2b3b856e9f861a3fd50e17c9b534 |
| SHA1 | a2c263c63996bd80dcf6e66fcc0fc1c18e37deea |
| SHA256 | 17b4fc89066e334ddf21af7ceb7a0d370d82e29bf5b2c627a3fc8b3e20580015 |
| SHA512 | 85b309e4269cb9233c3d51620cb2426ad0f4a3c57bb53eceb32f9693372ef212ea8570d2414afc8ed7c29c7479f8bc3699ac24fc4c38271e9b7016cc4262914d |
C:\Users\Admin\AppData\Local\Temp\sMci.exe
| MD5 | f41bd051db023cfe5205a716c8850f04 |
| SHA1 | c2be8c1256b293c97ee128121694f6a28f148a49 |
| SHA256 | c7b80fa7ae34f3ce99fd0f43cb076f286a6a4f84b1cc2d8f2c5d512c961594ad |
| SHA512 | 7e38f86d519c8dcd4bc62a4d5ad08da6d0a732015ac0437dd5f5415450d7d1588f47094a7555381310c02c62e633e39a2d2cf9ddff33cf292da4c85472f0d52a |
C:\Users\Admin\AppData\Local\Temp\qUse.exe
| MD5 | 2d4f863c7b05648ad37ee24a3060a004 |
| SHA1 | 5378f446b2563fb02a007ca69ff34a7033ad6280 |
| SHA256 | 10293bc3454682149ad3c7b34b410b1932529a115aeb8dea0fb7d9a888aa114b |
| SHA512 | 72efa01a14ac63c26bccc3b108731e3eaf383a7c6fe06559d311342ac9cab8ff76218d7176f8967206ce85f78533a0b3d6a31ac7136294be565468ca70ca4b59 |
C:\Users\Admin\AppData\Local\Temp\UUcg.exe
| MD5 | e77d7a54499b76e31d9e2f692e8aecce |
| SHA1 | 0ac0e4ca184f734adc3229e540fb75dc48e4763c |
| SHA256 | bb1b1588a553527531c5edbd4f09832ebd404d646108a7577adda56358df73b2 |
| SHA512 | 4d8752eee3817eb4108042affa5489e99d976456c46bae6608b12c398b2da24245b192d2a638133e727e943b7e90789640c0875d53d9f13a267b35cf86230c4f |
memory/3708-717-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\EUso.exe
| MD5 | e3fe7e181b8a6509dba21def31035750 |
| SHA1 | d8cc5837ec643aa9f45474c0865c7fe5a53e7487 |
| SHA256 | 77d1673d271dd5260f17281f584eadb0f7b1fa84b66a1fa2890be8c9da365793 |
| SHA512 | 1167f2f39128e91987035806357b4473c08594cb3b2bd02754fa49079decf13617c7a09020f302a824ea07368caee8cf8ab07fab3481c6eb7c72a1905fbbe181 |
C:\Users\Admin\AppData\Local\Temp\msAY.exe
| MD5 | 0f40b75d348696d6722e2c9e83e75d5b |
| SHA1 | a8ec862920f832989bd9e48d48162c061433c4b5 |
| SHA256 | 17307362fb12825f8f8ed5aa65d57c567180f92ef626cf17e4ada328e7051a3b |
| SHA512 | 85ee350e367de3c390720c51ec880796ea1ecb10ddfc3f410c8afbfbcab428a39c3e43e28308ca4d5f8229f990123b99a1ac675c99b840ff1d66d4626f43cea5 |
C:\Users\Admin\AppData\Local\Temp\Akwa.exe
| MD5 | de80871d6639d9b82afe223436c4bd7e |
| SHA1 | d59223a6c6167a8907f0d2537a1743605fa16ef6 |
| SHA256 | 91ba867a0636a1019875d5ea078d9fb2a1ec4e3312bff60327e0f892f2769bfe |
| SHA512 | 01b522c2a3b24dc4e2cee044387bbabc4b0d985167e8476f807de3064cc0c519965b85078b97a8c100252296d5d204f2c8498e6605ad3f7fadccbf2c69cc3d28 |
memory/3632-768-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\kAkW.ico
| MD5 | ac4b56cc5c5e71c3bb226181418fd891 |
| SHA1 | e62149df7a7d31a7777cae68822e4d0eaba2199d |
| SHA256 | 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3 |
| SHA512 | a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998 |
C:\Users\Admin\AppData\Local\Temp\woMM.exe
| MD5 | 2e0dd107d221c56f5fac64d8c8fe5969 |
| SHA1 | 39cf7d8a25691349dcafb13d158fc06b7b5c639b |
| SHA256 | 635dc31be26f0aabd7934c5c73549e56295e0e996b198f14bea3ff559ebc7a65 |
| SHA512 | d3c89220953a576e08295576a49767c233754311ae83255e9a5e60c7e9c74bfb995c40d84915091c03801a0e2fabb05243cf24050af9cbde6086ce5bd4574596 |
C:\Users\Admin\AppData\Local\Temp\ScEi.exe
| MD5 | ef1b7e61a661c1311e884732c0dd033d |
| SHA1 | e039a51af9c778c9c3469295393e78a1e740573c |
| SHA256 | 3b31f3b4574f627789a2b2e4f9a4dd000d137f478d71fcba9998b9f91974f0ec |
| SHA512 | a4bf3d53ca11cafb510de0987af36a3dd1d970d6bf9d5b3025bc3973aed0b582caddbdacfc7a07815d521694b0dbb496e1265a36e9d2547bd913b3b3bbcc557a |
C:\Users\Admin\AppData\Local\Temp\sIsU.exe
| MD5 | a45ba9e6952038c6add9e9363ee0d4f8 |
| SHA1 | 2a675287ee2d9486a28513767438eaea78796b30 |
| SHA256 | 5b0733068803e35903f8d167aabc4dca8aa6e7978b44f7a4b4b1a67f9b5dfa5d |
| SHA512 | 2d12eaefee7523dde2ba47ab7556e6fd721408b56e4d6132e816fe34a0cb2a171a55af391123843c7d7c4a608dd8d2b6ee14c74a7bf2693d77096dd0aaf35d1d |
C:\Users\Admin\AppData\Local\Temp\Gkso.exe
| MD5 | 28efebfe530a3b02615972cfcb14554e |
| SHA1 | 5e806f765ec01bd38ae01d76cb2a1105a4fe1d2c |
| SHA256 | 7024c0b841947b7d1fabe98bbb7a3c91bdde2844ded57dc8804aff75eda60c76 |
| SHA512 | 57ab55e0f4ffe2e8e590d4e9b1d2a999e7eaddabc6ea2baba48ff69635c8bf6f7c08339b48aff58ca55ce743b729ef91f55a4942153cc259f53bd9226f5185a9 |
memory/4808-831-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CcwA.exe
| MD5 | 8d6440a51951604f1d6a2b27ccf7c80e |
| SHA1 | a8b6d9c51899630ca2df11132173c1d3313f0564 |
| SHA256 | c9cceee0978c9be291e25e27517ca52a9f537cfac240c14c5cedd3c74096b9af |
| SHA512 | e6081fbaf18e0231fe2dae650374cc28e2afc1478ac2b1f573da09dcd52537b8ae2502ec696f368b140ac9d3faee8f1ed3f1c154ebe614d179567f934a43533f |
C:\Users\Admin\AppData\Local\Temp\wAsy.exe
| MD5 | 54967c1bff045189f5d777af9087420b |
| SHA1 | f6d06117204d017efe2fdd6e8a4b644514dc1b32 |
| SHA256 | 0d9236bbc21337145f9f992f8f98be5715a40f04a78e2bdc303615b5b39cf445 |
| SHA512 | 1683a7fa8684222b5b067c3fb400bae4d62a0cdb98affce133be81ce68856405df458fee91ab3117e2551287e5c892042e4224581c556d13bcf8da9a72c34542 |
C:\Users\Admin\AppData\Local\Temp\WAgm.exe
| MD5 | c697f0ac8d7a52c577bab0be7d3efd51 |
| SHA1 | df1ca580ca4bd3e9dc328f6b25079ca131379e2b |
| SHA256 | 21f9c47f604b66d3a859940e2489b0cda0622172e66ce42716b21ee48765e572 |
| SHA512 | 1b679e9f4f32f46ad8a98faabed9d07337a0f5dabbf36a15ef77889ac5600b5bf15318a909cd63fc05e3091877366c2984a73800d97540b36ac4e6aa3ce8f783 |
memory/2016-895-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\AEAW.exe
| MD5 | 56c181c44706d8dd97ca3a6a65a6c896 |
| SHA1 | 2a5935d1ddfba98ea1c763be756bd7782797cc6d |
| SHA256 | c1622752a566ab5cf150c523cb23973bd3d95ef4264180b04df80566133eaff7 |
| SHA512 | a735b5e649f1701d04395cb0dac53051f78bb8675303f9e655c225cb1c1bac11b82ea4897f6bd8d388b8a8590c0b0d394a72b6e07b9dee3423f83b43da06fad2 |
C:\Users\Admin\AppData\Local\Temp\sIMu.exe
| MD5 | fcaaa54eda036cd3f1ce3b282a038a1f |
| SHA1 | 5ad922f9c43c07463300e30780471e6bb32a6522 |
| SHA256 | db2437035f9b3a77a3bc6b58e5605bcdc41c8ad1a9b6846e692ccb33ed63b1e3 |
| SHA512 | 3d5c601182d117dbe1451ef0bcf8d85087bcb9f40e34e77ed42dfa44b7becbbcc2c5ec17840ec28a489960973de025062e0e8653a3a43fedf0c459897802fd6f |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\alertIcon.png.exe
| MD5 | be58dd9e0d98823f266302378cab0d41 |
| SHA1 | de03c814c1d91268ea8305b19d48a054f1d869ad |
| SHA256 | bdeb903c13d9a070dd9abef67a411c139db9710dc09aaaa42c0f1bfb675c2f80 |
| SHA512 | e01a272839f5101ed5a8bcc4338f612fa3c759c9146068d0ac36034f24b9acc7c27fd1206492ef363b14c387fd062ec3c970ae398b32f269357e7b9306fdf90f |
memory/1508-931-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\isEk.exe
| MD5 | 9cc20693bb03f431b0817547aaf5345e |
| SHA1 | 8551178820125a519824b31b82f1a645ce3866aa |
| SHA256 | 421d4da7691989428225c697eafecfbb5e05856a22fe5a0ca5118b21a047c4c7 |
| SHA512 | 69695eb992af0ecfbb9b1def92d4eec4f5a06b37fe9f75c497b74ca55c2881724a56b3d79a381f0ad38fb0897f3405903b58c5b144bc7588d6f27ea655dc05c4 |
C:\Users\Admin\AppData\Local\Temp\WoIw.exe
| MD5 | 608d3b0a2aa997778baeb4d2b1b81b83 |
| SHA1 | 8f729efe3d75772487bda1767f691f740036bdf4 |
| SHA256 | e2b8b3c58b94aa9fd20ca01eab27cdce222686f1970a9b4790e0e93846bc3605 |
| SHA512 | d71ddd41f7ca9c8ef7b572595b2e7ecff361d215cbfcf2c0cf2746152c71c2cedea3b9d911224e2165262de745190a5c7a7dd85f6d211966de74bfc4781d8736 |
C:\Users\Admin\AppData\Local\Temp\KkwI.exe
| MD5 | fa0e56b8443dc463a194a95c397b8707 |
| SHA1 | b4486f86b74841984f0b706e769e1f0d7dd803bb |
| SHA256 | 570d2a2732bcd3e2bc1a192ed617fe203e0ac873feff06d69f8008fc3b0b6e5d |
| SHA512 | 34f5e668b4f7976bb0615a44a837085dc73edf8e451ee728048f862889446a03d4c4113c98196df2d6c9b610c65635bd172a5ad6daa3dd14ca656557ba797111 |
C:\Users\Admin\AppData\Local\Temp\yokW.exe
| MD5 | 1b13c0c1103516ed685abbe53273d7dd |
| SHA1 | d970541992c34b2c79653ebf9b605f325b251191 |
| SHA256 | 9e8296effe70f53f835038ef39856d60d6af9a5a551d0416faea23a95d46c9e5 |
| SHA512 | 37c7b5c9a89b525c0b5eb3a9a56b8ff9bea3b16e1c1e0f3dc918bcc5023e03ffd7324288618a5c8f6c40f5d0d5b59a24f130f552a77ae1ef93cfabaf742c0fc9 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AutoPlayOptIn.gif.exe
| MD5 | c8888efab6956da8cbeffba4d9bcc4a5 |
| SHA1 | 743b1c6ec715d65cbe587259cf673de82970f396 |
| SHA256 | 263098d2ccdae333133bfcbba7c39f862e0b04e37f9b38f696edec3d9686b113 |
| SHA512 | 6b77c146fd113d9dc034fab3ce2cf9337a00c5f16034c50f492437c11e6722c36b3a3578be52a69ae7169eb6a38bfc7cc3aee581310eb934c7e85d47d6559563 |
C:\Users\Admin\AppData\Local\Temp\WsQc.exe
| MD5 | f8fa980504d6a606c1fae6f2117e6e2e |
| SHA1 | b20d2945461d790de6de58cbd7199cdb66dd2e11 |
| SHA256 | 3587f1471be10dd5942920dc9c500f811aefc6578dac9d57668ee25df810e108 |
| SHA512 | 1db6feeb8e709ba597e13cf2d62bb74426e3f7fe1589b987f77c41393789b6dfc8538ab9e1af918fe5ba0ab11fee8e0dcd689f218f8551f8482a5f5877eb81b6 |
memory/3596-1023-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\iwEI.exe
| MD5 | ada3aaeec18eaa9c413cbd0e88e90524 |
| SHA1 | 922b68fc1aecf7015e651769c8971dc9ae881189 |
| SHA256 | dbf2fe2c4bf7be641652cc872415e48d690d286e852bdd637e1ee89c56bd1df3 |
| SHA512 | 8a789f4c74852fcb85f0e639390f03ed136b6f6b0a9b8e2cdb15b97cb30b4729038ede946e4711de6a2d931a9bca0bf333d5540eb790ac91c33be163990ba4b0 |
memory/1048-1038-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Okgy.exe
| MD5 | 4bcc48bddfcbab94c5e34c6c74b689c4 |
| SHA1 | ad051c95ce0c5f0113a0aa81bfaa529bb8c77e0c |
| SHA256 | 709a43c283b5ebc36431dfd72960d0ee017cac2e1cd61f7871613a3cfc26cb8b |
| SHA512 | 870d141a7f9e5c99e8624978d3ec126b29ce166fa8b2a9e513bc481119ea2a316f2a6121fba71ded487f438215c4aa48344c6b33f0c49601ce9ad54c3fa21952 |
C:\Users\Admin\AppData\Local\Temp\soYE.exe
| MD5 | ab780cd3b52f5a16b3552cad5812e0c5 |
| SHA1 | 973b2a6b2c609cdb24df5c33b30b2b2b431789e4 |
| SHA256 | 6be2c0c5aae194a1827a5f0459089d1c4425123cd8c9a03c4ca83c4cc888c47f |
| SHA512 | 788fdd0e1205d01f7efed03c5a439af4e86ff83199f85bb0901a169c04282d6731ddd2b1c963a3b3d2d009738bd5d16ce5c6e09702e50d57c484c88121170ecf |
memory/1048-1086-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\SUEO.exe
| MD5 | bcfa770aa2f3e1948ecacfa91a4b1245 |
| SHA1 | f57c16cdab80e95393ddb16e721b0a9745aff97e |
| SHA256 | 1dd010491385044a497c43df688b8158b5e094e055a430cd0ddbe12957739042 |
| SHA512 | 71f2007f4dadd98687e50347a99938d31378b4c838627ab38cf5643b738d49fca10b63b1e8d14fade3619d9886ddaa531523c24ed24a76f90720b59b2d0e950e |
C:\Users\Admin\AppData\Local\Temp\qssA.exe
| MD5 | c1cb41c4fe5e550b27a9a2863f9f7944 |
| SHA1 | a83876b05e805b2fdb080133156e166237153908 |
| SHA256 | 7ba9da3a464ae9737e159d6cd7c4d8fb3ade5c89703b13c8974cf08b9ad4b4f8 |
| SHA512 | eceee1318c786360f1fcce065f08a5be427a4f16c9bb2f9df08f0cee379317e0c6d696d8b934aec72af8621f05b495c01d2e7c0ed8cb9353634c0ba51e701abf |
C:\Users\Admin\AppData\Local\Temp\kcEE.exe
| MD5 | fd2fc5a125837289c148241dc7e43714 |
| SHA1 | ace538216e158c07bbc805590da0e6f2a4a4eb92 |
| SHA256 | 9ee790eb1466e4e0c64a8c93abb09cde5d92983144177c12c95bd86b8656ff18 |
| SHA512 | 770df64b8080111c13ce928f035b9c032ee2d6605ccd595d293d0707c72912b34fb83c0ee1966684b1aab79a1419a7b77f49c47f7bc99669a143edd95d8d294b |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMScanExclusionToast.png.exe
| MD5 | 3866e9eea6a4cbab35a117e5115cb504 |
| SHA1 | f357b49f615bbce290c32891f1d6169df9965360 |
| SHA256 | 51eb5a5fdd83b15fe4cdfe4948b65cb03e31ca9673ce627f13144e4ea9a9b761 |
| SHA512 | 13f198538c60fc844079c718cf88258396a59e193e918833e731d9d20bb87f39424f22a29802ec54b20d0a23320039f48aa6d572545a017bfc43c92b2fd05751 |
C:\Users\Admin\AppData\Local\Temp\IQse.exe
| MD5 | 83706d14eaa50255a3d37ccda0c6829e |
| SHA1 | 4fc53144ab63d26556fb1179acf0acd8ad0b1bdc |
| SHA256 | 518cf488cde7d739241dc1c99fa79d724d53865656e3ef5182f7a0f82177920a |
| SHA512 | 0a0aa0e59bc8659a0da524d4bfa258c915c91f9ce6f7b2eea29e725da639bcc95455df51e953ace8987707327f5bab79d388497aefd0d4c162f0138951949ba3 |
memory/5104-1149-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1648-1153-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\eIsW.exe
| MD5 | 02b43391a7c1248eb50fc7fc611a7eb5 |
| SHA1 | 64c316dea751c5d6d4c7b67c3c353b2a16d891ed |
| SHA256 | 57a0ce38291e4efa7d78ade603a386f57698d3680a85d79531df3cd7cb2517fc |
| SHA512 | 55c2a7e31d91b5f6d3e0b9559704732940a82850c5411be76a4ff5028a577e0ecb1a4c0d7a54e559d35eaec17c5e70de09024fcc948bcf761eae0ba67e55e895 |
C:\Users\Admin\AppData\Local\Temp\mIkq.exe
| MD5 | 420f104ea4a06d6bb0fccca34a7ba518 |
| SHA1 | 0fdd68493731b2b9e5e049ad517116b3baa5041a |
| SHA256 | a65430e1b04efa51ed441de7dcf934758785c20451f18574972679464ce019bb |
| SHA512 | 77237bc80162c32cb39a753e848796610aeb7988d0af77fa6de982f5edbe4f3ba6354d1e72f387f5453c301b87fd49f6c0c177a34f87f2ed7289b3e6fac1331f |
C:\Users\Admin\AppData\Local\Temp\eYEC.exe
| MD5 | 8527615f1f61cb54d879706b4f88f00f |
| SHA1 | b7630daae5e974313075d3112281139b5f1f62c7 |
| SHA256 | 45ca6dcbf5fb9c79b3f50e760c74e813af130d5ae6bd30107b1ff9f4a71c2224 |
| SHA512 | 98db65b196f31b2583ca88ee772ac66ca9686108aa891776eadafd0dc0541844df25eab0bb5d3eb89a08ce9f0fa47acc6abe61305b50281d03a580042dd2bade |
memory/5104-1207-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\qkEg.exe
| MD5 | 8dbdb004e9f0824d999c0fb7f79eb923 |
| SHA1 | da5884026c0970ef606676f0864d1320db306d78 |
| SHA256 | afc071c81d1248c84ce63158df02b39f9b836b8f0ddbca1f57f97545e46e4bf0 |
| SHA512 | 70d5321523ebb7b874757eeae983b60e02e8f049e563e24739c95e901447bc4ed3753b5222b33690d732e7c5a838817e6227b4e75c7eb0878c625708c7b1bd0d |
C:\Users\Admin\AppData\Local\Temp\uAcM.exe
| MD5 | d95fe84e181d1aa3274d0493da1ce7ce |
| SHA1 | 08f829d99dfaa047d7dae80d0178698b0ddf1ad6 |
| SHA256 | 4fa46b97fe5a262acb1995ee246bcb8235c2e707af3e016302423e2437a86209 |
| SHA512 | 3885f8726b91dba10bbf4de6cecb6ede6d527d920d93ed737d28288a3a12bde69d8983152e8833661696c09724a778c24b8260a304b6daebf154fae5ee55ce0b |
C:\Users\Admin\AppData\Local\Temp\Yssc.exe
| MD5 | 5c49c3d27f59b25108bc81a313d33d4c |
| SHA1 | e36ae97abaa68ee8fdaaf76da3fe78bbacf7bd12 |
| SHA256 | 17230b9899831c514701b43f24db9cbf7c4330575a73d8036e8a9746a62002f8 |
| SHA512 | 97adaf6a51bb8ec14ec24ce9c2207a0ef4dd726b560329d5a22e206cebbe43e499c199dcd981a16e445de746a9bf434615d5acbe9c2199bd3ad1f9877bd9ebdf |
C:\Users\Admin\AppData\Local\Temp\aUUm.exe
| MD5 | 3d43e5a172e5a394b400da38a0b9a5ea |
| SHA1 | 6a19b476da0792af83f2465f357fcfcbc7e86e14 |
| SHA256 | ea17e8cd96f0304be21801ea768fa8e500440fc6785edc12a2eb978ce526c73d |
| SHA512 | ce4894456f73528aae574c576a5353c416a8bf6e881c2fff5e0e3f1d41ef8a26608b2e22f4b48a8fa0a76b2601684d9c4cbb7c60f51ac4f1b6459bb75fbfe7fc |
C:\Users\Admin\AppData\Local\Temp\WMEE.exe
| MD5 | 9538332bf013344a5500453c6c963b28 |
| SHA1 | 591160279362ef2ba321d41bf6470b1842ed5e66 |
| SHA256 | a665b2d3b3ed5715dd17aa93cae43759c459b80dceadfbbc6ad4ee267f3bb0fc |
| SHA512 | 572362e7640690b5d6fe53017c108ed8a8c5300986c23d4d58ded1112321682e4a0ebf9a8f8d48509abbe54ea374c80025d1b76cc2c7231332521bef9f665402 |
memory/2220-1280-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\kAUm.exe
| MD5 | 52e0557534d2ed84c32969341dba062d |
| SHA1 | 4a5c07317aa2ad9cd997433853e6b39e1c3e6e1e |
| SHA256 | e356a91b7a1c6337d7a06a3f8ef84fadefcf097f9663f2dd5239995fff2db348 |
| SHA512 | 66d96fe94e1ab3d03e8e4b1b5d50c496b1df870fc7e4e9411ebd0b861e41f181e7361f67825c8aa59bb414cb10ddad6655556ab2b5af3a149e8b92188ff2da97 |
C:\Users\Admin\AppData\Local\Temp\oIYU.exe
| MD5 | ba82cd1e687c4c5985c6b63f2a252ea8 |
| SHA1 | 6700377d22a16b146d8d8a34f5436ae471d31c3e |
| SHA256 | fc67fd330eaea8df7441e28391c26fc3554a92ebcfd7539b1d9f88b86b97bfb4 |
| SHA512 | 70bb7276492c718b219dcce4da987c25522155e62a3fbbe433101fe27fb31414fbbfec82cb66c8c5fd8d75604405e1a967d6b302e0b716d8883e3b5523649119 |
C:\Users\Admin\AppData\Local\Temp\EYUm.exe
| MD5 | 199ebb1fafe7532fd4da805cfae6bf89 |
| SHA1 | d0b9851a6d9702831e125c9e75ce3db51248585a |
| SHA256 | 173294d6836a121a6b131205984a87ba816cb964791f70c6dcb3fb474da483db |
| SHA512 | ebb57099e2606d6bf3a222fb97e22294ce03234bcbeeac5b9cc97662116ae8f54a33ad277c13a9730c636a0796fa26385a5187b57fd012b7e6055dd897568bda |
C:\Users\Admin\AppData\Local\Temp\AIYa.exe
| MD5 | 09517ca6c7825205d3aa7ef030841976 |
| SHA1 | 5c656b0ce8e369c618e97637b39f58fb892dd5cf |
| SHA256 | 659020c98dd796bd48342d4cfcfafd233bd541ac6be8a43fcd864194741a31e5 |
| SHA512 | b7f21fefd9fc5572d0edb873343cc8694a3ee51c841d8de563c08cf5a7f00ec4f46c52ed981bce08172b4c0ce54b3054642ec05a98c3685d99145392f6d614b2 |
memory/2404-1342-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\QYIG.exe
| MD5 | 48e2c0e0d15ad8161b79cafbe1a4f728 |
| SHA1 | d6ed13e489da506e26227a8b323cad608591152f |
| SHA256 | 0e13be14140c2c5f4a25eced6b06d39695cf3ffc1a834b72c49d36e84813dfb7 |
| SHA512 | 07ed90b957d658e383875218c6f5d1f7ed90b07cd2d263c83fee445a6fdd8332b4a7c89190a7027ffd7d111cec31f07cb47202de998e70c54bd9887bf242c459 |
C:\Users\Admin\AppData\Local\Temp\qoAe.exe
| MD5 | 61b45cb6e8db9a630a9886c8b7844b57 |
| SHA1 | a250ba09be5c7ab8d5b3e6b84d5532513055e8a5 |
| SHA256 | 055d24f29a154c7fbc3d8ab0afb045aeb232922222f3012c02d30d109bc9b091 |
| SHA512 | c314e7c866ea74e557cf6a127d7edec65c40ed7e3549cf674380a0f824d95bfd090ad45511e61b2207abf3f7cb6508cab18718383a006900b6de911cab63a00f |
C:\Users\Admin\AppData\Local\Temp\KAEI.exe
| MD5 | bb429d7d64c4d1654dba065cc8c0cf2f |
| SHA1 | ebe02b918384fd9103c7313c7243ec9f5043856d |
| SHA256 | 58ce1442edbbc409748024894dd3f9315eccd3fe3aadf2221b22ab4162143abc |
| SHA512 | 54c15ee33f02dd03d38d584f319f36ea65799b6f04519849972a1281b645d0454ccd83970790880e6000a0d76d33302fcd985e0b41292d7608ab29817a48f2c0 |
C:\Users\Admin\AppData\Local\Temp\gAMq.exe
| MD5 | 475383b7abf67813d52fa5e93f3eeb36 |
| SHA1 | b385ab722b577b4a01e472ef8390893459b236cb |
| SHA256 | 9652374f51210ecce551942f5cea3d96f86ba239d356aa9f234176d0a8742487 |
| SHA512 | ef2cb5c815a2050ac6a715da276fd3a84e3de40723d71bf3c71f2bc236cd35b8f68ba26ef951f236a3c9c4058160db559296d2f24f98976d6bb15b5547ed1055 |
memory/3568-1405-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\UIwo.exe
| MD5 | 43fb1178621ea6c8f877b57720aab9f0 |
| SHA1 | 8104c2b5b046cb17f7460732e5922779266b55f4 |
| SHA256 | a703fdd20718e679665eaf4004411356e02bce71ed1542cb63699f276829408e |
| SHA512 | a4fef112b56a5d34a4c8b5959e82dfaeeeffff51741c5b4d51c46344f218464385940c9ead125336a941042a430432892a0745b8a97e89ff75d366f79dc6a8cd |
C:\Users\Admin\AppData\Local\Temp\EkYe.exe
| MD5 | 7151403f62c5f2092a0acbd1d16822a6 |
| SHA1 | 88e142786dc4e35aebf97e94b39beb2b03f568ec |
| SHA256 | ce1a2f4c551d4ce317b9c468472a4fd7157525e8a9dae68e5ba80de80bfaf383 |
| SHA512 | 240498db2dea7e3272418dbd7bfe6229e126598890434d03f2e3a3dc177336dc6ff59cf3d9e1875af2bfcc84b4248694a4821ae093ced68dd71b8380e4e2061c |
C:\Users\Admin\AppData\Local\Temp\swYA.exe
| MD5 | 18d5e618d59a3940ea3c8f7c6ef4bf2f |
| SHA1 | beec18b7103e931da357fe30de079ab15586b157 |
| SHA256 | fb936c7156fe881afaacc0eb33e521d77e5ddc168d4b0c5d877edca1c59b8792 |
| SHA512 | 838d00974c3b8ff9b50484785a94c51affaab26f4018b1e7bf6c599e645f6d5c4f6cf971b8ad646154b07bbdd5ab422bda705d8e2eb896294b92d6b938e29aec |
C:\Users\Admin\AppData\Local\Temp\accc.exe
| MD5 | ab533f42c2a4118fcaff7aaa19a79bf5 |
| SHA1 | b8f6b013e4e6c39d0023df76939aa587a5f80168 |
| SHA256 | 0763ed778d93000b7530d903afc75daed9c80dee41b5d9270da1cd9a67357fca |
| SHA512 | 67cfeda3cbf41b709a0742ec8f7b2557fda2141519d732ba828ec9a50821383bca1e0d4fe16ee16617e4bf964f4c8da649ff3184e408c491ddcc64f5c54613a5 |
memory/1420-1470-0x0000000000400000-0x000000000042B000-memory.dmp
memory/5004-1469-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\mgYg.exe
| MD5 | efa3f4521c4b1f0a6cbbf7bc01debf8b |
| SHA1 | 363f99a3f35f685a0da978e7d3477501413eeb95 |
| SHA256 | e34e2a96a71e965d2d23fa90ff0ace399d59af833ccc3cb4ff27e6a079fd63a8 |
| SHA512 | c1764109503c177933fda1a72a0ac8dd3e37a836a57e14882af197dd64b23d5aba5b5e508e8888623b335751818b16c64e8f856e2045474a22257dd46da39e66 |
C:\Users\Admin\AppData\Local\Temp\QUIU.exe
| MD5 | 42f9bce1ba2ad651710776f52a2abe9b |
| SHA1 | 1ed9625899332db21c1c3fa309b56315f899253c |
| SHA256 | 5a3a8a6f828cc1d769e1bef685a2d75acabee827a3bf9f71241ab4b468aed1a5 |
| SHA512 | 1da69a691c86a2bf3ab981db0e44523aa57012e9fcbbc5b36742389a3930343fe1b9e2713a463b6e57bb7bfdebf01e0520cca3ac9859f2f7687fb9a26497d08e |
C:\Users\Admin\AppData\Local\Temp\qQQQ.exe
| MD5 | a049152537f5b7169e541c2a667c68fe |
| SHA1 | f375f796d72a6aa25195d3cb4b7797a5cd97eb2c |
| SHA256 | 90bd75f06f963bacc0239eb52f1c770f019b5fcedb7aa3fe7a9c34fb5c9ac90c |
| SHA512 | 3f48045ff4b45f0c00f16ae0764f63fb505e26932561bff732da825ca7c3bb01dbe850dd417ad7beb931369ad12c811c25ef0c26333c32c488b1397e2eb2a3ce |
C:\Users\Admin\AppData\Local\Temp\yoAQ.exe
| MD5 | b732c5e85b0f39819e869766efdf07d7 |
| SHA1 | 584911d3aed472f5b3f554247959dfdd2d5b6e55 |
| SHA256 | 863f22d62be62a7a355be3b4ca2e9e002ff27f9c822ef55775f47a683c74467f |
| SHA512 | 7f49c8a40defac18a998d6f33adb9a657e629de91649df25d42b4cb719d19d0b76f9bca939680714bc4324b39777e94e83a7f965879f13b0263c4104447b65be |
memory/5004-1534-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\woco.exe
| MD5 | 2272818ca410ae0c2374923c7028db5b |
| SHA1 | effd8abd798acb568e0662a948a0b8b3867ddde7 |
| SHA256 | 6068a4d028c71b382f9dbbf99420a5cedec3dfe2e5d00c89e7e2630c258c946d |
| SHA512 | 8a97511f7b71f0ca2762e4b42462d3e6624817830b36f3aa8e1545f87e183f39b2d0671c56fcaec2ae4c27016df215bb9fa6cd5a98882ad40df0462bbb65f179 |
C:\Users\Admin\AppData\Local\Temp\qogc.exe
| MD5 | 81a0047c5d41ae4f7a5edaedf5bb147d |
| SHA1 | aa66eae8f4d03aee8c18d83fc0c9affdd4c96649 |
| SHA256 | b1271a7001dac1bbda20fb790404c63bd98af0d4d7e2c11fd96fee64e3201aaf |
| SHA512 | a9f14f4cbf1f7682dbe6760d626b25e00c1b7f0b4e4feeb42795beae18e91cf8bf4b5e8cf324320d1ed4e11189ddd569f5f083abeee3a14fb4958b62d4b88031 |
C:\Users\Admin\AppData\Local\Temp\eoIG.exe
| MD5 | 69eb204a3723726add799220fb9cb964 |
| SHA1 | c8f50e576579c4374751571a87bf53eab007e56a |
| SHA256 | 7c3aa9fbc144df1b56b9d7b233e8f3f1ed56b942bc4e3693afec0d30fb5c99f7 |
| SHA512 | 1f7de18dba62d571dc397cd6c84e95d4fce659e2c2ef4cd47b3ec9226b5935c566ebd531099eac71612a6a14dde6986d9bc7da752c8da1b142603718475943f2 |
C:\Users\Admin\AppData\Local\Temp\yske.exe
| MD5 | dc5042781339300cd9fbf3453c0cb7fe |
| SHA1 | 914aad3938ca32da40f849ef26a3791454b550e6 |
| SHA256 | 452202c3141a71f5571e8e41f3f053001252b96e236615649b2731f04d7cc4fa |
| SHA512 | 60f3a41b1d76c52f34924251750b1d180cf8b9adfe545670ae0699f24cc239d934d8b2fe6eba6ca655299cd2749c1f2dc6f929d5db9a83f9ecbdd1e956621cea |
memory/2840-1596-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\eUEk.exe
| MD5 | 571eccd6022d307cded59d8b53348975 |
| SHA1 | 3731c18ff29ebc8546e51a2c56e473433b055ddf |
| SHA256 | 36dce37e5c0292366fe27848f18b52ae2e0d39ce9a7a95461607731124028c53 |
| SHA512 | fba63c43520ec897b3668cc540ed4ddc3553c0367dcbb727270b6f114b32780a906fb9332cb36dd937335981dfe2a763bb19c029e617671601dd6403ec64d585 |
C:\Users\Admin\AppData\Local\Temp\IcoQ.exe
| MD5 | 621e524b059d187b8ca1e6c130c410c1 |
| SHA1 | dc1972d71ebcfc3a5165697dafa7f81eb2228c5f |
| SHA256 | 10fc53c235d0c630c0abf634309e8b40bdfa268b2aec2ac73e22e01cc34067c7 |
| SHA512 | 4b9270fdd88ca6ae391719dfbddfdc682e9c5771222244ce0b6ef510b2c9bba9c4d7310e8a4a088cec9c72536f07898c8dfb8df17293698f62287599a1e0c419 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-100.png.exe
| MD5 | f5d1d777c32c9de991fbdc6cd26b5bfc |
| SHA1 | 602280fdac05dd822a9d66fbb9dbd51417d1ce27 |
| SHA256 | cd4fef04d481b96221eec98f4e2fd59a952e526857f68f7940a9ba5e6b013564 |
| SHA512 | 48be1b98d219a6f4a301ecf5fe852c36eed2f6b3e4547730204702a2d7b7251aa58e053e1e4c68a874db22889a6c5362cbe5e5f9879a53d75be588b3c60a902f |
C:\Users\Admin\AppData\Local\Temp\IIcM.exe
| MD5 | 946e5a1d3dcd528a965b509c8db5d499 |
| SHA1 | 31257df1da2ae5a722aa801b7c4a63f3ee315f16 |
| SHA256 | f4a1ac6cdcb5161467b6c0a8af2e5841f25d6213dde4fc15e6498f3cf91dbdea |
| SHA512 | ceed2f03d7a0feafefe0b8ed7eb85751817ff7c14a1224e374fdb464a48519164bbdabe8031d8f41fa6bcfb5362ad154b05cbe4285277eda837cc862d04282ba |
C:\Users\Admin\AppData\Local\Temp\YcAq.exe
| MD5 | 1b64ed1a34211cae52e35a6c11de5f28 |
| SHA1 | 9a25ce071873c0f828df2c29ba02baff44c92af0 |
| SHA256 | 2f106de1429dfa160adc7ee9e808c6373ac028897aa4e8baa6163f2f641acd3f |
| SHA512 | 1d1da341d537340f400b4f21e5b298cbb9499756af62878dabb585caeee34764e281106755b24cc664cd6a5d3fd90bf1f198f3f6988ee7340cb7d37640faddcf |
memory/400-1679-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\UIkI.exe
| MD5 | 6cc0e0c928f0053fe9fc1612a009ad5e |
| SHA1 | 45b945a8f0b880625052f469b739250e0150dc6d |
| SHA256 | 3f46a7cbe7d3048019dc061cdaf3e64d626eb14f174e43dde53bf7b26f90fc00 |
| SHA512 | 6092605022904ce69153d9545b185c97309fc0c8647d93533fa66f79382b5b91aa9213ae0077a7f64f3bbdb74a127dd07273b50c4d8fb0779fbd3af3f90ce477 |
memory/3108-1703-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ugMW.exe
| MD5 | 9133660d8eaef9b5f3a514368ab7c348 |
| SHA1 | 99f9b8f23740758bdfbc6954283c462ddc0cb290 |
| SHA256 | bdaf9642e5b0b6223e7816752e874a2d5fb521ec11178c1f7478a7522e5769a2 |
| SHA512 | fcd3c159915285ef446d0d81c32359100f7ae903e68f3835f258b64296b6440a31ff88e1b2981c73edab0177f339067be04f5f4018b00546b4963d4b263014f8 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
| MD5 | 978fb59749b26c848475fefa53262be1 |
| SHA1 | 812f18f658ce7081ba3d1ea183e327cc39da2893 |
| SHA256 | 1f0203e9bdf1884f70e5b0e2c3410dcd5dc69b044556b8286e13a29b1c0c7d40 |
| SHA512 | ef937ad876c83203321663c155e205c551782821653a9808cb0cabcf9136f91e5aa0c406dc1d9681051ff8f50ee95b5e269e5cd8a468e9a077e8ef33cbd3dbbc |
C:\Users\Admin\AppData\Local\Temp\mcwE.exe
| MD5 | 8f4a8974ba02487bd0cb31110b7a31e8 |
| SHA1 | b8b0a97b1c8f4ae81c9094f643ab49be91ee9f83 |
| SHA256 | ac77f2bf820f2b6485bdb84a5ec2b96bc0eb6d0b1f044b36052a6ca8b0689238 |
| SHA512 | 64b16a72ceccea15860f1bb3271cf4c8a886771c99c1f7b781a38bb38687ceb3ab645dcc3e7b1f96f177f7fc8ddff1bcb3a551257f68dc078e4efb44643dc551 |
memory/3108-1739-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Mwko.exe
| MD5 | 4ce95e773740511b3e489093f169fa60 |
| SHA1 | fa48403b6a80d0bcd3ee9643cd2b85a3d3ea8497 |
| SHA256 | 9286246057c20496d00c2eebf6d6963a3d506cb1bbdebc47b074483842c6b533 |
| SHA512 | 146349c73f9d1cc5512c81242ad6e6fc3d845aa3cfd4fdf5b4c2d1d7e471fe9d3a79066a6aa91d2ce536dec41bd0bfa2bc7705f744f261d119d70223262384ff |
C:\Users\Admin\AppData\Local\Temp\ioMQ.exe
| MD5 | c4cbfb9412462a4bef5b339a1f6129d6 |
| SHA1 | ec847ac5a2ebeea27595602674667675cefb8f65 |
| SHA256 | 98ca3aedbcefdd82ab2e2f5392d8f91648bf8ebe73a2dcce529c02041121492e |
| SHA512 | 22201dfeeb19ce755026ce3952dc4eadb41daa0ad42e279b43a9591afcad1616d2072601ebd9ef188810a3c704cba21d6e6c7678cc754ad0acb294641c3b1e20 |
C:\Users\Admin\AppData\Local\Temp\wQoY.exe
| MD5 | 66f92439854074db98b319441974afb0 |
| SHA1 | 85c73b2c22f56903fc251e5bbd6fa844d7232a48 |
| SHA256 | 4c884e128014be81fc21c6be492151dc759daa7b333189978f1c3af8bf1de2ae |
| SHA512 | 2c262adfac101d836fea3252883d4c167a8e18b24c974951d56cbe7eb09b44c15f9a8409224ab1b045dac0d0213ed58952e576a190a0bc3b65c01627cdf3910e |
memory/3988-1789-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\wEIQ.exe
| MD5 | 021c8450caa9c2b32542d30ca3b3da8e |
| SHA1 | 0213cd04a4516f3985240f4d057ee53bfcb472cf |
| SHA256 | 65a08a675c758a71536748bd75341e81487bfe4bb1a49388376d27ca1939b411 |
| SHA512 | c5a00e7960d01ad80929e19b17dbb91b8b0296176cf4c13219eece7cc7715bba25adbfb674e9664cee958e6e1fbb7940e83acadf117746b8874290dd74f4cb1c |
C:\Users\Admin\AppData\Local\Temp\sMsm.exe
| MD5 | ea4b1d56c91fe07ede8c766a822be94a |
| SHA1 | 7fd19d1572a68b8d0e0ea4df82eae26bcd870492 |
| SHA256 | 746a460fe292cb55e4a9294a7ba59f6943cf09a9b1ccb6e7bfb79c8514f23a6a |
| SHA512 | 81ef1a9b2baf6a316838be59a9d9f8f85c164a0b4fc824c38890f2db2c78c68b9dc5e8b27b1dc66f4e8296c9c5098509f39fedd0d55c5b23a21bad8dcf0123d1 |
C:\Users\Admin\AppData\Local\Temp\uMgI.exe
| MD5 | 9b5fd4022d327a6523dd4d4506dea70e |
| SHA1 | 1ee15fc3b41898b5d3fa514540b0ff4e21f860c0 |
| SHA256 | 11aa314b632441d7fe02bc742f581434b9ac3e931a50d85aa8cefd1803be786b |
| SHA512 | 7ffedb188502b0eed1512491478735a9a09af4e5e463a62e28a2eac7012214d894b0cc4dd336b5bfa365b8b4b346bd8928e42e1b233513f2263f3bf3a540f9c7 |
memory/4432-1838-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\kwwi.exe
| MD5 | 359b6253b09bddb35c3f1742868ee41e |
| SHA1 | 1bd2c98aa0a3d702f1aac8c7233976689ec03c2f |
| SHA256 | 6d3983372612a60c8632be4d03d134dcf717bd70c680e4fc12203a55674f94d7 |
| SHA512 | d6796abdc7c4aa8a44836793980038acdb58ee09dd805a0640b16e2b3c1c2e791f342565ee1ea82dc5a4b8abd078c04c5f3f8e9c880b724d8a3e157a5dfe3a35 |
C:\Users\Admin\AppData\Local\Temp\EQsU.exe
| MD5 | efd1795747af3f3639f72c00c1085ad2 |
| SHA1 | 4dcbffc62b9a9c2234c2f611d56d48f63392fc57 |
| SHA256 | 596756797e21432f635710f7bac48f554c54939a3ef04f7944892e6c72ea4acd |
| SHA512 | 725e8b66354ccce8e5eb06e95262d7c2aae50ae75312343060f0b2bef1ec6ebeada061e674e2c3e579a4cbdf1831850f878429cb904ad0772176b73b185a2474 |
memory/3052-1883-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\SAUk.exe
| MD5 | 070f683697aed63541bfaaf1c38fa5db |
| SHA1 | b0dad3505851aa3bcbe922e6c3b57a851327be17 |
| SHA256 | 4a172a0a9aae40d282b06a9a0373a489375a225fab2ef2fee3b222f5b710bda6 |
| SHA512 | a18a5d7abd1a66620834e9787a8229d3df6ab3784d10dd7fea755823a0f2d81d25245815c169c1cb4bba15005fc32c659b2100bdf2217d58259a12fd681a4273 |
memory/4744-1889-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\GIsw.exe
| MD5 | 24fd82e567c8bf703d6a4b1ed8687267 |
| SHA1 | c743e5103ca24f93d8a5fc90ab6803d5ab965209 |
| SHA256 | 280b95b81f361f6c25a7cff10655166afd96cc3fd6398667f20911022f91a789 |
| SHA512 | bcfe5a644a7ba4cec7abed4964971a8c210eda7fc1ca2b2a21c4cf8a333473b96134e1e0b32f833f2c21df6d4a8258778b4dd4dfec3b58e8a1fd707fb6993198 |
C:\Users\Admin\AppData\Local\Temp\EUkW.exe
| MD5 | 4b377a07bb24f1339681bc0196108fdd |
| SHA1 | d7abb9e0cb49def9b3ac59d292d71cbb4551d4e6 |
| SHA256 | d37cbde5a3c5d3b986f9ba68d23280d1724c4b98b60732e8c803feae4a8bc3ad |
| SHA512 | d25d067ce61053fa6d43c21f259175787f0a0f894f63d5adf8ca640d4e0908a221722c70e8982c82aab7d273034612d4f74ed33eabb2f520a93bb0ed88475142 |
C:\Users\Admin\AppData\Local\Temp\qQgk.exe
| MD5 | 6a3af0255b57916b79d4fc8a760e3d1b |
| SHA1 | adf1706cacda7782f8f5c21d2407c085b412dea0 |
| SHA256 | 1258a3bac36fa9c6e56b99cb8a3b7c1acfca70579fbb53022e7cec9c1bcbaf07 |
| SHA512 | 7a84c91b43489ea979912b919b6dbe50959c3782f452ac6fd73c5ee479822b570fce730982bd5075ce3799ca4046fa799623e86104ad478fae175a65f9905380 |
memory/4992-1937-0x0000000000400000-0x000000000042B000-memory.dmp
memory/4744-1940-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\osgq.exe
| MD5 | cae943391b8b3d404134bad0d780bbd1 |
| SHA1 | 5a3f9849641141ea8e0f8dfb71c58ad97a8fefbc |
| SHA256 | 00c31fa2a34050af15818bed6512d0e762f72804bf37ee1a206aaf82071b96a9 |
| SHA512 | e34d37205c1be1e489e8a35d15e046709a64a46cdafc5fb018cae6856ea64ce6feb45e468b0dbd2eed24295b05f78dafee875addbed8b00df1a409fac88154fa |
C:\Users\Admin\AppData\Local\Temp\QYcy.exe
| MD5 | f1fd0acd07205de7ddfefd22eb69eec7 |
| SHA1 | 761c42c6422029eb6fd556c08de78687819166c2 |
| SHA256 | 4c7748f6a4bef7dfed9ad0a4ff34335fef5cbb856e5b200d1b1fadb009601f37 |
| SHA512 | 49c95e785878146637de13c45f3e5b6a5113ac6678da9c615827c7cffca72285b89ed2a73c89c2aa2ac9acff7f887300b20736359fa829dc980881d1b95d88e9 |
C:\Users\Admin\AppData\Local\Temp\sUEu.exe
| MD5 | 75252f944621fabe3c5e0205788d846d |
| SHA1 | 0cd2b34ef558008099fea7f5aa24dbcb2cafd35e |
| SHA256 | 9c21177af07bf71a8be1c8c369a2a9d84d3f9d4aa3d2fe2b2711ebc9ce872db3 |
| SHA512 | 4b977967483faafeeadc394f9c5ccfe2d40e60abed14c1fee533a392f53aed24420b7db8dbff6ed3bcc896afc705b002553724c414a03cc1cb003fd300250bea |
memory/4992-1990-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\oQoI.exe
| MD5 | 68210cda085d6f028bdec06ba5c449c5 |
| SHA1 | 096277f3507bc97491bf2e16ef172897c1725fda |
| SHA256 | d11917851961a72bef46222bb270d62eca715d68cbc41ab502173df7258142d8 |
| SHA512 | 806037e549d78bfd8fce2d5b03191858b3f0819a13eaa250ff3a8ac91113c59838e26b8c3f9edcc84bafd5ec5acd1f922b5d158b44bce041b1f2afad152c87a0 |
C:\Users\Admin\Pictures\FormatClear.png.exe
| MD5 | 857af3564ceb54745ac2c25fac75b2de |
| SHA1 | 006b43c8237aba287b991e9ccfbc226752f4432a |
| SHA256 | 4600890554b361a1e2a9c3574b19258f7b20a4fa4ba9feb1a457ac27ba55a2aa |
| SHA512 | 99c9a9d0a541ac414f6ecc447456b6c243f0214b3fcbf42ad3c8519f8e0e53aebd19819fe59c138a43eb08a6c34e9aff97abd23877e8e504a8d4e2a7562f1b5e |
C:\Users\Admin\AppData\Local\Temp\Ykwg.exe
| MD5 | 1150c0bb9a42b8e07c5653aa8c192748 |
| SHA1 | 29a5eb127cec45829d3ab3c7d2e2b53f7edb87a0 |
| SHA256 | 3f3c8f3fd2e98da1e72925caa86043c765e4d5e830612bab31f47ca56f5357b0 |
| SHA512 | 190c73a1a06d8ce7975c0f8e3c86358aa6d586cdea62f55ec71f3c58e06ed274a9f78403947003633b5f99dc40e75f07b3e6d0a9c92824b1a1a8961128c5cc9d |
C:\Users\Admin\Pictures\My Wallpaper.jpg.exe
| MD5 | a4450b8aa1c2b9684d6aaf3e00bf6d2e |
| SHA1 | eb9274dfb1a735e6d47f176911f70531b50d4186 |
| SHA256 | 47aef7b0ba7df981d79cb4ae47dcc1107cad1d2671a8e24c725734ed2dc9b300 |
| SHA512 | 04de0ec685015bdd417bdca4c389bf8809f9a0bc20b8599aa90cff67c03c735a693d01c0d26a2d86a057ac10b383b1b582ae6fc4212623a40723f2508a51df0a |
memory/1900-2057-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\YYAG.exe
| MD5 | 20acbe8a8b711a8e6bb262ce2aebf6bb |
| SHA1 | abbd25a55094e15d01c17695056e06b1205b45d6 |
| SHA256 | b80eb86364324d4b20eb12e7296aa5aa1da7b25ae23ee115c3213aa51967f92c |
| SHA512 | ddd6c06e728823f310d2fa2fa6d4638cc8b9dbaded1eaf67fe3621dbf7f31d5963dce62397cd9532113c82d47f6545cebc6aefd4994f4a93051bb11816f8b624 |
C:\Users\Admin\AppData\Local\Temp\GoUE.exe
| MD5 | f3d6add18af70a9a502df8367162b439 |
| SHA1 | f196cdb1c72e68349ca2d7a82d00e4cf2b06aae3 |
| SHA256 | 1cbbd8eb045fedd74aea844d575f547d8496aaa84846b0db519287d50be8b54f |
| SHA512 | 31c51bdd20e69ca654b6c3003355266dcb650e0404271125776ed34a542e679f2c571892a645759d6db09f059bef266cfbaa09bc9e6fa2c6bb3b81035b93d4bf |
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe
| MD5 | 34ac624124d5971fe4f4a0cae88ed474 |
| SHA1 | abebab1c5258821f7ce9f835879f15c7e8161e2a |
| SHA256 | a3ba08af0478282cbc0ab073c91ec9e131750afbe2f3556560ef0bfd1462d5af |
| SHA512 | 530df47fd79228a225cc10ae552d7209237bc28e23b89c52a30d7800c8dc3b1cbada53518eb1df5b18cd8ed9d4756340d1a6fd14fd686b15890444409865048f |
C:\Users\Admin\AppData\Local\Temp\GsYU.exe
| MD5 | f7a5921473085083eb55b0cc034b1114 |
| SHA1 | 4bfc39d1a6125ea85f650e50430e9ba3ff8bc337 |
| SHA256 | 5d96f40de12d72aaa9d3b2f52058628f162cda228bf9ab080ade71cf535eba53 |
| SHA512 | 9232d6789f75d2eddc170d64337748f5119ed1d0aec3f5603fe2ed470acd8bf5f629f9305f9808d76e8f6b7abe2b642763c13104640989cf8b1fd0ab9af46f1a |
C:\Users\Admin\AppData\Local\Temp\ioke.exe
| MD5 | 95fdb4a877891e1d4ec36bb4c1853b3b |
| SHA1 | 281958b7280946da13df654029c18eb4648ace8c |
| SHA256 | 57dd2b77a681729a80ff3a24b728c02ae885ee42b9ed4dfc5d9d1017539cbef2 |
| SHA512 | c2c340093a9012b33c3e2baae8f9a60aec9c0bf128c3f6f9186c4d9c516f15eb520b6dd977e1f9a0ac6394c081d02c2979b8ae06bed9c000f3bd70e19c600f99 |
C:\Users\Admin\AppData\Local\Temp\iAoi.exe
| MD5 | b3c574411d4eee246390caab1bf13237 |
| SHA1 | d04f8dae44e743e6903bfcd5ffbb78d45307d0f8 |
| SHA256 | 53c9b0b9f3056a46d7081fe7a3be14c52d3b204057df57f34a6afaa34e7afa9c |
| SHA512 | 6cfcbc0d30e5de35479ff2f5b9d24ed82edcb754ff65913c7595ca151e69f8f33c94a04de1a9e5c3f7d5c15e83c7a83f2e1011c25ffe8a161e62c197b21be490 |
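The dropped-file listing above can be turned into IOCs and triaged mechanically. The Python below is an added example, not part of the sandbox report: it parses entries in the format used on this page (a path line followed by `| MD5 | ... |` hash rows, interleaved with `memory/PID-...-memory.dmp` lines), separates user files that were renamed with an appended `.exe` (for example `alertIcon.png.exe` and `My Wallpaper.jpg.exe`) from the four-letter droppers written to `%TEMP%`, checks whether every dropped sample has a distinct SHA256 (the signature of a polymorphic infector, where hash-based blocking of individual copies is ineffective), and confirms that every memory dump covers the same 0x2B000-byte image at 0x400000. The sample input is a handful of entries copied from this page; the filename heuristics (which source extensions count as infected user files, the four-letter `%TEMP%` name pattern) are assumptions made for illustration, not something the report states.

```python
import re
from collections import Counter

# Constructed sample: a few entries copied verbatim from this page's
# dropped-files listing. Hashes are as reported by the sandbox.
SAMPLE = r"""
C:\Users\Admin\AppData\Local\Temp\WAgm.exe
| MD5 | c697f0ac8d7a52c577bab0be7d3efd51 |
| SHA1 | df1ca580ca4bd3e9dc328f6b25079ca131379e2b |
| SHA256 | 21f9c47f604b66d3a859940e2489b0cda0622172e66ce42716b21ee48765e572 |
memory/2016-895-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\alertIcon.png.exe
| MD5 | be58dd9e0d98823f266302378cab0d41 |
| SHA256 | bdeb903c13d9a070dd9abef67a411c139db9710dc09aaaa42c0f1bfb675c2f80 |
C:\Users\Admin\Pictures\My Wallpaper.jpg.exe
| MD5 | a4450b8aa1c2b9684d6aaf3e00bf6d2e |
| SHA256 | 47aef7b0ba7df981d79cb4ae47dcc1107cad1d2671a8e24c725734ed2dc9b300 |
memory/1900-2057-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\YYAG.exe
| MD5 | 20acbe8a8b711a8e6bb262ce2aebf6bb |
| SHA256 | b80eb86364324d4b20eb12e7296aa5aa1da7b25ae23ee115c3213aa51967f92c |
"""

PATH_RE = re.compile(r"^[A-Za-z]:\\.+")
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-f]+)\s*\|$")
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

# Heuristics (assumptions for this example): a user file renamed by appending
# ".exe" keeps its original extension in the name; the droppers on this page
# are four-letter random names under %TEMP%.
DOUBLE_EXT_RE = re.compile(r"\.(png|jpg|jpeg|gif|bmp|doc|docx|xls|xlsx|pdf|zip)\.exe$", re.I)
TEMP_DROPPER_RE = re.compile(r"\\AppData\\Local\\Temp\\[A-Za-z]{4}\.exe$")


def parse_listing(text):
    """Return (files, regions): files are {path, hashes}, regions are memory dumps."""
    files, regions = [], []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if PATH_RE.match(line):
            current = {"path": line, "hashes": {}}
            files.append(current)
        elif (m := HASH_RE.match(line)) and current is not None:
            current["hashes"][m.group(1)] = m.group(2)
        elif m := MEM_RE.match(line):
            start, end = int(m.group(3), 16), int(m.group(4), 16)
            regions.append({"pid": int(m.group(1)), "start": start, "size": end - start})
    return files, regions


def classify(path):
    name = path.rsplit("\\", 1)[-1]
    if DOUBLE_EXT_RE.search(name):
        return "infected-user-file"   # original file renamed with an added .exe
    if TEMP_DROPPER_RE.search(path):
        return "temp-dropper"         # fresh copy of the infector in %TEMP%
    return "other"


def original_name(path):
    """Strip the appended .exe so the victim file can be tracked for restoration."""
    return path[:-4] if DOUBLE_EXT_RE.search(path) else path


def triage(text):
    files, regions = parse_listing(text)
    kinds = Counter(classify(f["path"]) for f in files)
    sha256s = [f["hashes"]["SHA256"] for f in files if "SHA256" in f["hashes"]]
    # Every copy hashing differently means per-sample hash blocking will not hold.
    polymorphic = len(sha256s) > 1 and len(set(sha256s)) == len(sha256s)
    sizes = {r["size"] for r in regions}
    return {
        "files": len(files),
        "kinds": dict(kinds),
        "polymorphic": polymorphic,
        "pids": sorted({r["pid"] for r in regions}),
        # Identical dump size across PIDs: the same unpacked image in each process.
        "common_image_size": sizes.pop() if len(sizes) == 1 else None,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

Run against the full listing, the useful outputs are the `infected-user-file` paths (with `original_name` giving what to restore from backup), the count of distinct SHA256 values versus dropped files, and whether the memory dumps all share one image size; a mismatch in the last two would indicate more than one payload family in the detonation.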