Analysis Overview
SHA256
edc6d589a66d3457c04eb7e5ec5d4ded396a78417a81fa307abc434306d709e4
Threat Level: Known bad
The file 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock was found to be: Known bad.
Malicious Activity Summary
UAC bypass
Modifies visibility of file extensions in Explorer
Renames multiple (78) files with added filename extension
Reads user/profile data of web browsers
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Adds Run key to start application
Drops file in System32 directory
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: GetForegroundWindowSpam
Modifies registry key
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-10-26 04:33
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-26 04:33
Reported
2024-10-26 04:35
Platform
win7-20241010-en
Max time kernel
150s
Max time network
118s
Command Line
Signatures
Modifies visibility of file extensions in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\nMgQocMI\TaAcEIcs.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\nMgQocMI\TaAcEIcs.exe | N/A |
| N/A | N/A | C:\ProgramData\ACccUAsw\aaMockko.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\TaAcEIcs.exe = "C:\\Users\\Admin\\nMgQocMI\\TaAcEIcs.exe" | C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\aaMockko.exe = "C:\\ProgramData\\ACccUAsw\\aaMockko.exe" | C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\TaAcEIcs.exe = "C:\\Users\\Admin\\nMgQocMI\\TaAcEIcs.exe" | C:\Users\Admin\nMgQocMI\TaAcEIcs.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\aaMockko.exe = "C:\\ProgramData\\ACccUAsw\\aaMockko.exe" | C:\ProgramData\ACccUAsw\aaMockko.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\nMgQocMI\TaAcEIcs.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe"
C:\Users\Admin\nMgQocMI\TaAcEIcs.exe
"C:\Users\Admin\nMgQocMI\TaAcEIcs.exe"
C:\ProgramData\ACccUAsw\aaMockko.exe
"C:\ProgramData\ACccUAsw\aaMockko.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\hQsssgoo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\zQkYIAQE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\SqYkcoUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\soUocgUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\YOckkcwk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\vQckIEwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\EaYYwscY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\xcUwYYQs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\lSEkkssY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\YSoUwwYY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\oaAkIokA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tAkwkYIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\xIUgIwoA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tOYAEkEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\SkEwEwkY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\IYMwUAcg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\OesoQcsE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\zmEkoMwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\BQEAokII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\mmEEggMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\gYIQwIgA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\bmYQwgAc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\kgAUkIYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\UeMsoYEw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "115202722815158114581905285703448358946007631561894868915-1501155296956566501"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\KysMUIcc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\MQwsAQUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\PgQkoIMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\wCowIAIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\bsoccUUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\hegsQUIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\iKIoUAsQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1163092843239508926-12092877815506701711979807995-1975371770-2145395312-229014637"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\isEMckIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\QmMIkgIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\fCQscQko.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "15487115512059267857737657060748205635642781357-1091727918803640790-1091644558"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2067753003-285617951-1337572433-1851847926213413474-199937261413201060041254520377"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\jeccwEoA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\WSQIUkQA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-713118171-14202057431306839635-1757858328-11752708851754074221-11857571681658619023"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1177938480-14082616352567039151839958566-76631736-392180311-453573915376194166"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\VUgckoEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "18430479511548386365-766389870-1937398084-960685781286882764945550812-855251748"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2616836491511184097147009241128329680289013069323603459114241565881004087998"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\uYkoskAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "453545201-1754506334-839257362-1577944705-1081384657959095539208338102405904322"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "8717521314492036001309653834-2041373528-148650691111594101761640671944-1751434510"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\pgEkkkEs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "129208331-1622261683-107183125521473320501500048764-19628004771628145482-761022801"
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\wekMoIMw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "829594284708425366385694231-5992579194401000739802710420293700241166110367"
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZgIIwYgo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\qmossMwg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\BmksMwUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1644720271-1916342777-722611430-906536145-1945606467446661357-1425184894-1695738036"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\YcEIEkEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "18119970517806125067531458961602730381-1729968611-33435293-1178172966434438684"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1281852961917418566-305648649-6838490055639277471014433459866014884582851912"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "698404448-65455793289613721-145195929198792733-579149990-18797543-552359387"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\fGQYAYAM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1788755867-2136193820590295329-4765942021148506729-2140800707-5076426111688507691"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "186527897326066559110367624671675744758-629925576-1600825901-428812612-1801931511"
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "349800609-210959864-8813918041529467528372055501-64689730151573966-508333765"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\NqUYkwgE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-101302772911094700811507085473-719187038189030651173621514520972228742084389164"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sQgYYwEs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1379868735-333258797409707672080356967-1168391001-150614591017763845801405520672"
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\IGMcYsEU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-869250228-83310479033495436510784400531614893413729870774891690992124074656"
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZMcYUYQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-603600067-12236840391938801523-104231540417408253611365922043-1763465840-355575452"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\SmUEokow.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "194107190488564665-1343888664-1422857821-4275426501263425347-1481759719548852994"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "465458823435303541-493104782-918856755-1799417654401187712-1658102986-1763981404"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\LUEAwQUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "18582847021901947352-2807131411280659709-292345252-2172239499406564381386759541"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "129983148-2380897545580149861674885665-18790193321565760494-188233527-1088584936"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\HkYccEUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-12575595741082912807818065960-16280086127920407681323504162878532420-1536907393"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-17886629881256642205-390259426556111327945840858-28521454-15805979121399676386"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1220189963-14039786501474060556-1155531589-3193857722089171722-736494638-1018318855"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\OSkIgAMU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1047780760-1850804770-1431188280-11788173392137603782-19058475187942002871399640966"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\lCsMMUog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-4591061331351854156440037192967984276-1595690106-366359433-1952224344-377927474"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-101246951014981607795714045991400844251-11158476301970060646-1332648629278122874"
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\cscwIsoY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "15633783461463670788-1869845937-1063685584-16485845711053069942-1161969462-443775595"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\fwMswsQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "965017412-1514975221-11736636441140274281-1778121348-1439321702-1152659038-775200347"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "662192459757670458-1855380794160853813-129257239-10959416091664122644-1627210604"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Network
| Country | Destination | Domain | Proto |
| BO | 200.87.164.69:9999 | tcp | |
| US | 8.8.8.8:53 | google.com | udp |
| GB | 172.217.16.238:80 | google.com | tcp |
| BO | 200.87.164.69:9999 | tcp | |
| GB | 172.217.16.238:80 | google.com | tcp |
| BO | 200.119.204.12:9999 | tcp | |
| BO | 200.119.204.12:9999 | tcp | |
| BO | 190.186.45.170:9999 | tcp | |
| BO | 190.186.45.170:9999 | tcp |
Files
memory/2528-0-0x0000000000400000-0x0000000000420000-memory.dmp
\Users\Admin\nMgQocMI\TaAcEIcs.exe
| MD5 | 6e13d77732b658ff884c155530b68f0f |
| SHA1 | aede21b4af678aa62eccd20436edb18d90a9b425 |
| SHA256 | 3c4452a09e6f672e11b9b37697455c1e13f9f39201f1317af9a3509f72970438 |
| SHA512 | 0ff4bb9b91663abdd0cdfd1da598bc380de69956bc744f6eac466ad6bf06b8d83f2a0cd9202de31c74ca951e2ee1dc71efc7436b47170469c41fcb12eef270a9 |
memory/2528-4-0x00000000003D0000-0x00000000003ED000-memory.dmp
\ProgramData\ACccUAsw\aaMockko.exe
| MD5 | 8d078a2b16cb8288f6931556f5c821df |
| SHA1 | 25a0d5a04ad20fa864f165994a060078c2172150 |
| SHA256 | 949791ca7063837aced59fb5819dc4264137b0cd0c232eda8df434d69c1afc40 |
| SHA512 | dc60f0d24a8c96f6a5a0e2b02d0a4bcb9ced96380c33c5750457b7c3333d1a49365d934c651d277d3b3c107d517843458ef015d6a7beb95321feb01b7da93a44 |
memory/2528-15-0x00000000003D0000-0x00000000003ED000-memory.dmp
memory/1852-30-0x0000000000400000-0x000000000041D000-memory.dmp
memory/2528-28-0x00000000003D0000-0x00000000003ED000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\kSMIMMMs.bat
| MD5 | 337cba88ed5e5b92824a1d873e2345c6 |
| SHA1 | 6b3f929caaaf3b8405080652d8f2f95c6b05d401 |
| SHA256 | 748a19a7a362a62ba89f0752e09134dcdd528f47812e4dc07e52515776513601 |
| SHA512 | 01b813bc60a60b7f711c2245444b589c0d21417ef352d5cc21442e84b468068ff5dca5b84eb7c9e17a20f1610b267e2f183f77f4b07a777f620618c3b0b96ab0 |
memory/2720-33-0x0000000000180000-0x00000000001A0000-memory.dmp
memory/2720-32-0x0000000000180000-0x00000000001A0000-memory.dmp
memory/2528-41-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\hQsssgoo.bat
| MD5 | bae1095f340720d965898063fede1273 |
| SHA1 | 455d8a81818a7e82b1490c949b32fa7ff98d5210 |
| SHA256 | ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a |
| SHA512 | 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024 |
C:\Users\Admin\AppData\Local\Temp\file.vbs
| MD5 | 4afb5c4527091738faf9cd4addf9d34e |
| SHA1 | 170ba9d866894c1b109b62649b1893eb90350459 |
| SHA256 | 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc |
| SHA512 | 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5 |
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
| MD5 | d7ee4543371744836d520e0ce24a9ee6 |
| SHA1 | a6cda6aac3e480b269b9da2bd616bdb4d6fa87f0 |
| SHA256 | 98817a572430813ca4ca2787dab20573f7864c5168ac6912f34d14b49e7bd7c9 |
| SHA512 | e15b6a50d9d498918a81488bf8d60860027f9a38f4d87e239f1c6e9d20fe4938e75861dad35c69e4087370c18b2cd5b482ab6ca694dfe205d053f1d303d17808 |
C:\Users\Admin\AppData\Local\Temp\iicoYkUY.bat
| MD5 | 99df1e8c81c7592290f5b3f075f25123 |
| SHA1 | 8cbc29fa696fb2edfd758b20dda22518a353f35e |
| SHA256 | 062321f3517991d99c08c7b7dd8b2d5f9035006ef98415ad06f99e9fd1a62ca8 |
| SHA512 | 9980edc8829dac5e88218f54d8d1299c46ee67be2abc9504b5409f2c59bb446dc1e5ce2b6c73977d5d9dba6dc5c1f1e4451a83f80e73a52ed5f74daf35046b92 |
memory/2664-54-0x00000000001B0000-0x00000000001D0000-memory.dmp
memory/2664-55-0x00000000001B0000-0x00000000001D0000-memory.dmp
memory/2768-64-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\MYkosMQo.bat
| MD5 | 26abb8040f8a3ea33860e63ed44248ea |
| SHA1 | d5f6af9fdc941a58b6e3315b239ecdf350153326 |
| SHA256 | 2c2a3b0e2d81f3fdedd4516942bf6a1a752303790672dd6d80e047aacac7f75f |
| SHA512 | 41975f50a908ec181ed0df13b0e7bec448a8e8cf04b5be69ea29ebbc7cf6ad5ea613538919f26fe5a0a676826049099f59c855a6909056f95097799fa5dcd621 |
memory/2500-78-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2500-77-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2228-87-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\QeAcAYQA.bat
| MD5 | 9774be2773798d49991aed2b56d47547 |
| SHA1 | abb905474244a752563a2a5134d66f4746125f96 |
| SHA256 | d61be0e7de521478524a9df1b51beea57a1a3788a7c3c1897c5833aa88b3da8a |
| SHA512 | 561e69c4a36f6de3c0285a4bfd6ecfd63c1d684a6e6daa444f8b3e2a87d448a99676768102970ffad88248156616c5273ab12058e70efa87974686607fbeacb6 |
memory/664-100-0x0000000000130000-0x0000000000150000-memory.dmp
memory/764-109-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\mEwcsMkM.bat
| MD5 | a667fd20f2ce472ea310594d9582e31b |
| SHA1 | 8a1c073611801f1b4251e764e176767a0d1021de |
| SHA256 | e110f0f8fad8e764197181dee150936c1b9f7296414d5d441acb18d496a6c311 |
| SHA512 | b7662d4020e61fe6c2fa91135142f32c7f135ed281ae8af4e12350be6f66dec8a10e86d42fd9acfa93cc6e9bdf4e56f384b01a5656d8a6db2197460264f19998 |
memory/1332-123-0x0000000000400000-0x0000000000420000-memory.dmp
memory/904-132-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2448-124-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\pMAcgYkI.bat
| MD5 | 28b72679f130c634834e7a56eda192d4 |
| SHA1 | d231a3692ccf7670dbca1d31981cc2fee7e3ad5b |
| SHA256 | 722dd5fd9b9ac7d932097fa8cb812056318e4a6f5aa3c00d2b9c64cd8e188972 |
| SHA512 | 87259109a837c039a7bbbf014ab2b3408128b71d3352b5113192f89e7ddd8da20450f75729bb710078e0c014d33cbeae3c8f043d7c6f2762a0ff055345a7af09 |
memory/1740-145-0x0000000000120000-0x0000000000140000-memory.dmp
memory/2448-154-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\VSMkwock.bat
| MD5 | bdda88f274e269c0512b709ba9b2c90a |
| SHA1 | 21db38c8ea108d00954c2297f5f818878195d25f |
| SHA256 | 7791c3de4928b505a8d5833f97bbe41f16de180a6b1cbcb9ae8bf7903b4bbba4 |
| SHA512 | d1c693e8655e135c39d7423f23f70a66afc81ceaabb1b3af494b292d772c5f436ad1ca1eec955da7fb80c101ed3e6bb00da43f10fadfec15ff74726c7b8bdd2b |
memory/2836-167-0x00000000000C0000-0x00000000000E0000-memory.dmp
memory/2760-168-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2520-177-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\GOkgYEUY.bat
| MD5 | 21c998bc66772ee4d31648c89a950fcb |
| SHA1 | 3a85c4e8ae7ffdb54e58ae814e092708933cb2da |
| SHA256 | eadfe3362ca18bc1171cc3421114853a331e72a7d96d45d8f9aad8e024fcbccd |
| SHA512 | 971b3bea9b958eeace8b3b833811b51e00d5652e83fef9d2d09d84c3dcc6063b69e4ff93cda1983aebdccc53aea530237add34c183f0448368b688a8ffed4b77 |
memory/1480-190-0x0000000000130000-0x0000000000150000-memory.dmp
memory/2760-199-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ymcUgEQY.bat
| MD5 | ad1e5a996c2d16081e89cf5c2a5eb2d2 |
| SHA1 | 881015166b7edcbe7fcdaa809e198eaff4abafff |
| SHA256 | ca582d9ca2cba3cf13ff3fe7ad3d55b762aa94f2415c5aa5aab8af41d0999581 |
| SHA512 | 79df0cdb86c7ae2e7231f291a97bcb0e7afaf7342ca32053b3b4da1393db6e596e5499720d9814b8c1d66d59e21cccb5f7a0ba0e20d5e0f42c7cfa2f95b009a2 |
memory/2984-214-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1760-213-0x0000000000120000-0x0000000000140000-memory.dmp
memory/824-223-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1760-212-0x0000000000120000-0x0000000000140000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\LUkocYcY.bat
| MD5 | 2a893ad3bc2e3c167c312aea5fe69647 |
| SHA1 | fca622ade568c9d94ff48b9d3c122d490aaba054 |
| SHA256 | 9daadcb5028972919f698ff84faf58c175f6bb39d47dad70447a64e95e933b61 |
| SHA512 | 47029ba42cdb57df41b55142d839690767311406265de6009565729e133ce6fbefd681e54612c58de479bda4ffd9b227bcb9d4973072a527a4851b65d0839452 |
memory/2360-236-0x0000000000120000-0x0000000000140000-memory.dmp
memory/1336-237-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2984-246-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\NOkQwsEk.bat
| MD5 | 8770486bb2a9ef95b6ad8f62c6406237 |
| SHA1 | 0665a844d0dfbd29a4ff2d9cd1e0a73cb93681ba |
| SHA256 | 98f53b2d2956d57af428a665096b0663ee5d2ae17972dcb5261d580a0e1dafaf |
| SHA512 | 0473f565679e040a8872c74c5fc8108b189a6b495f1758c295f31c0aa325ff0567d19bb521c94b2b78a980511df85485c981ea09cc5e2081d10681ffbde2229b |
memory/2276-268-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2444-269-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1336-267-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xooMAggk.bat
| MD5 | bd665803be590a8ce7d030137dcc0a53 |
| SHA1 | 024b8f61fc124c8c50fe56206afeee2b85ea5468 |
| SHA256 | c1651fa6f8716b3e9bd07cec31d407daab831e41760e0e5232f25eefc733194b |
| SHA512 | 7e673b71d2edc16a69775a1bea681ca15d3a7a41e9142e25b5faff0e5d9fc6037787b719ba8277ece72cc7b33c0ad6fc04acef93b3688ee33a05f1b1b684ddb7 |
memory/2596-282-0x0000000000170000-0x0000000000190000-memory.dmp
memory/2596-283-0x0000000000170000-0x0000000000190000-memory.dmp
memory/2796-284-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2444-293-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\BkMwMwog.bat
| MD5 | e7a0f565a68a9a29e94ee3b651da37e5 |
| SHA1 | 1806c6cf48facc4780e9251578e8f63cfa7678d0 |
| SHA256 | 4f266e2e01920c65df851e7c04b112071d659b00eea26996815da1616fb5bcf4 |
| SHA512 | f57c861c3c296d56025184accf9b5e17890575f86df4bd545481c2830513e01d1043407f514b9d778a6f1dff4bfb58708725160d3c4fe44aa68df834b0ff16f1 |
memory/2728-306-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2616-305-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2324-317-0x0000000076D20000-0x0000000076E1A000-memory.dmp
memory/2324-316-0x0000000076C00000-0x0000000076D1F000-memory.dmp
memory/2796-315-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\rcAUQskA.bat
| MD5 | 6e6f3c20499b5f150b378817f0d85a93 |
| SHA1 | 470c954a932f92d6c67286cea474200790ad318f |
| SHA256 | 9a806dbf61edbf98e5a2834878c39111e38e0edf5738d9e34862818400df2e0d |
| SHA512 | 139158329600f91e38a7fac951792cbd67a47190f60e99173392436796664b6a9864960e1e44b383fbe275d664ba22d9886fa09b3421d8ffef664a710bca3b2a |
memory/2940-333-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2680-332-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2680-331-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2728-342-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IiMsMYUc.bat
| MD5 | 95c5ab8f89b496d5515fc7f5b9d452e9 |
| SHA1 | 19fd0690811f404870e54cf062e2c3200c12f032 |
| SHA256 | 85359b074e910f75956c03c1c18c88d1135fed230828f4babc4ce8957e26716c |
| SHA512 | faf17c2e4f2f2ef8716ba4f2b3c623b798ba251f939dae9a6c883bd8daf118ab0bf6d6dc3f84fa9ff4347a3df6b7d64d568d5087158bde2fbb8406e23c18fc2b |
memory/1864-356-0x00000000001C0000-0x00000000001E0000-memory.dmp
memory/620-357-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1864-355-0x00000000001C0000-0x00000000001E0000-memory.dmp
memory/2940-366-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\AsIAIQck.bat
| MD5 | eb14170e965ffcc3b88daee0225f4745 |
| SHA1 | 81263b6ce9525850d7928e64ec1e892a2cb8242d |
| SHA256 | 5081512e1bdc4cd0d53cd572a9bf173c1e9553e7799fbb0933f3fa63aa49dbf7 |
| SHA512 | c5e793a2d50cc6b7d9b8c148d4443ec833019541e97e25be920b6e571e7f367b290b516c5c871c93924ebe609b4136701cb59b4c4dbc294275ea66a4d6f864ea |
memory/620-390-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2352-389-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2588-381-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2588-380-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\vSAgwwkY.bat
| MD5 | b9afe97ae78a59e70989206f0b33c8a5 |
| SHA1 | 3dde34a4cf472eaa4723d1886df9e5340156b9f5 |
| SHA256 | d52714aaeeafbf2bd789213cf7ad078e2ae17521e3fb061599b523b22d72cc1c |
| SHA512 | d6746772f3a80005108092cf9557fd9303ef88a83e6fcfd21f458a4612fdcea29964a74bba8f6f62c357eaa8203dee349838747931ee41922be256d9b988850a |
memory/728-412-0x0000000000160000-0x0000000000180000-memory.dmp
memory/2352-411-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1652-413-0x0000000000400000-0x0000000000420000-memory.dmp
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe
| MD5 | 9d10f99a6712e28f8acd5641e3a7ea6b |
| SHA1 | 835e982347db919a681ba12f3891f62152e50f0d |
| SHA256 | 70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc |
| SHA512 | 2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5 |
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe
| MD5 | 4d92f518527353c0db88a70fddcfd390 |
| SHA1 | c4baffc19e7d1f0e0ebf73bab86a491c1d152f98 |
| SHA256 | 97e6f3fc1a9163f10b6502509d55bf75ee893967fb35f318954797e8ab4d4d9c |
| SHA512 | 05a8136ccc45ef73cd5c70ee0ef204d9d2b48b950e938494b6d1a61dfba37527c9600382321d1c031dc74e4cf3e16f001ae0f8cd64d76d765f5509ce8dc76452 |
C:\Users\Admin\AppData\Local\Temp\LsMA.exe
| MD5 | 869c122b56557327a53afb77123c1955 |
| SHA1 | 0f8a22e90abc84ae631be40f9b63391e9102ebbc |
| SHA256 | d3a5e60f4a1436f74900a384531663abe7b02f4e5540e684538dbead1f89e2c3 |
| SHA512 | c6c9c83b478f609affc39ed344a71757817be500ee0fc420d2ad1cd5cf54a14c705590531a50bc2d0f3833a61ea34b7a44630d6ebf06cbfd65af430dfbefcecf |
\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe
| MD5 | c87e561258f2f8650cef999bf643a731 |
| SHA1 | 2c64b901284908e8ed59cf9c912f17d45b05e0af |
| SHA256 | a1dfa6639bef3cb4e41175c43730d46a51393942ead826337ca9541ac210c67b |
| SHA512 | dea4833aa712c5823f800f5f5a2adcf241c1b2b6747872f540f5ff9da6795c4ddb73db0912593337083c7c67b91e9eaf1b3d39a34b99980fd5904ba3d7d62f6c |
C:\Users\Admin\AppData\Local\Temp\smgkgwQg.bat
| MD5 | f200867eeb616a8c09348c6282e9dcb8 |
| SHA1 | ba1fc280740207044484145262f7b11f78bb8159 |
| SHA256 | 0032ae24a02762125ac7c1b3346436aa9b7ddf36eaccde26a6de2dfddd5504ca |
| SHA512 | d8a19074195720a5ab2ac76ee604ea1307dbea96034b5137c86754a1ac74581a1437de1e30dfe0eb35705dcf3d0d97d598bb79bae134e009ff55be2b1c73f65c |
memory/2908-444-0x0000000000170000-0x0000000000190000-memory.dmp
memory/2908-446-0x0000000000170000-0x0000000000190000-memory.dmp
memory/1652-455-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2852-447-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\jUkm.exe
| MD5 | 0955d64540240d744dcd049d4dbb5691 |
| SHA1 | c56e207ac4d1efecaac00e72d0cbba38c9880401 |
| SHA256 | 1033ba98d70a2689eda8af9dc22f1498b4ad69fb9f32c352a63ccc5491471d31 |
| SHA512 | 3ba09ab2e03bd958729702b1660c17341cbcd9c8ebbc3f42a66643ede03135423f735ca001da9233a98bd3158aba83fffd2113284a1f23f856865c65490c7a17 |
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe
| MD5 | eb9837dabf67ae22a8e22e85bc561d65 |
| SHA1 | 65810d164bfb50f0e8888eb328b538e8abdd9ff5 |
| SHA256 | d63726048a228db6eef4909efac871b5787f8d8b89761a6a74206f95a18310f1 |
| SHA512 | 9f13d93484a90759c1922466ca6ef135526750896d499f030e68b8e8bba24d2a57754e850e8a68d2b4fd7ecb3654b35dcce1cd54b66a28ae74be1bb588d6bcfa |
C:\Users\Admin\AppData\Local\Temp\wEwa.ico
| MD5 | 47a169535b738bd50344df196735e258 |
| SHA1 | 23b4c8041b83f0374554191d543fdce6890f4723 |
| SHA256 | ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf |
| SHA512 | ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7 |
C:\Users\Admin\AppData\Local\Temp\gEEIMowI.bat
| MD5 | 4fd9960415b8494a883885327ce84e29 |
| SHA1 | 38dff2184bab0a97b609b6ac3176c39af8d2730f |
| SHA256 | 3394694beb119b5a6e6be9c0cd31ec7092e9ff101b68d02400e5ea16c6d4ff1d |
| SHA512 | f507931cf9d15bf588377e6d683cfc6fa87a0d48bb35992bbfa4ae17391623944f048a8aa9c1c3ca92fd67182248b2c8c50f14a0e80a3d5a6e6bfee05e89ad94 |
C:\Users\Admin\AppData\Local\Temp\yMMQ.exe
| MD5 | 009f2634e3f36e41099257af874325bd |
| SHA1 | f59670b83c4378c4ffbd001c1a4a8f2d90315a5c |
| SHA256 | 2e6fda003f6069e6c51c9e69e5a8d93564b5abf2c7a1f64d93d42a484671ca74 |
| SHA512 | 0439fa706f1d67338a7d2b88f5f578c3b48c59be9ad06720efb19b0e7272f9fbaf4d9dec51e18fc06a03aeccab1ef678b00f9060d4e324230fbe5c31b7280aec |
memory/1080-519-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2728-518-0x0000000000260000-0x0000000000280000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\rcge.exe
| MD5 | 3e3fff5895a2ba7b53cd37833425d03f |
| SHA1 | c2f660e8de72e972b5d47573ee7cdadf3a9e39d7 |
| SHA256 | a73d8ec8fa776dcb1e6d82f89aad235f01ced0f42ef845a7a6b543104436e3a3 |
| SHA512 | dcf38f49c52f46d4f68835a7c2436dd0b26b3016564588e18fd7c1b2fccd53a92b934dfb2f82a1f83c0e595ecb34c762730b84562a820d8d2ff079329caa76cb |
memory/2728-515-0x0000000000260000-0x0000000000280000-memory.dmp
memory/2852-530-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\PcMo.exe
| MD5 | a444a6f94e9a1fe0418f4d76690f7a0c |
| SHA1 | daa64eceb470a63fa634564e63203dd16615c5b7 |
| SHA256 | cc7ac5f3e7c7303c0a689478ae5f07384c31c7fe0aa537d6c6082c269a501a33 |
| SHA512 | aebfb6323f327f1bb4dede3cb0f56d3d3d06a3c667d5d48efcf614aadce2d195f48a7fb8f4f3ceacc7dcad2db82599a7f3cb64ec6c85e624857be90b4f193e37 |
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe
| MD5 | 060f5bef7213c554b0d5bc89f98fd1cd |
| SHA1 | 709bdcb8653ad747bbb426ad39677b72881d95c1 |
| SHA256 | 2b919500af9f289a22c816c1c9d4a9590e70aa4715843298bd84947a3400ebad |
| SHA512 | 19ba5dbfb438edcf186427cae76e7dfc774bc185b763f35cca12f91f5761eb94ae9714bef0502d570b8d044e35d9df67ab049c647440b8dbf35da2485ce6db60 |
C:\Users\Admin\AppData\Local\Temp\XkgwoQsM.bat
| MD5 | 9a9a0213f74ba72f3f8f88a35b9a865a |
| SHA1 | 46ee95d3c42582a341605af8f2743df291d6297b |
| SHA256 | 0a25c64917ae2f37e1a56d9a3d47d73f143f9065093cc58d742eb99c3e59fe64 |
| SHA512 | 22edf501b5607003c861867ee876b3318e3647c5a4f0f55ca726e9f4d3e886d29b0bf55887be98f67791d3401209640323b1f6c60924725b0aca21007c6d9ff4 |
C:\Users\Admin\AppData\Local\Temp\JwMa.exe
| MD5 | 3679e15c300cbab9c5d1694f461f39ae |
| SHA1 | 6a8c0fba75c5da76958c0fd811ff9409498f9048 |
| SHA256 | fdb67ee41a9bb1c5537d981f142812776fb8cacf024cdc58c5e801fcc8c8a4fc |
| SHA512 | 364d35bea5fc261223a826fa7c3b8708ee99385e65aab5256b0b5f1afa7aa9b30c903fd551f2e3335341c9e30a55dc862b9e3a4237cfe47c069b142f44ea4186 |
memory/2388-580-0x0000000000120000-0x0000000000140000-memory.dmp
memory/2388-579-0x0000000000120000-0x0000000000140000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\fkIE.exe
| MD5 | 65e0610ae7ecff0e9e4a93fef840d443 |
| SHA1 | b619a73a751ed85e861329ea28fa50d56921c4d8 |
| SHA256 | c562297bc9aae4435f239f6eac1601dba323f64e4f0efbf1067a240b60d86abe |
| SHA512 | 4c4075872343797b111fee7bee3c257b453673232c10a5a9f0073232cd8c6663ececa62b0e94604fe45acac6fdaedc77e7dce8ebf2fe6518a3feb5baa2c1eef3 |
memory/1080-602-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\JMUG.exe
| MD5 | f2c1cd05f76c26874a3b5a9211ee45d8 |
| SHA1 | 83a126bd19c491b5737c910f580d059ed0cf7e84 |
| SHA256 | c461a784d7ae899195adbfe38be72b43e4f007a9572fc049e1753068683fa4e6 |
| SHA512 | 92dc8591d0b05610b35dff1640033d5508f1a2ec22986a24e0059bf775755b160551d3596727c513e0b18d635c5e0ed24bac0e7f8ab1558f47b8e692848317c6 |
C:\Users\Admin\AppData\Local\Temp\bUwU.exe
| MD5 | daf68733e0669e9a72da976518f60236 |
| SHA1 | 1de3111a6d7d027ad36f83036799af3fbff757b4 |
| SHA256 | 4637d5e125514449b67042d32a56084a4bc38135cf30d5288dc75fd12ed8835b |
| SHA512 | dd944beeb74dd0785372e0270100a6627913661199955375f055a2414ba69c86ada75dfa745389c86bd814563fcb9adc3838738dc74ce103e396c19bc866dc6b |
C:\Users\Admin\AppData\Local\Temp\vkkI.exe
| MD5 | 2d90246716eec56f45e871ee733f1b52 |
| SHA1 | 4fcf48f5a891e0cf2e717009363631942feccfbc |
| SHA256 | b15d3c96032cb7eb00d32498f67aee4a8e94fa7169f95cf56f88400d1a0b5950 |
| SHA512 | 0706f3f480d1c061fa0980c1c7ae1f0b17970c425725c11a08a88a1dabec302c802df96bb08f536f342fbee616d57a2f6842c2711b10522490b394b362fbd25f |
C:\Users\Admin\AppData\Local\Temp\xeYoAAss.bat
| MD5 | 4de8ac80590ee4dbfc0152d41c66c50a |
| SHA1 | f49246a1c9edd9b23b5f85ca7ac20198ed7b18e4 |
| SHA256 | b77d4eefeabd0694f43a93691eec4bf87ba97d086dc08dd6005b1097c5920b9e |
| SHA512 | 7f6b4592880a1523334533e6d88e9c30ad5bcb4767c4c69db3b7c36864129aee789fa91a4391263d22a9e4fbc9f59f9f6ae09f38e657322931bbe604e017e56b |
C:\Users\Admin\AppData\Local\Temp\GQoU.exe
| MD5 | e080430901a733ec1ba3d0bbfc2d2a77 |
| SHA1 | 5c446dfb01065756f27ee06bd654335b6c7550ec |
| SHA256 | 9399e60c3b5f4cda9cac889d2f26eeece80fec513ac1c543d9e6b56ac3c1a93d |
| SHA512 | 76133edd98c019bdf6c771ba163f291281873272a3f971ca33f7a7f21309ab36a6d3d1816b1da6f96fc16d7acaa654173b0ef8798d791978651a68ffd10311f0 |
C:\Users\Admin\AppData\Local\Temp\pwwS.exe
| MD5 | 31efdd736f12c472c85d410bcc1652be |
| SHA1 | 6e5f18cb2cdbb8a75f0af7556869fd002f5c8bf9 |
| SHA256 | b15b5a279df7df252485ef576f9e7fe021b28fa74a6948b0a3c51b1561df613f |
| SHA512 | 140e7bfa6a06c91df984a868ea0e30537361aa408a0aa61f670891f8ad4a8a842bfc84c8024e7517e91c2dff3165ee99e68255bd4579dbcdebc328ca12f21095 |
memory/1692-678-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2548-699-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\QkYQ.exe
| MD5 | 8850f426235a2dd1c96a0ca428ccae2c |
| SHA1 | d399c7a24feab6017c04c281f7a8086f4495e97e |
| SHA256 | 8a20bcab720fd0832a3e011e60c8e5e592ca8939a29e57a8f8a298f08fa5ae9c |
| SHA512 | bcc721dc251954583c7507a40242c5823f55db5bda3cbb2d9c70470635debaf3f8738d5d59fb87411f20ba9164ef4299183f5852f95d9b1483dca53248b15682 |
C:\Users\Admin\AppData\Local\Temp\BosQ.exe
| MD5 | 6b4c10278245c526b733dbe51966c2fc |
| SHA1 | 0bc4d2ba9ba0117a2a1c015ad09493a8b398e405 |
| SHA256 | 00c4dd6172048d4c30785c9df4356d9ef5f88eb4dd6214c6112dc0fbb933155d |
| SHA512 | 4ac218771939b64aea5c4b69a2b98c81f040c912fa6e23a12ed69c6b2aa34b1a6a33fb60645c113e1b988efbc4e45f3fa607c09645b4a6aa3923bb1984cf65f0 |
C:\Users\Admin\AppData\Local\Temp\dMkG.exe
| MD5 | 49d2fbaaa9f49b5b9c0f38cf1ca34746 |
| SHA1 | f1a63beafaee8f1c0973ca75ec0116b588dd32b2 |
| SHA256 | 6c1929dc7ed36f8eb708592958b6c8d15d4ebed724c16dfb953388a99bf6a254 |
| SHA512 | 358afdcb9c1f0bf06f0fa7e32e5f1f603b4c32db032231ce574524c46c2cd1caa44da1bce2c6097d42309346e23a61c6bdacb25bb8ff610e7ff8ff4904189aff |
C:\Users\Admin\AppData\Local\Temp\pMgO.exe
| MD5 | ed1d2f19508acea8397a4b019e82dfcc |
| SHA1 | 01790050ba26d68005f1150a2d9e980b338411c6 |
| SHA256 | 31603d598370afddd13765eb16025a21a2e2b15bc021e55ef7e255e74e04676c |
| SHA512 | d8e8d719dcf59b5fec09744b181b1bbf73d04b13ca43f60369d30972516b70ad4f65fdbfbda7ef2256fcfa52e330116a0174fa7f8e93bf6d06dfff3fb54e3a52 |
C:\Users\Admin\AppData\Local\Temp\zwgQcUMo.bat
| MD5 | 1ed17667e77fb667a5680cf54f7ca1d8 |
| SHA1 | 762c6da4850b5646b1fbba9a221c5aa76fe97df9 |
| SHA256 | 9eb3a324e2b28b046a964cd9075eab7d1b8576c248b32a5bf2ee324dfeb9ae8f |
| SHA512 | f8085f2d3e72ea75e1cb015e6a76ae6b063696586699e314f723758ae8fe9254e2ceb17d8a3123efc2fe3e6421e20301977a2e2154ec90718aec56f8857337df |
memory/2940-763-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2212-762-0x0000000000200000-0x0000000000220000-memory.dmp
memory/2212-761-0x0000000000200000-0x0000000000220000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Ksgs.exe
| MD5 | a9c471e2cadcb9569e9f81dddf9500b7 |
| SHA1 | ded3b62abe1ed06d4f471fb9fca61c42e6ac47f4 |
| SHA256 | 563f093ced2b380a98556f69af69b65785b60fc376cc6cf43303b463b963daaf |
| SHA512 | f93b88653ee5d8dc9f7f64e5e83606b755070f4b16974fde26b775240ce27fa97e2d39f122ae00cac2ed7e089e3ea4a56fe5f57eb20c429154c9e7fdf57b4eed |
memory/1676-772-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\lYks.exe
| MD5 | 0c5da46719e4f3d736d10c9976d1b599 |
| SHA1 | 87febfd3f7e5792d4d518ce8948807a976de04ee |
| SHA256 | f806c0b831ed03f16757d7a7e02a36b3223e34b113b2400a50ae1c49b98fe68b |
| SHA512 | faff92c577dc552869c9c9804fe85cf1bcfe6cae10784b09af880c01e0c3cb90065c6ea2eb908a8df4a5f565128bfd30a238a6e4a82434b02219adc44d8e641c |
C:\Users\Admin\AppData\Local\Temp\PgUk.exe
| MD5 | 1419c8953888be9ac6018857cabb7195 |
| SHA1 | 82f110eec394b3e655846c41c10df810067a9abe |
| SHA256 | 7b924dfeb5f2885bb95bb9a655043fcffbbafcd0d8313bc730c6e9916a596a78 |
| SHA512 | 2c0df8c1d1da203e83ef5abcfe16b1f055ac47a450889d8048482b3d128ff4b3159dd0419d82ee656fa53ad0d6c2d40ddf44f1dd273b0406897a535b22e96334 |
C:\Users\Admin\AppData\Local\Temp\PgEU.exe
| MD5 | 5686ac4872a344ff7951bc162f3b40e5 |
| SHA1 | 9a533b8e569f5d6a6c1be83e7d8faf5cb74df8c4 |
| SHA256 | 18eeba70bd6643a41b523fb8440a0540c16f7b2900af356fa1824d0a731700f1 |
| SHA512 | 8d0298234934da84842428877ffd140e3e7f8c9d2c195b01cb5e5aea2caa6583cb059c84bb39adeecb39ee3f19cb61c2b9a83a581f4aa0b6ec2df5d99b4100df |
C:\Users\Admin\AppData\Local\Temp\CYEM.exe
| MD5 | 853acb8bb3b26bf770fdee40eb7d340c |
| SHA1 | d2170e3c0737b0c8bcfb4204b1646470dc8e9b62 |
| SHA256 | 96c78d9e99f23472ea964a95acb9afc2cb4740f5a5e76300de97a506469e3d85 |
| SHA512 | 08a17f1dcc9205ccf52cb1a1e6e437d1924a2e79be67e942924351439986a301deb6fa2b84aa129b47749a7b5e452020d3506a9c4c4700e0ec5ad7a82caf0453 |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile26.bmp.exe
| MD5 | a7419fa024ed7714c45bfa27219840fe |
| SHA1 | ab5d8b05d1bbad71976be24458af29e445d452eb |
| SHA256 | 88c15cccab776015a1ca8606e5a8312fa7801693ff46c9802f78181a95f3f470 |
| SHA512 | 5b22b4a4ca4d7f3401ccff81fd20faafc1b613e1beffcccfb623f3b3cccb52f22ad11095f902dc4b71f6214c8d13e8c6d07ade9686f0baeb4d0520b00ca40277 |
C:\Users\Admin\AppData\Local\Temp\mQUsYIck.bat
| MD5 | b6617a579bfc924ae0986453c81b13c0 |
| SHA1 | 621ba2c5eaf9bafc15a737baf4bee17fadba8f59 |
| SHA256 | 8f54a12ca01fb8c83751a43cd938c8452562467348f9cd0e5c337dd8d1289d0a |
| SHA512 | 42a34ff82b15e51981dcbc347b6e80612f0fa8283b6adbceda562ca5eb1dde30d5e0af88b52543624409973eb53c9bfff929b03018d21d91e2bfca78a82b913f |
C:\Users\Admin\AppData\Local\Temp\ogMq.exe
| MD5 | d7ea08cacb57babc7f9433c23eec0a71 |
| SHA1 | a9c12c735e71df2233476aedfacf72cd855ce19e |
| SHA256 | bc898ede731315fe5bbd7db083ff2876a1212787529521f56d0da47587f3a482 |
| SHA512 | 2d602c0de0c929ebed3a80dcfa7641f181bbded1881514db8ec5ef1bcfd4ac48926a5c89d68002291787b240917f08024b6534728673cba08621fe83fdb1303c |
memory/1552-862-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\pYMY.exe
| MD5 | b32b6b100591bee9f6a51f7564b083a1 |
| SHA1 | dea0537ba0aee6c16abb65e29d883ad129320b31 |
| SHA256 | 0ab5b817ffc5857f5e4419f28bd478600e95cd9331e0528056f1ceea3be5729f |
| SHA512 | 085c706cb2fbd3fb5120be8923a65ad3b389d5417d94a1364c3e325e315469ba95b092ddc1d817e8ca78c36a272df7c9bc9c5d73a2bf7b2dd543a4d2bbba1ad7 |
memory/2552-861-0x0000000000130000-0x0000000000150000-memory.dmp
memory/2552-860-0x0000000000130000-0x0000000000150000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\lAck.exe
| MD5 | 60574bb6fc37fa354ca024172a7c7af8 |
| SHA1 | e7c06281014dfc9de16e688543f7f97af46fb78c |
| SHA256 | cfae300441912b836bfafd64e7e89594a29b3c29a44550c0df4cec6e0112a7d1 |
| SHA512 | 8ababf37493639a9b9f32f0fb405bd3df97f2d299a0b1aaf7f87e459607dd54da61980134224ffe6f2ce926a49ec2523b86090e6759ca42d82d7fc0f6aefc1dd |
memory/2940-885-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\HAsK.exe
| MD5 | 28b1ca5783a612497a67da26b5802d2c |
| SHA1 | e5370dfee1bc037fe949b76682f6ef14eb2e7919 |
| SHA256 | f2947ad9af3cf55b0a6376d82455466e4626abecc5ae483fcf237bbd056f4cb4 |
| SHA512 | f6dea9e700d4823a76feebd8e12f977cd06245dd9778f0a9e467034ce660c382042aa696c39dc6b948b33fe62232f254d3a339d35ce19b347708eea16212aef2 |
C:\Users\Admin\AppData\Local\Temp\oAQu.exe
| MD5 | 0716c88b2df7f6aab2949763dfb0f601 |
| SHA1 | bb4650cba83dfb9e0bf302076610ef401c7e6dea |
| SHA256 | b3705730e9742e8bd35bd1263df489940a2aad383a64854b24107b11b3f7a367 |
| SHA512 | cfcf3e64bfeb286827e54e9bf5b95c27c947557514ba2dc406fa762aa9e2eac673e4499ffd0123359cbfe83e1cce7e01ccb9fcd2b77f319f80ce941c83110609 |
C:\Users\Admin\AppData\Local\Temp\dEIm.exe
| MD5 | 4f539185021f22dd9c863873665aeec1 |
| SHA1 | fb768da534a639bbb4d63e03bfaa7bde898491df |
| SHA256 | a9e5a77feac2c647ef181e09b9c293ea10852e6c2b8251530e96c6c109495ef9 |
| SHA512 | f32ed680692e0c2172aa2beb3e4e9b225831cc601333c99d738aa7cc659877f759fbad8ec244c37197cd0d146ec65e467c949ffc720dec11609b1163f357dbea |
C:\Users\Admin\AppData\Local\Temp\hYsc.exe
| MD5 | 3654c21d21f835383c4b920dcef258e8 |
| SHA1 | 12aaa292b8a17db5f3da039ab95e2df8d8be7684 |
| SHA256 | 9c561af8965079be81babb18ed9cc29a66d9209cb8f4301f38ca39cdc70d08d6 |
| SHA512 | 672bbcbabbb94307082f5a9fecebcc9bf2a333bd81363bfadd69740cd13e12f781b36ed3a52202aaed868f57ebc6593554c5aba66c279c3049e756a8c606633a |
C:\Users\Admin\AppData\Local\Temp\bYMs.exe
| MD5 | 59830fcfd635dcc0a81fbfc1781b7b7f |
| SHA1 | 99bcc803e0664514bb0941c7259b5eb3222cf415 |
| SHA256 | 0c1bf08c1ce01824630b6ccf452b4ccfb03dfc5de68dcd4e74c2e68324ac9fff |
| SHA512 | ce8d51f68d6c3dc8effd32bc44e309899cdf40f63111513f7b4750f527b820874172d2546d08aa81c622e27f8ed7347ed7afe37825dbdb7480c57aa2eca61504 |
C:\Users\Admin\AppData\Local\Temp\QMwe.exe
| MD5 | 3a9d3009116ee6a7d19bcb3a0b219ae5 |
| SHA1 | 087e2751ef5f36812be243372559ead790768e66 |
| SHA256 | 9956b1858139aa960858175b4b11f1773b80f961872e4ad06f9d7f01e22e61f4 |
| SHA512 | e4f7f78c08380e44dfde0019b3ce8471f91027866ebc94206c72e07057a86625a8698778c4e0490f7d4d603f0bda12eac71ba959113ee626c7a29dc8403c7199 |
C:\Users\Admin\AppData\Local\Temp\QQAIwkIg.bat
| MD5 | 22b38552d2f033380b12200594fcd3fb |
| SHA1 | 2e689254e4a61c73c1f9f6a7a70291604d9bc238 |
| SHA256 | 0f9e1b09c18e4007355ce5af67fe967126029b93ea4b3935f700d96a18f0cdfd |
| SHA512 | 4da7bb5ce5114c9b490e5ed2b0fcafe939085fc7d204dfb65da185cd7d76a26dd8309f4ceaee436072d0b3ef3bc379f8d25d6539b0f2d33785505cb55af0e684 |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile36.bmp.exe
| MD5 | 11caa291521bfd9d74f089624e699bbe |
| SHA1 | 757b73f9bcfdd75887b6402e2bf1202ac8adb546 |
| SHA256 | 0d96d7147a855564a7380084f31942e9a13123ee347b18035fd1dfed8197b13f |
| SHA512 | 66abbad6cd05693f289f1837ba71d9d65c1f4c84293384b4a8a460dfb282f4cbb68cf7d307fe9d683177e9a5db3917eece578d9845cd42f226cce2fdcfdb009b |
memory/2008-1000-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2000-999-0x0000000000260000-0x0000000000280000-memory.dmp
memory/2000-998-0x0000000000260000-0x0000000000280000-memory.dmp
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile37.bmp.exe
| MD5 | 384bdc92cb922b142e19c205635267a8 |
| SHA1 | 90471e34d2295bec5a71b98fcc7ec42487ed3a54 |
| SHA256 | 45dfaa265a2a736bd22ba486adfb1e8488bbafccc2931a4b29fb1c5c32e55e3b |
| SHA512 | 361e7ba02d1581cf3b3e97d062183854defab382fa6dc87dd4bde2696983c4f060d629de65d7dc7ce31c26ef3baeac9218fe018779613cf81575f3ce6c889bcf |
memory/1552-1022-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ygco.exe
| MD5 | 4cb47f845c1ed62c1c5d138b318b7580 |
| SHA1 | aa10732d9ce10968ed0a15e79822ee095ea1f58a |
| SHA256 | 2ceecfe795bc132b7e6719d31e3806c31dac65c0823bafc18cd63b58d222f8b7 |
| SHA512 | eb77ccaf104d7f0647f94b46c889622e63864b22205517d0654cadfd0e2d4fd4de696400e09f5eb00288cb65deb6ffdbbe8ce882c781d5c360813ec2c113e093 |
C:\Users\Admin\AppData\Local\Temp\pYsk.exe
| MD5 | 827a60a3336b979ea48481a593b4f494 |
| SHA1 | cd10f85f5a9b62470ba0f9aa419f305dd2fda597 |
| SHA256 | b960a7f165d7e58353501e2988be245a0425c6d41b122c8a10a4ee48a200f454 |
| SHA512 | 82ac9867188bd968feafe1f97eefaaf71b2f55d516f50525074aa92e7781fb162ec819c0aec17a1fb349cbcf586c2992241383f3b2524b0e5e4550b2331e9d52 |
C:\Users\Admin\AppData\Local\Temp\TaUQYIwI.bat
| MD5 | 893d2e4ac00493e0ba35e4f41c61eb33 |
| SHA1 | 0ed8d0d3f11893978194c503cc21f38a761def6e |
| SHA256 | 20a5ef60d3bd7f5ca7c55a245e1c52f28d2e5466c57c02c814c88a09f237a14a |
| SHA512 | 063ae0344a703be0665a4cd985de944423c79756fea8d33072584b3ac1afd7c4f2647bcb5c9ed966b74bc37f84d061472562a732a2dbb5156ccae9c420a9efbe |
C:\Users\Admin\AppData\Local\Temp\HoQE.exe
| MD5 | 4fa9b9980323cb69b8308fca3a57da3a |
| SHA1 | c372619df447342a923b9e406b703839bbb0a3d6 |
| SHA256 | a1517e9609436a255a0e31b47e527175dcaf189bc90b43875ccf0c943847395f |
| SHA512 | 9232dbc26c3a855f2e0ee83944ff181b6972c5cb6188c467290577b76d5f58875817632015d54fc6440dfbd836ee8cc7dfb43fbe1fdb4cc92432bc105bbf9546 |
memory/496-1072-0x0000000000120000-0x0000000000140000-memory.dmp
memory/2196-1073-0x0000000000400000-0x0000000000420000-memory.dmp
memory/496-1071-0x0000000000120000-0x0000000000140000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\JIoW.exe
| MD5 | ccd5bcb0018d46261a21452ed250b9eb |
| SHA1 | 17d4c1770df6da76da43269e0d379d034cc94571 |
| SHA256 | 3054ff16c603560d750e6c8e41970fe4d93f156509ab078643d3e561a3aad5a6 |
| SHA512 | e2728b14da054057b5959af7c51939559fcdaad7d83d31c43947c99b1fc46409f0a866b9ab04fabfb865252f9b4e24094182c809ccf4b3381380291d480be84e |
memory/2008-1082-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\hwYK.exe
| MD5 | b2149629a03b9fa8c3c64e19d6306741 |
| SHA1 | 9f9b59e6dc8d9cf78d024db06ae7b06b37e31d22 |
| SHA256 | 58c028557cba98707f047b81ababf63529df2e84f103e0af8b3d557792604c24 |
| SHA512 | aacab37cec413c6b590f813e16ce4809a3bddb4fb1a024e40dd8049eb8089032a5a678589d2abac7ee7b6e7364f38b30c70cf42bd40943341045dfa829c73f4a |
C:\Users\Admin\AppData\Local\Temp\UkEIUMcs.bat
| MD5 | 4b4772a6109675efda3644b209f7e7f7 |
| SHA1 | 9ff343434dadb50329997757692ec08d13eb27ec |
| SHA256 | 547055d34885a88be76e8aae8cb889f8e241790581f8cf7bb3f3477406dad683 |
| SHA512 | 326c47d61adde85e799b668dada9418ff93add5054ce41aad4c76f25336f1897531b2490c0c9dd1d46dd80fa8904dc829bab034189c311ebc24e139009a485fa |
memory/2036-1145-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2692-1144-0x0000000000120000-0x0000000000140000-memory.dmp
memory/2692-1143-0x0000000000120000-0x0000000000140000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\UIEy.exe
| MD5 | 8b6893c9ee2075b52c20bb6655a4b8e7 |
| SHA1 | 79d1f420a3be7cfc3e2050b64d16b99b67588cac |
| SHA256 | f5ad477275e70ba2f8798ba754871ef72d0b3ee6448618d1a4264ea38abc7f2f |
| SHA512 | f9e8a4b6a76a473bb278d9fd25b8eb330ca91ec8f22dc248404c09dfe75968af7edd025f121249903ad0a0c7ffd0c978584ac861c5dc289fc6ee4e62826dbdc8 |
memory/2196-1154-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\BQgo.exe
| MD5 | 746883a2df82203f69890e5add290072 |
| SHA1 | 01e1af66271e6cb8213ced1c6ea7e0687c69b927 |
| SHA256 | ce01f5d908add4ce18a67c008710259d82365251c8cb73d79b120e3430a4269e |
| SHA512 | e2d5c74848da691a5969d484d5a2c512e1b7c4118a2596eb1ce2831d22c47fb22df6e278db65a2151147d547412a8ad19d5528c0a880884eb075a8c86241afb2 |
C:\Users\Admin\AppData\Local\Temp\BggW.exe
| MD5 | d1e70fb0882fef61151fc0135d3f1705 |
| SHA1 | f689d06d41afdce9c1dd7816d763f578cb7d096a |
| SHA256 | 2f076092a949c7c3ad6dd86ddbf4211ebde0dceb66edb773604c8bca701a912f |
| SHA512 | c7ca651709e2f4f299e305ffac087de24140fa8b109f8e8fb47814c03ddd38ab718f023fbfc1816b999cc1bb32a21bb59013065bce12b1b63be27f2640f7461b |
C:\Users\Admin\AppData\Local\Temp\xYos.exe
| MD5 | 59b4f270adab74bf57cd8324d4d5f42a |
| SHA1 | 1b4c406b94f4679b5488138c68129d8352480a5a |
| SHA256 | 24fcf8465f2b2badea8e7bc193b2b135781bb7e80bd4d4ee76fe3958fe64f7e2 |
| SHA512 | 0a712688700ee0b09b76172ccb062587d2d57e88c1a32f8e9639e543cd260c16b3a1def0541a339f1450662b1fa829f6b0b132076aaac8aa8044980999804b82 |
C:\Users\Admin\AppData\Local\Temp\jCgAwQIc.bat
| MD5 | 557c0633ad078b5f6932860af859b9f2 |
| SHA1 | 057e1672dee51fd7d9cf727fd4f35425732939e6 |
| SHA256 | 81d94536ddc856d7bdf62fd5357304e3f1f8dfe138a680929350eb8b56a9f508 |
| SHA512 | 334d471facfef6eaa50a0d2273de0e173471bd3ad7b54be21fbdcb9fba6f8c7f242cac409ffab68e3f20e20288f236d17842d908e0dd25529bd037d248ecb5c2 |
C:\Users\Admin\AppData\Local\Temp\Iwcm.exe
| MD5 | af4edffcecea0f0d2ee8fda7547a35fb |
| SHA1 | 0160dd2c932ab4ce5014f6283615700eb5836d35 |
| SHA256 | 199e6418c14fff9d7c9f44a9a265cf9c4657465b9ed386b5d24d5f49461756fe |
| SHA512 | 65d86b92bcaa436190975269112f7e5fb731b588d319fe309a2b6d830b6d07a53a8d71e75d1847236ace74da9a56e0d47b16f7267e95dfd6618cc40814f57e7b |
memory/2244-1230-0x00000000000B0000-0x00000000000D0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\FEcW.exe
| MD5 | 328677fdeaa2c8a908e094bb41d3d1f3 |
| SHA1 | 6cd7fadc7f6a879dd30efde086cbd4c001116434 |
| SHA256 | f06e589d994ba74971e8f89c993811e05616e844d4f17353a59290ecb2ddffcc |
| SHA512 | 81ad56338a185f0e9c3921dc1a097a7f86b49588b8fff7bc2e799ba5056526d56a524347a9e66728aac777b32e85a0e0bc8787779fb3007deee2330dca78e50e |
memory/2244-1238-0x00000000000B0000-0x00000000000D0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IEcq.ico
| MD5 | ac4b56cc5c5e71c3bb226181418fd891 |
| SHA1 | e62149df7a7d31a7777cae68822e4d0eaba2199d |
| SHA256 | 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3 |
| SHA512 | a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998 |
memory/2036-1239-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\TAkY.exe
| MD5 | 5b2c73891ac0f7ce05da3f47aa023154 |
| SHA1 | 1914f13e29897c137f2e9b3da8b331ced967638e |
| SHA256 | c0d149f39f5b9682bfd531810e6965d7faf5c172429bf0be9267c6429a8980a2 |
| SHA512 | 93ceae4cec8e245d3748817af3169a594c765afa693db0ce4b66d5de3fa4d10afd4eee00509fd27b61add0c70ef025cb33141be27aa5a617265d415eca639a8b |
C:\Users\Admin\AppData\Local\Temp\SMAi.exe
| MD5 | 4c86ffd9bf879ce76c40d96a6f9f217a |
| SHA1 | 839891b9d8aa98e40ef58ce4d17b219c85f0c6ad |
| SHA256 | b4b5b6ea47dc63a71977d2b1c649ccf5d1ccb814c26c951d8dffc0b47896dccd |
| SHA512 | f3a18286cdd4a79ba1b693a46e406f04d75e04e11749b06a64d9d3bb199af89e50ab349252e7f662d37283ba6e34ea46997dc2a2d6f03fa42bbcb8453ebdd9c1 |
C:\Users\Admin\AppData\Local\Temp\cMkE.exe
| MD5 | 32159f0e5fa9ca33e2bd1579735578c2 |
| SHA1 | f88f539c7a281d737be1ce41adba724d88367e02 |
| SHA256 | c02f6af6cf57504d041a89bad1e56cbf5c68a136cf85a53479dd90667b5c2483 |
| SHA512 | 44511c91630b3a9a86edd54ef0d419602af7ec3a80410366270d0fb65ef739a07b4f1c58c41b0e89b86e0b8ccec3164606a61a6997396b1be457e2b239e7b2a4 |
C:\Users\Admin\AppData\Local\Temp\zMogEwEw.bat
| MD5 | 20f945c0243a868ca48259e6f6f6e979 |
| SHA1 | 08fbfc3ee7e6d802ec6182449c2046edcd8421e3 |
| SHA256 | b1b83114bfa602cc5504a8d5726aa29c3e1ebc0c56c90ef90592af700aa5f8f5 |
| SHA512 | 71b6cff0a8a3e452d47955ccb2c5b76f2abdae6c3508e6687b9be95b7cec551d5386b614d0fa44a39de254dcb9c6424b0e3272c864e56a2cc95e4516a92a2ad6 |
C:\Users\Admin\AppData\Local\Temp\MsMs.exe
| MD5 | cf1aa5b4bac780aa20cfdd9bb7a86cb4 |
| SHA1 | 98be26d60610093efa22dc0c133cc7c20bd14dd9 |
| SHA256 | 05395e9abbcaf7430e40a681a49a39678145b681c9c56c18bc1e7fd5db6d9c38 |
| SHA512 | 1efea8b52ff05e1721651f282adf76e057e39dcef2f4d6d952cf090e6325f7decbfade2538ea53a497540eafdea3f32bbf4b65d10f2db8188e8767a056f93c34 |
memory/1480-1302-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1480-1301-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\hAUo.exe
| MD5 | d209676ab0cc682ce3b022ecef190a68 |
| SHA1 | 9906acb52df2daed1da34ac0234e96dcb025735c |
| SHA256 | 3619944adbff4dfdfc67cf25308ace8dbc1091091b71ca177531a665aa530bbb |
| SHA512 | 57e4ee85dbbd03ef973c21f05e88a4ecd9d48bd3a62d9bbaab5db7037a4a6ca70c479e143394082805cdd248ddc8e676278aecdede26ac0a679475f2ac5d1338 |
C:\Users\Admin\AppData\Local\Temp\PQYC.exe
| MD5 | 83f66ea9331db03557bea508c47cc1ef |
| SHA1 | 75227cd8e33820769ac6440cc7d48a71c24b02e9 |
| SHA256 | 3de6b27c167463e681bc812d128f6f6315049eb986442a5b77089758b5056bad |
| SHA512 | ba16acdd366ea5e5724c9d355feaf7c222b4cbe55fd1dd1ac4c50797498a844b2978e76bbd751fc92fd8d377772f4e04510893ac17c32d7dda8ccf6e1cb01fff |
C:\Users\Admin\AppData\Local\Temp\gcAIAUkM.bat
| MD5 | 9a145202f0ca644d8aae147ffe2aafb5 |
| SHA1 | 288494ad98f75391fc4692e82205827f275a7a06 |
| SHA256 | 41c5032ec87699409c6daafcfd9984d9da030ccdf44ee514233562adcfb9a9eb |
| SHA512 | 82769b281f6a3632945e6f352c267981131f3e2fa5e079ab274e9cb1e560d1473c27c5e87b28ef20d97e6c233efae42930c435d80532b686bd89ba9dcd474f10 |
C:\Users\Admin\AppData\Local\Temp\kAEQ.exe
| MD5 | 27705606caf832a2cd298464469808bd |
| SHA1 | b1e98c46c61350d2560f66701c97513039c5cb13 |
| SHA256 | 0ad85446c3de1e47fcddb1c666858bf0a8a8d6f65ef6ceffada7701de1f590de |
| SHA512 | 5cfc17520f28bb540ca76d2718d78c44c630dedb86b885df8432c811f5ff024a23af100eb99f0499705b5d5242cc361681bb0b0d3da116d9f5e3a04e8107a025 |
C:\Users\Admin\AppData\Local\Temp\RYoo.exe
| MD5 | 48b2ac5a220b5623cfd5a91eb13e7b98 |
| SHA1 | b521b8d860cb3995c2d7cddef38fd6b9a41ac02d |
| SHA256 | 5e314e01e042acbb762b45e7de8789a0c7559f56c29932d11edd125d1ecdb6b4 |
| SHA512 | 099d1fcc109b6e43cadc6080d88546ee844d24735aaa2b9698a393c4258d77fe7f636fdd4b9dcd68a0fe572b1a7e0544a27c27ef1bdbcc389a41906c9316e195 |
C:\Users\Admin\AppData\Local\Temp\RcUK.exe
| MD5 | 0fde0b1df8cc30a93b6a3c56a47901b5 |
| SHA1 | 45d7e836a6041689ecf38681251ad0300de6187a |
| SHA256 | 829f33fa9be1b23c9f3ba1bf0ccb0d6f1575d9407670387dff80c8398b2243a4 |
| SHA512 | 98682ca25a59d8a97739197b852924fdd1fe26f2eb95fd03cc25c794c542672494e91225aa17f9acf202f52fe4fe6323109060474a87699eac5fcbcfc8ba316e |
C:\Users\Admin\AppData\Local\Temp\JYUYwwQA.bat
| MD5 | 074f2e275b3a855a5e413bf2a1cdfcca |
| SHA1 | c1764e622ae085de506ecaeca853581929d481f7 |
| SHA256 | a28a00dedcb4ad086379c3b539a08ef5a713d58b94fa9c1b19e3cc5700549fb3 |
| SHA512 | 8efd898d19bce321e98802f2f953e0805e72b280ae5d11e34f60fab2e2f9feaf9994ec6f5e5d9336cfbf0c603dbb4e465d9e6a94fd967811819b0233187865af |
C:\Users\Admin\AppData\Local\Temp\Ckgy.exe
| MD5 | b3a6004b33fb38e138d2a6c40a8ed7e5 |
| SHA1 | 82c252f9cff98eb0c0c2dc1a0664949413658b1c |
| SHA256 | 1d2e6f8c2447d8ba7ce063cc31db5661b64e3160e70f0a797f007df3a0274e10 |
| SHA512 | 166efd8aec85736c2080ef67f4fc90067756ca3a3d8ae3c2222fe4c0e475859880f975cfcb97356253ea85f3a0e0337e649f83a7def1ebc8d67b0aa1a3d41152 |
C:\Users\Admin\AppData\Local\Temp\nsgw.exe
| MD5 | 43adc401a5743e3fb3516ebc2e5acc56 |
| SHA1 | 424547b2a48a81d8371681cf5874addff8b95407 |
| SHA256 | 3ec0b35cc88d53c1884a5156013d3edc29fa24a83693b2e2953922e440643ed8 |
| SHA512 | 86b4bd9daee71ee89f01b7a39c1ae530da3713b29706a7757a625c58b1ecf90227d872930d7ce104b47b0b56bd09a3597b7d7070691ecb568fdf934b38ff6b3d |
C:\Users\Admin\AppData\Local\Temp\cIMG.exe
| MD5 | 104a80fd0fb0d1d0a2c94a54d0f194d2 |
| SHA1 | 1c0d198159dcf933a2b03e63a486620b6853075e |
| SHA256 | 6afaa45dd7be3eec7db24efb84ddc135b252f96835ff590b214a99660bcb50de |
| SHA512 | 6839a9e6e34b0b1152595f83890ae316d8260ce8208ba5dd8cfc5cd0c4e0ba4266f7495ce0e6532b0c7e788a77e42204c457c232c50ef5b4e0b347a9b4231567 |
C:\Users\Admin\AppData\Local\Temp\vEIW.exe
| MD5 | 1ef1dbfc860b73484e3d46622fbaae07 |
| SHA1 | b51793fe782acf3bb7f29de9c8ff44e4520d9bdf |
| SHA256 | e0d5afcc8633fa1374b53293f3094e5a218d4918c6e654cc218c5908b5fca1c7 |
| SHA512 | a32df3e8786f51b69a4606ddc227208fc6f2f31df152d1b6848f83d827ddd07dfcc75323ea8e92802c7f176d49b302aa15af0173dd7f78b12a5f8ddfa3917553 |
C:\Users\Admin\AppData\Local\Temp\FoUk.exe
| MD5 | 1a2cd116f9e713e9b3ae93630ab44657 |
| SHA1 | dd172cbf5e51cdff3296fe58a2cd033cae25fa19 |
| SHA256 | 8fc1e1b46dc957c038f630625567624a3a7533db6878257ac58a311df9d6f2a3 |
| SHA512 | 769154407632fbbfafff221cfa3e898eaf814969c868314277ac61c28cc3ff52cca625ec28d79687a01d926154cb0b5e8b1677aba9cd8e9d35521dd1853b74b0 |
C:\Users\Admin\AppData\Local\Temp\XqMUIEss.bat
| MD5 | b0bfc52301b1bd6b15ee692764afc237 |
| SHA1 | 6b1a94b89cc64439126a0ee083e51294da290202 |
| SHA256 | da20b170697dfd009bb9d4b60ef4636f201ce8bec5c9d4ce381e49ca22f9679e |
| SHA512 | 64692d20e269a6623f29b3c6211c75d7c1e2fee7ad16e7b20a5e487e80dc1a88d71168b73f0c228fee606a7fefad29f803d8f5c1a941f7e15fb5078277f5ed00 |
C:\Users\Admin\AppData\Local\Temp\hAMY.exe
| MD5 | 514eef531f7b0972b318be10fd4049cb |
| SHA1 | 7a1feff331f6ea803c22c1eb6a3452865c66c351 |
| SHA256 | ee9f1bf308cfc2c61dda6529c4775062c24fa614d6ab0bf8b43edda452075af3 |
| SHA512 | 8ba03b682c6233dd0fbac745ee21e3945f81cf96c2cfa78c8d7823642a7a80495ef08843613478ccecb33001484bb6c9a0eb86674bbff5212276f0da5b7b0e49 |
C:\Users\Admin\AppData\Local\Temp\ycQg.ico
| MD5 | f461866875e8a7fc5c0e5bcdb48c67f6 |
| SHA1 | c6831938e249f1edaa968321f00141e6d791ca56 |
| SHA256 | 0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7 |
| SHA512 | d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f |
C:\Users\Admin\AppData\Local\Temp\NEUG.exe
| MD5 | 5ee03e5d960020b8463025571c1b9869 |
| SHA1 | d1da3a72663d9ede5ba135b9ea4c1b845f9148ac |
| SHA256 | 0be56cc5ae4148ec91935ac9619e97609118d87f41d0d9c2e478daab9e8e7cb4 |
| SHA512 | b2772be262128277f39e510de9668c1de73524407518b8093a560498f278a39c428290c4d025e269ddfc265408054a11b9b33252e97c475cfe64eb9816fd8ca5 |
C:\Users\Admin\AppData\Local\Temp\YUoI.exe
| MD5 | bf2ce056a24d1052d9fdc78a09d7987d |
| SHA1 | 33725f79a421e3769e08fcc19d27d36c5d0dcf12 |
| SHA256 | 2622930db0d26d5916d1a08307d5f6ab2f52a3a58e6c64befcc72d5637404bb2 |
| SHA512 | c6d768ff6293e69d4ed89f536a30894f1798b6f80bc8e8eceb9a472366ea016201aca3a376ab809f71f9381b71d034b4be83730e1888b4033991bd981630c4b8 |
C:\Users\Admin\AppData\Local\Temp\QEoK.exe
| MD5 | 8974da46ce641304ccb515f46cc8f849 |
| SHA1 | 0c1a108c52a72774a71e0056f704057467486835 |
| SHA256 | 7f49b56eb323ed53468261725f0652d7e2c83db104acf31583067a787a0cdd10 |
| SHA512 | ebd5145b9123219eb36fed4cead81f5cd3d14f722d5f9a5efaead9839c2956f1692ffe33eb436dd5128437ecfeb73489aa1d9c89fad6446b4aac1b92afd7d6de |
C:\Users\Admin\AppData\Local\Temp\DssQ.ico
| MD5 | 5647ff3b5b2783a651f5b591c0405149 |
| SHA1 | 4af7969d82a8e97cf4e358fa791730892efe952b |
| SHA256 | 590a5b0123fdd03506ad4dd613caeffe4af69d9886e85e46cbde4557a3d2d3db |
| SHA512 | cb4fd29dcd552a1e56c5231e75576359ce3b06b0001debf69b142f5234074c18fd44be2258df79013d4ef4e62890d09522814b3144000f211606eb8a5aee8e5a |
C:\Users\Admin\Pictures\RenameSelect.gif.exe
| MD5 | 6138c78b19fb869c4edd81cac303359b |
| SHA1 | b6a9db616f1e8840b0dfa345e2e6bbd34985016a |
| SHA256 | a8dcb4bc4663ef145aa4450fd8afbcdcf27e41e185b6796d41b9084004d59dfd |
| SHA512 | e4a715a317a3a865ffaaa665316cb575ddb981419292a7440c24d2b9bed241bbd2a77485f35c662155cd6d4f56e0bb59cf2a6a45f1547dec1819283e9dc34b1b |
C:\Users\Admin\AppData\Local\Temp\qEoI.exe
| MD5 | a9bb3a393e5ec08cf61630787ab4c334 |
| SHA1 | 044d95349b9eaf215537e0443000e644cab4e0d0 |
| SHA256 | 5d939971ebc2436380765f7b6a371f18ca3cbf5ed8c0e744e5dc8e1f928df988 |
| SHA512 | fca3aceff18b4001f591d57cf99b9f266dab1315a4e109736e79e54c8d37821357fd6e0a96f2dda73c9fd3bc9b3f64d9a5095cbfa65fa412d7e962a9b1f4ce6a |
C:\Users\Admin\AppData\Local\Temp\kYkW.ico
| MD5 | 964614b7c6bd8dec1ecb413acf6395f2 |
| SHA1 | 0f57a84370ac5c45dbe132bb2f167eee2eb3ce7f |
| SHA256 | af0b1d2ebc52e65ec3f3c2f4f0c5422e6bbac40c7f561b8afe480f3eeb191405 |
| SHA512 | b660fdf67adfd09ed72e132a0b7171e2af7da2d78e81f8516adc561d8637540b290ed887db6daf8e23c5809c4b952b435a46779b91a0565a28f2de941bcff5f1 |
C:\Users\Admin\AppData\Local\Temp\zyQUQcEI.bat
| MD5 | f291de2b1d4ac3c21f28f5b8e871af8b |
| SHA1 | f9933d8450c2e9aedb7926afa96ee5256036a327 |
| SHA256 | ff80207096f54c940fb1b019ff2b957a8ebc9640eaa2073f2d7e239094f72ff9 |
| SHA512 | 4574259107f5d39c37d8075b0f56537fdd0054c9ca3ac26937b9ede42073510117e30a6d6261c51f3dc47ebf58555d0b3213a0ba60cd43af8c8daadc5180dcca |
C:\Users\Admin\AppData\Local\Temp\SQEc.exe
| MD5 | 55de5caa756ab788fd3f0121e5459e84 |
| SHA1 | 413ed81c9b784099d3b722782d683c60b14f8330 |
| SHA256 | d5e35d70f2b4558d1bfc3e00d96afd5aa7395790b959326f3399aee5620b4294 |
| SHA512 | 544fce0c53de72270c35ca847fbaf422873816864b89834cfc881edb1cf19282b87e003eeb741da008d3a33f5cd64ccb66f85ea498381d9d498ddd9d590ebabe |
C:\Users\Admin\AppData\Local\Temp\bwIe.exe
| MD5 | f543943e8ae4433fa007eb4b80d9b466 |
| SHA1 | dde4e5c9edc051d648f50c67a0cae3d5d1b8c186 |
| SHA256 | 12c8f59be66f4ef332a212a22ebff5fa090f66b7b04186606065c8131763b825 |
| SHA512 | 0441334be57ffbd166d9970d16cabc8a21c1c88c9d36d211e7c908d6d883b76cab85ad73c08df4db6888cd576b650e29b9773938eb6938aa1a59591c178a23bc |
C:\Users\Admin\AppData\Local\Temp\FAkc.exe
| MD5 | 16be6dba980159f0a2d08dfbd7c639b7 |
| SHA1 | 995e722aafdbcb03701d40638369c569cabb4d7e |
| SHA256 | 5a311c9410ea34ed896318eeef4db5674622eab5038c2f4525f896cee9868853 |
| SHA512 | 23d36bec62d82cd1dd41f81a3655c7c52b98fbdc7520b04d6cd03056472458b69370babf5e3ff3d183626a31b9e970363c7250bced707fa31e62643d2a9cb471 |
C:\Users\Admin\AppData\Local\Temp\wOgMgQoc.bat
| MD5 | b5fc7526fcd7e41dffb4b1aaa41cf68d |
| SHA1 | e65a61b59ff6b6c5763f9e1d0405ecf730ff26b7 |
| SHA256 | 0d3554ba104f55e890aa4a63c349fc9b5c1d410718a4bbf14fdac292d908975f |
| SHA512 | 0319c8e2468e3c290655c54ef0995ddfec5568f348f54a9d17f432c0ccde307037948ebbcdbec43f5b4c0df7f09c2ba63aa4acfc4a2ecbe11914489ed1822d5a |
C:\Users\Admin\AppData\Local\Temp\bEki.exe
| MD5 | 8930cacbc1d774f921658967bf23f389 |
| SHA1 | c266d621e8877e1ed34e2ce384a25ebf8d4ab942 |
| SHA256 | 9b0823dbc545c3066f24cb972b5bb76dee878b4b14682987243c650c50e5b0c0 |
| SHA512 | bfbd20593c93b03819e0350e846743dd9af435f9fce5e7ec3b0e7447c4386ef076622a425da022e3f64badddaa7183005d0983a0a7331f1318cfeaaebee74ecd |
C:\Users\Admin\AppData\Local\Temp\HYsq.exe
| MD5 | df1da2d4f4fc1811fc1ba005ab79f804 |
| SHA1 | 95c5969bc8ea2b21e00d0a543069e43377ddc285 |
| SHA256 | c02eb2c3069a78b32818210683d2cb6014783f041f905d9dfe820fe42d90f848 |
| SHA512 | d7a225f74711b4bde64bedbcdf8dc32e9f62282a277f513a6a68b5a8a1445e439736f00c85496abf3acf1863b2b74c2b51c182c72ab85157686a5737f114c4cb |
C:\Users\Admin\AppData\Local\Temp\looo.exe
| MD5 | 4f4e54c9ee6c3f9ae2b7d997d45c07e9 |
| SHA1 | 858d12c74484a6dfa61579d8b36972638e8a219e |
| SHA256 | bc3d0bbc48c4db37e531060c20b4f4cf93ebf077852118acb1bdde25ef0b8112 |
| SHA512 | 125ff693cf6903d2288dc755c3066eb38788c2865e9be05f239acad43da4ef0c4d0023cc4fd0c1937e8d3a20b634c517b9c388ee9d75001399bb17227f7e8946 |
C:\Users\Admin\AppData\Local\Temp\yOAgwwMM.bat
| MD5 | 011cec48903630e1752c409be7a12b65 |
| SHA1 | 3d549cf00b10b780638388affbc7d179942ad1d4 |
| SHA256 | c83b0d4a0f302ff3f2bd0bc83dc82fab9255d0826c108bae4d74fa7b5d6a46e3 |
| SHA512 | 72daddb22e09b11c67a9116b8f68e870dfd175cb9b0d2c8f195432c72d71e8cb1b217ba7d03fbe42c92264668ee1ed39d3eda428b8b8540a512cfae02ff50c59 |
C:\Users\Admin\AppData\Local\Temp\VoQe.exe
| MD5 | c4da48bd58dd498657125cf6f0bbce1e |
| SHA1 | 89121380ad161586b775433e6ec9d29bcd3aeca3 |
| SHA256 | 24fdbc8dfab137031f89506ef114f99cd58089ae5d98aabf3aca8e9ccf9ecc63 |
| SHA512 | 1cf2648ca9060a577a7ce72860907f3bf995e79b0a145415a7167023148f21ebc1e108a3f1eabc9398693b84cadae27161482c4d1cadc21b6d5313aeb6f5e10b |
C:\Users\Admin\AppData\Local\Temp\jEIE.exe
| MD5 | 5c133db2ddffa3aad1ff57d28b1571f7 |
| SHA1 | abda1edf25ebf24ebdfe2de8feff10d1bd6e47e5 |
| SHA256 | 8c8f1395541817c8a69b5eef6389aeaf1c0191c416490e3e4d9e8b738e922816 |
| SHA512 | 6eb08a17d828b9ba28645727ecdbb93640b20f0664c4553730fb8fbae7b958caa5bb1919c80903b04dfbba1299da319266643e24e7f1a0362b49bac521804e30 |
C:\Users\Admin\AppData\Local\Temp\tkAowUgk.bat
| MD5 | 906910b1b80bf2c20692bacb08fb4a0d |
| SHA1 | 571ab0d0c3ec30b6f1768f93fb89688575aefed7 |
| SHA256 | d2b444e2f4758ef8b8215c7803c61bd0c5cb916df81d4e5bc7ba8001b3319cf5 |
| SHA512 | 11d4166c3e0a9b2a63457bc02bedf7484edac467d584308071390753ba10467110f3e3b6818f14f48839f028793ccde6699e8ee4e0344aa3993c0dffbc64fef2 |
C:\Users\Admin\AppData\Local\Temp\sEwQ.exe
| MD5 | 41c9d3bfad3ec361f3c2d601150e4177 |
| SHA1 | f57e77a3d831a0c1ddb887a824bd2f9b3e4c1d9c |
| SHA256 | b6757aa17883248401eb08fb9666306689fd73590bc4b391b380910e8a2424b7 |
| SHA512 | 9a40ddd1ed6232144762114d7ec9851851e403f6b0d84aa208fe21b30b680a9d7c6e46f327a701585cae937d2e5e05406a03a4631e0414d83af4e26da5f5c430 |
C:\Users\Admin\AppData\Local\Temp\qwkE.exe
| MD5 | cbe918d8a0c10c08140e5fe713f0fa71 |
| SHA1 | 63398047a233f242489063ade1edde3d35410246 |
| SHA256 | 677b5512c76dbfa11237b96e6da5a7b96de5d7f9c0aa1c2e056678b434b9f7d1 |
| SHA512 | 7a4ff5956adb644b9d762e7efdd6e4606be7a915e515fa3f6e39e111dfe3c1f0c635ba0c1c8bf3640fb7b2d7e2eda1e5da6f7b4119425123efac4da6c539d5ef |
C:\Users\Admin\AppData\Local\Temp\gsEg.exe
| MD5 | d12767e506df5817526d777068b94bd3 |
| SHA1 | 433ca79b73f53e02e02f66378520a97708688021 |
| SHA256 | a18cbe4cc072e6f1ad871777ba440a6d35c3c150a4f85ec3ad993871fbecbdb2 |
| SHA512 | fb6ae03238810c565378fbc075a470036ff17dc699d759d871b622e93196eff72cb1376c19161443affc39eed85060e778459266c868768a2e5d2288e67ee649 |
C:\Users\Admin\AppData\Local\Temp\ZqQQMMAE.bat
| MD5 | 0ff1657833f910438e9ae59c08aba1bf |
| SHA1 | 16f494cbc26ae110d67af3a040ce85161089f91c |
| SHA256 | ae454fedb9731bd2f4af40bce012072a7e8083c4bb5674de7e71bb3e71c5670d |
| SHA512 | fb9375694a776651bdda6575d20a0fd30fe62289e78300311892778d8ad94576d5a2c1537284ddaffe587ba6d9289bb75fd12a0c9cfdf2c679189424dfdbd562 |
C:\Users\Admin\AppData\Local\Temp\BQIi.exe
| MD5 | 559664251deb153acd1c93be463165f2 |
| SHA1 | edffc5ac949e9b8c34c456a479446dd6f1e29041 |
| SHA256 | da18c5a533c4ace82ceb609112bc43ad64c7819b653badc2b60055822bc13e46 |
| SHA512 | 2ac2d03e2e2a330cc1299f8850629b41ccf3307d488892d89c7d7392726f8d451612ecb07c6689350930ab53eac063a254ae7bd6167949a716e2e80bd17d30e8 |
C:\Users\Admin\AppData\Local\Temp\GAwc.exe
| MD5 | 7b666cf7386d9fcf817c2fb1ae5be89a |
| SHA1 | e74e61754f35aefad4e7c53253f9246e6c037b2f |
| SHA256 | e6476813160f2570cb93919f5ff41d34398f60bb4e9d5827e74f04a5837377b4 |
| SHA512 | c92056b3fd706e659d8652c38941a3c43f0f1ad82332e9c3e0be9eb6a44d12b7dd192f77a03fe3a59ffb4e0f4419c84640b382efd252d10d347ecf78e96d77b9 |
C:\Users\Admin\AppData\Local\Temp\OEsc.exe
| MD5 | 834f6f91b6e86eb7d91ca0d3a98c2a40 |
| SHA1 | aedcb2056bfa1809c6028f4dd25be1fbd402e00c |
| SHA256 | c79cae4d901a63a7a2358917e61bb4f34684d896e8aac075f3761431f5c1d059 |
| SHA512 | 9c887169f9e80be47c50944aaecd67cb690636963d331d2a50bbeaf617a818153aff73fe7bf62862ebe0a1f17d487bb6370bac4893e5ef2a12d4d48d97c1e4ff |
C:\Users\Admin\AppData\Local\Temp\AwkQ.exe
| MD5 | c81a4820de0e4639f2dfd4ce9f80cb6e |
| SHA1 | cc4e57c8a0fcf86398458e88c30f5e85f8cee63f |
| SHA256 | 1f3d95a3bede62e55b702a779b38bf905995e583adf4a50697386890d980b0be |
| SHA512 | 14d5813084fc4985730732fdfb1990b2847557d5e33aa41d3544e7926e104f6864f3007dcd5040ba4896ecea64cd2dd768c3b63d33d7002e0b0e6e0eb35acd08 |
C:\Users\Admin\AppData\Local\Temp\wuoEcMUg.bat
| MD5 | 27024344c0d22b7e36510e5a33bef226 |
| SHA1 | 607674c0d480ca57100202bcd33cec1bfbc3d9b9 |
| SHA256 | f4ac21a4754948a40df41acf5160927c59c727cf8042e470cd51d7ba8735bfbc |
| SHA512 | d5b6976a767e981f7a54d736cc0c4452749b3fca6a5060a092e349782649d4154572b66d6771af91be8875d6cf116f8c24f6e384185f16eaaf35206fd3acff1d |
C:\Users\Admin\AppData\Local\Temp\CUsy.exe
| MD5 | 8b155eb03e9a92a01d378ee2fc9a50b9 |
| SHA1 | cd7ed84944f70265f6f0ebdbae26b85b7de9b469 |
| SHA256 | 0675668ed4eaff635ff7847469f793d53682c5afb5ff338bc240ecae97d44e51 |
| SHA512 | f198bb79be08c144536560cb54c12cf619bdf6896cff0c8af6acd02c8179fe60f142c788db2361008f2bc5fe8380ed6d643784a5a9de5e21043b48f15e73afd9 |
C:\Users\Admin\AppData\Local\Temp\qEcS.exe
| MD5 | eb6ec15c1f5b31abab9f361a871af018 |
| SHA1 | 9bbbd8e4197094178c01e59318240d33c4dcea91 |
| SHA256 | f1e2cda271ee80ad297ece65d2cff68dca5bfce5766effa373aa68c3ebe6876f |
| SHA512 | f6e119d3506e65f3a683c0e7357894ae7e6151c697e368f44d06611b81212434ab82bef35c6eaa6678dd55e5fad7f21df17a6552d399d5deea43e1cc28e21033 |
C:\Users\Admin\AppData\Local\Temp\KgsE.exe
| MD5 | 734a651b6437e9062dad4889f921c976 |
| SHA1 | c67401c70f1f8d7c447fe3452db7f932515dfa28 |
| SHA256 | f47891d39ec93fc9d7c11370674dc4388caa39306a7e2994d3a7e40ff19af3be |
| SHA512 | 2bed2e3f3077d5a612801397de9c4a3ac4bd10403707b209ee175ce4aaa16a8dd91c248b73c5473108235a5dbf51e0c102e718bbefefab2fd9ca92f7a163117a |
C:\Users\Admin\AppData\Local\Temp\UUgYkEMY.bat
| MD5 | 64091e5f933d9ef7255357aa01cd3d38 |
| SHA1 | 53491f3eb1b8b31c2dba1604ac7529dff79671f7 |
| SHA256 | e8db3e800b47b49ce1054520cbf588978305dd273b34e2562e87895b6207d2de |
| SHA512 | f00ccaaa0235e651f586f1ae3eed19d0ec5682ec65fd08ec6434da6105d3b5cddde5e1c284f03854e4e07eee4f0614125994f1c5063e5d5204935ad2a5676ac3 |
C:\Users\Admin\AppData\Local\Temp\wkQE.exe
| MD5 | 2a37ab35cf22a93254673ca37ac374d4 |
| SHA1 | 5fc4efdf156d6d88696f376b24d844ca35390123 |
| SHA256 | 52b88bcc551a5b2ebf68df15500f11daf4ca592dbe4e216e40ccca9817155053 |
| SHA512 | bb7c23ed1838619759111480f4141824a8ed494034b4fb76d0a6d131ccacfce8c083080aac3d6a06679867e9cf2511d86ebaebcb42669a722dcd11843de20917 |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile22.bmp.exe
| MD5 | a417740e7aa08ff845521266c75ca88c |
| SHA1 | 5199b442493b24977cbe4c5bfaffd839d060b401 |
| SHA256 | 1f2baf733157112419acbdc4ccc3eb0a819d0ae8b8fd437d91c7f1098da7b66c |
| SHA512 | 5a5a2d709301556f5e2647d3844c2f7da324276ef9b9a29c804678639e5b66bc5b26b2e62e52dc1318022e4005919b4ad2a1728c30b6e29214ee4b45045c8482 |
C:\Users\Admin\AppData\Local\Temp\BYoG.exe
| MD5 | 472938789b2276d1d97e7f1d6a65a79a |
| SHA1 | cdc16c282bb58558d31cc7b86747ac067695fa7f |
| SHA256 | 6a471933acf6e08474aaaa1cc6652b7eed0a8c69ed7f4bc5444d979455efc695 |
| SHA512 | b837743ebeee1d115f3be9d70daf00eaacba6fa5cc492275e54c59d9f74a264c9250937213e033415853e4709b2e7bbecd0d72cf0018def255f1df2e02bf813e |
C:\Users\Admin\AppData\Local\Temp\zcswsQsM.bat
| MD5 | 129296df25d709b812a60619fa2fa37e |
| SHA1 | e0043d12872b4c0cec681c5911a16ee0ee71aa47 |
| SHA256 | e1b3719723def585bd974fec6b07d83f1bb3b7eac1c117bceae184628887f24a |
| SHA512 | 88551bfedef7153d6a6a84eaf743b9b623274d4cdf33263c31b98494c8debc83fc6497f45c854d33c2eb634f9cc4a1b1d3b7bf29267ea211c3830597cb344c22 |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile24.bmp.exe
| MD5 | 9ec28588e8680a528e6ca343ef2fc828 |
| SHA1 | b2979f9ff03a3565487d53a91a050b76ac011255 |
| SHA256 | a48fcdf992f670bf98d37a1f04fff907240086009b34a902d0890f0ca84379f3 |
| SHA512 | 41a01ac35a81af1b6a531ac71a6cab390305ae00a54aa9be947d867f56dc18119225740eb5d166ca8fc55c447f74e82518304ed5581ada78ed4554037de446ae |
C:\Users\Admin\AppData\Local\Temp\oQsS.exe
| MD5 | 7ff8c63ad53babcc8758f175b2cb3ce8 |
| SHA1 | ed8d32e142e954000e8724cfd458b9ae1c36d313 |
| SHA256 | 7451e21a0c428addd2486c2595027881ecdf3c676bd23614cb4df9cccbf0f006 |
| SHA512 | 7c2ad14a12b84a3c90e48610fd866cfcb00bde7a1575e27d40ce4be524a2a7bd16f5e60bad2a7ac43ce334fffad776b7adf95c30757a28386450d23bc52c3c74 |
C:\Users\Admin\AppData\Local\Temp\sukAYsYo.bat
| MD5 | 9ebc600d365d85441efcd2a7b868809c |
| SHA1 | 8fa302ca5fed84440e78be93835b208c30f3e7aa |
| SHA256 | 5539f4e1cec295c3f705ee456a1beb833f8cddb9e8c9a960e70ac3c3bf03f8e2 |
| SHA512 | cc528fa8f71119c2f9baabd8783ca6f99ea59d2f14fc371794896768e29654666603326cfcd9619261097a5612b08dbcb05bc72376bc889f0f1b1942492798a2 |
C:\Users\Admin\AppData\Local\Temp\GQQM.exe
| MD5 | b5ce535123245e9c826d57610a5ddfca |
| SHA1 | 4e1af3c5600599ee64c203fa950b4b5bf2fec84c |
| SHA256 | 5de735656baf6081785d558f974fbf215e8d05f20db8836ce556c578a9556d47 |
| SHA512 | cf1029c6fccd2ae71559ba613c0406758cab81add09adae6f3206ed76edd1cea5f131e2ed11941a61ed9086c7d0374501a7b57922eb1dd47b2116a9e962b90f4 |
C:\Users\Admin\AppData\Local\Temp\oYsW.exe
| MD5 | 2a298e76a70dc36983bf94c3f267c9b7 |
| SHA1 | 2efa2536e80ae466248349eb170dc8c82b7d190a |
| SHA256 | e38f6d01bb5ebfb3adcd3995b46f0e36e53d0f1d8fa927d38ed3889ab2d18fa1 |
| SHA512 | 7797392fd1181fc7c64062fc23c69a1bcd4b652f012b762e24df065fd0c7ea33caf1ffde504a2d2f39d39b07c39a53b1277f5f76c273172d9535aca28615b5b5 |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile28.bmp.exe
| MD5 | 5336955467f078854f8c04cfedb757d6 |
| SHA1 | ba7b6fee8a47ba58011e000540b4913fecd96b60 |
| SHA256 | 396a4e9686a0b861798f5b689411332280cd6b1d4687ed17d743b83245c58064 |
| SHA512 | 226f9a7eedf3f46b96a6ad9b1befb29837c03524988ac14c6b067aebe809cd2a4545be4a5adc0d99ca40bf36458cd780243e4ab771ebabab90f686a077245815 |
C:\Users\Admin\AppData\Local\Temp\msEUEYgU.bat
| MD5 | fa0b3fb5b78b342110ca0076a2fa7088 |
| SHA1 | 3e5d05064c0ed35606d122014573ae3e7041ade9 |
| SHA256 | 39e88c174372442281073cb1e16c151250185f951363dcfb5e6b819b7bf3a1f8 |
| SHA512 | 21506c60c5f601c5653a78c6794653f2857916e05ce824273724f774103b7cb5b6cc0d00040a78d75bb18cd5cf3030b0824e856b1a36cf483f4aa9a8cb4ad9ef |
C:\Users\Admin\AppData\Local\Temp\WcAQ.exe
| MD5 | 0b3dde884a09428b7fecc307a4abff19 |
| SHA1 | 10a094d86ceb22c6e8a33b09cb5f61fdc4503f76 |
| SHA256 | d0095d8d4d0867f8a76903ef86a2dd4a73f21bd51af9edac0c3d8b7ed3d8faee |
| SHA512 | 4fa33520319b92f1085da0f04c9050a7ded33e86b7f695e90a999f6e7d2a017d8db4f8fdac9290e732c87ecf8ed5f9eaf98ba2a7f1e8c29a401d3f8f26596170 |
C:\Users\Admin\AppData\Local\Temp\pIQO.exe
| MD5 | 9fe05208a859cbbe0e75eef770e1f244 |
| SHA1 | d433107e497255dc87fbcf3432c0088d4f28b8a3 |
| SHA256 | d9023f388cb456a9bc96b344ffe4ba954c7406477ea959ea7fed9563937dd6d5 |
| SHA512 | 3a4ec88b412da175c8d45981448f2130b96f54fcb8a468b5f27ae08bb24dd4757634c71448bde007a855f1db2bf641d993baf7e3876a7a6412ae195f9933e97b |
C:\Users\Admin\AppData\Local\Temp\DMgK.exe
| MD5 | 5d119f9931b55a865121d81f06d60ab5 |
| SHA1 | 09431eb98269f03d55bfa2b480c86fba4e94bd2e |
| SHA256 | 57ed6697866c2d836beefed98528fb6266ec5b638c729ccc10e31977719647fb |
| SHA512 | 1365a916b596dd8155dd38aff7a32d47468a64dd7f54d7cd38d933d36dd5e0a77b59feb14b0e1c663d883a2bad527d404ccee6e161f5cc7b158856425e3abc35 |
C:\Users\Admin\AppData\Local\Temp\zMQMcMIQ.bat
| MD5 | 75169cbe05bbbe328deb5a6bda2bead7 |
| SHA1 | b3e5c8a6cadeab7d005e3c4ff103296a448ee039 |
| SHA256 | 228e5aac98f144a83a22cbacb344025e4d83ff7060959552649e64af82f5f86f |
| SHA512 | bc4c4d6ac94004d8e33f390b18e50ef262ad9d7059e5fd65ad3d9583514a0d0c265d06b2fb9ee196aa2bdddf85955ef523c74e02a2fe2d54bd4ad39138340f5f |
C:\Users\Admin\AppData\Local\Temp\EYsg.exe
| MD5 | 8ea4356a72bb6c364815df20fbfdcaff |
| SHA1 | 53d490d79504dc4685e9bb81dbeace8c3c5bdb52 |
| SHA256 | 6c5b676fc647b9233bae817428fecf75b03352b238cbaaae07a04c7090ceacc8 |
| SHA512 | 7d008a292da0ac606ef43cdcaaa97aaddf005575d83375a6104938d1f33e95609e34f6bbe28bb100854f9d7fbd24d3651586bc89a3500a481219153355f52dc7 |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile33.bmp.exe
| MD5 | ce2d82d3832ed23b4e199c955f770cc0 |
| SHA1 | cff03eef08f6717537a41a92e46968279eb60c83 |
| SHA256 | 3cffeef5221c0e5142f9cd20c9e97d2afd6babf748d914e8026a672775e851f8 |
| SHA512 | ed414b516757af4bd136899db0d725ef08b02b0b51c9c92349993fd0b1ead927c240a4a2189353c645e5b7c61b3c0ac8659247357b57e90a733c86d8eee7aaca |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile34.bmp.exe
| MD5 | 677bc379a5592f28817be777768def20 |
| SHA1 | e21454c791738b9c8967ed8c1f6badd6816fb834 |
| SHA256 | 450722732ada1f265078e46ab410281d2f75cf3fedac10b42cac76d3217dd64b |
| SHA512 | b4e8ae98d6143e3272a66f710b0be16fbb4aa95229556306a463e2bb27fe0712bf0e171325999436a3394a3dd31c5cfc97381f2d23517f2f20a78942260cb1e2 |
C:\Users\Admin\AppData\Local\Temp\rYkYYsMA.bat
| MD5 | 3dc538d0107baaaae8d2d26816d83111 |
| SHA1 | db19183d21f693db6a58177a3e83bbe1188defc9 |
| SHA256 | d6d8d7f7c7c4450487b1b88a43250d7b33c4005ec2ce101db4324b824f9c6369 |
| SHA512 | 6ad6f10213e975f7b04222dac544c4879f0e5a5ad53cf6cda735e740c04b9183898bd02b71361fce1eca40075aca589b1001cc9f27d7521308c7fc3c67d58c39 |
C:\Users\Admin\AppData\Local\Temp\Tccg.exe
| MD5 | 06141c6ddbfea64b6ae791c7698be65b |
| SHA1 | 8fe3a3cc9dce5a63ea3abf5b537e59be16ae5b5e |
| SHA256 | 280a9a60ee88ee6dd80f3ff561ebd38b2f960f9a53dd908527c4e79e68c82fa4 |
| SHA512 | 465a10cec2977a813c702d3b6c495b1ae3338d917a17a95dc998d87ec9704345ed70e5056bb97005ac01680b3bc40778bc8810e2676013741db1b317b2973809 |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile36.bmp.exe
| MD5 | 77b6c256d2d05f2ee19ddec4113e81b7 |
| SHA1 | 2dd2f3a4ff75273bef8c60ad9e62ba58d5acc81e |
| SHA256 | c5c9476fc5da76204389ae102036ae206c0784c107fdf01916c8e16ba2aca5a4 |
| SHA512 | 09952259b0ab3d5269202886f262830513badaa252c8ed740928971adf67d79b4dac904c28027910051cf79fec54422f2957a1954d5302f9373a1dbde89f2887 |
C:\Users\Admin\AppData\Local\Temp\PYQq.exe
| MD5 | 256a04eb02afc41c4e42e20d85524dde |
| SHA1 | afca85ff7a9c4a694288073c7e4e839c2a3b59a9 |
| SHA256 | d264f7fee137c37928d9543b6c42c37d71d701d6c30272f90a5a33ef3892a4b8 |
| SHA512 | 3fbeb566950e08ee60b794d60f13e4a2d881951e0247f27e0e16f9fc12652cdf92a93af3acb506587bf49536229e13f45c18dd50f240a0976417ead889786ecc |
C:\Users\Admin\AppData\Local\Temp\KUQIsYkE.bat
| MD5 | def2a0711a817a736183b6fcec91a3ee |
| SHA1 | 58834cc24a18fabcbe7efa6b74e41a729a8f2b45 |
| SHA256 | 28dda8c7d7b97754d3c7f8eef0c44c9823910b2566d2c5a1f01c933187dc0495 |
| SHA512 | 32c42d64eef168f8ead738325a6410e587ae23997375b03aab9ab4ac0fef76f203eebc572f068759980af38fed9d3494e8d050518fa51deaee4fada6bc31075e |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile38.bmp.exe
| MD5 | abe57cfef418a6c80757ba7a563d3d98 |
| SHA1 | a7ddc71b0893066707649e26789c85e727826e24 |
| SHA256 | 068f03f7e3ad0dbbd1b52a90be3b2cec94529799398e7012f4e66e64978035a5 |
| SHA512 | af1a837dcc076b7098b1fd3994d9b924884c20c95a7fdd85e629272da6d1d02a46eacc16517a1a7b54ffcfdabce2932ec9b55ff9124810d8721c3f4177dc449e |
C:\Users\Admin\AppData\Local\Temp\NgsC.exe
| MD5 | 497583a89f3e7d204fa1d29821f5d58c |
| SHA1 | 3f09ac340e065ad8c11741f00d670375589aa100 |
| SHA256 | a2b2784d3f376c6a7b9d41d16bc9ec4606cc1e935b77878cf265dc696075371a |
| SHA512 | a06d55af24a1fcb753f80ea19a380606ed4fec82cfe1b7d19b11b6a8045c5575858ab80e14cdf045fe76d4f38969a8c350a0ed70fd67229a70c3f5aab8b86fab |
C:\Users\Admin\AppData\Local\Temp\mcgQ.exe
| MD5 | ff64e0ae87ca287dd81393ddcab3125e |
| SHA1 | 9ab35e40af47bc50003609875b001e6ae6939f29 |
| SHA256 | be19eafa702c19587a7bbec64b2cf38817e75f6127327846644ebbdae29d0897 |
| SHA512 | 36648f9f11f94dff172e445cadd0973c59b6e27ce24fb13bfa62594a8c394ac76212cb98e4a3d4a0aa22041c0448e3ad079f6bb31984eaab029b637e94bf8858 |
C:\Users\Admin\AppData\Local\Temp\WgUa.exe
| MD5 | feab7ec28f64c57df18f76ff403a9155 |
| SHA1 | 752080bb5442f7c116871b82bae61c1dd3f2f0ba |
| SHA256 | d05359e5d83de95b408101427a5b993c3d30d8320c29ca08f1ee15a2b0e68e60 |
| SHA512 | be57bab647f7c95fb3351b74b95899816c5609e1438609c25be2575a0687a31567472c569a74f8fea1fb5c4aa8c2025fac6ed3d5ffee8d89bd1743c5e7949819 |
C:\Users\Admin\AppData\Local\Temp\rsEMoMwI.bat
| MD5 | 72ff2e443b895a62bd0c9316d22ce6d4 |
| SHA1 | 2fbf3eb319688960eaf53ccecaf112e58ee41c85 |
| SHA256 | 0430fd6bf099dde24fd4bc91f27debfcf0ab38acce09da75074ac626379b518e |
| SHA512 | a7ce5f4eb48cdd68330e2929eb9ebba2fc9e0156111aeb29ea7ac1a688536d9a22e08ad250a912720f3fc8d42068a48603685f50b9c5627da20091f5822585fc |
C:\Users\Admin\AppData\Local\Temp\IwAy.exe
| MD5 | ce4fb513c614e9f62a572f7e626a10ed |
| SHA1 | 9772619872c645453b8ae9194081e3846e2c64b3 |
| SHA256 | 298a5b5c5f4e8a47e90732ffb5b6044ec780d466d89314e03f5474c5fb293909 |
| SHA512 | c9d64a6b3d7bb03eae0a4a14f88b03816c8b1513045891e8e2158583b6f5e1ec4dd1f97b5dc4daf36ea662f67ddd2f38724f19260af0c13ee87307ee624dd85c |
C:\Users\Admin\AppData\Local\Temp\HwYY.exe
| MD5 | 256212d1c101702d944f6934fa4b5e88 |
| SHA1 | 2f5ca5879854ab2b71eca0e21eeb56ab2d57647e |
| SHA256 | a61abebc6bdb7bca98dc9fd88ae7da39638c80589af18510120ec6be0180a1bd |
| SHA512 | 9511872bab21972ec16085028b225c2f2c6d927cc3644f256f9c96ad0a4b1ffc2b3ab0b5f5e9cbf5afb0c6c7e487fb829b5b369677b64c6feabe3f9a64e754c7 |
C:\Users\Admin\AppData\Local\Temp\mgEq.exe
| MD5 | c91ba865c5524d39372a78b04aac3fa4 |
| SHA1 | 9441e30fc9b8c0f60d6de8e8cbde801247c02be9 |
| SHA256 | 279b45e2fbe5afd466bada1fc7edf834c57ce43906cd91ae98ff9763edfe61a7 |
| SHA512 | 0bb1a4fcb7058c2d9d1920b8a3f230f9a3f82ca9acbce65740fd92804315d29b54422d63d8f2001835fed9ba6ffa73550f838d1612c068930a5dba2b384bf56e |
C:\Users\Admin\AppData\Local\Temp\SSgoEUcI.bat
| MD5 | 7194f4001fa26c34029ce3e3d86532b5 |
| SHA1 | d4e1981c96068a9b9e5f831478291f4f0784c71d |
| SHA256 | f05a8934348903942e3393025eb9a3ee5e8ccea2c8f58575731482311059a1e1 |
| SHA512 | a81ad8cfe46a0061d9809b29ec54c9518b5aeae5103f08f7d7ac0ee1f4d7f2a30fa7c8e4f49c6b69d917a7040c3521bbefa877262c0b064fe48c8b20f6c505e6 |
C:\Users\Admin\AppData\Local\Temp\jKgAkwIk.bat
| MD5 | fa18280255309c8b77e919ec2f951f2b |
| SHA1 | a86e8649da4f60a00872d465a6f32e92ae3d07c7 |
| SHA256 | cd1ab41e85e92d4b3c766a81988e938f3b078a5121f7f69904ec99feca03efbf |
| SHA512 | a06fcff10b841d96e8e963bae268e4247b23c455b077919bcee3300ad2e289c6a2e19711c949b29d05b526c9299552d6dfb91ddc8f017aab505d231a50231fb0 |
C:\Users\Admin\AppData\Local\Temp\DoQc.ico
| MD5 | 6edd371bd7a23ec01c6a00d53f8723d1 |
| SHA1 | 7b649ce267a19686d2d07a6c3ee2ca852a549ee6 |
| SHA256 | 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7 |
| SHA512 | 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8 |
C:\Users\Admin\AppData\Local\Temp\VIYq.exe
| MD5 | 976f8f31c5bc3b3214bfcecf42908e15 |
| SHA1 | bbdf0bb41793642973c893d42addbec4d597809e |
| SHA256 | f9a9c44e036e0e8791dbae129522c521a2ae8539a08799dbe8b8f1f4912c40ba |
| SHA512 | 0d247f877c04f7961c767709aba4ae5d54a064c4ae41d8423acb3f837be255c3caac0ff0ea7b5871c017ae82ab0e9e1fba112c8110899741212d5f1e346bcb7e |
C:\Users\Admin\AppData\Local\Temp\qAMI.exe
| MD5 | beabcae923b2a3e7dd5821ec687f1253 |
| SHA1 | 301607a23d578b8f59f434daa610148270873054 |
| SHA256 | 680bf058f5bfd787be6e7103fcb4656e344d27f9194f0540513e6ecedde20d06 |
| SHA512 | cff4e0d521942f0efcb5b9aeb173359356d03357456268e9ba5788183f0d23db5c6049d2831a39abf81c14239426bf60ab2800b5f795521da9b20ce1074d7407 |
C:\Users\Admin\AppData\Local\Temp\QiskIMoo.bat
| MD5 | a6f6c0ea8b3a4f5560d4097c6664bea6 |
| SHA1 | 7846cdd61ba79b401e821cc40758fb06af489ce0 |
| SHA256 | 049760814019a01b7c046e32d99c90ad18ae76174ba00c12c99c0bb86f86ff24 |
| SHA512 | c6fca9538d3908a11f9fea66598fb2d84e9a2d989aae9af8892a601d17f741dc4c3e31cd3e6174723132c7ca8e47e75680438951108f772e717d095e1aa541c5 |
C:\Users\Admin\AppData\Local\Temp\YYwq.exe
| MD5 | ae5b34b6d83ac824458ec5e139d2db2d |
| SHA1 | d108efe7fa413e53bf3ae1f4cb557a95485a7419 |
| SHA256 | 1f33dc3e05d82ee6e23539597db7fd8f2dac76185cacf0b0be4f16a5b7299ad3 |
| SHA512 | 729902bc47239fb3a85c8c938c759ae327696b2abcf404c5642ea94dbf02b05d57e272de991e6c13fba654ff318da9d8154c1614a3ee01dbcacb15d011ef77c4 |
C:\Users\Admin\AppData\Local\Temp\Jgss.exe
| MD5 | 75e45381b8cdddc6c37609591530baa7 |
| SHA1 | f93cf52b618b97226d17581de9eb352eab2ff650 |
| SHA256 | da7bf1e3c901a2aa09c116c60aa9da4d178d214c3047b08d158d3b55198186c5 |
| SHA512 | 9539210e044394e04e23df25b2438efbedbc68ea4ab4f4703b55e92f9a8f00e5111730497755e65b5327bff82d1edb543682f7e8218a5208ee1fcd946db22624 |
C:\Users\Admin\AppData\Local\Temp\eIck.exe
| MD5 | e61f0b8cdff50816ed565599de97c85e |
| SHA1 | bfc5101e98c7568b43ad15b35dba11f2a65c2e8a |
| SHA256 | 7848a1b1a5dba9664abbb30a77ff0c9e888e4d2ec6edbf09466fed65d8d077bf |
| SHA512 | 842bd0922e77a88192dc33b2b73d50d2eca46dfbb66f97260a4bab07ff8e5cff13a9f9506f3fe15bc5ad4426c318b5b3583e418fa17659d1363c44494d597e9c |
C:\Users\Admin\AppData\Local\Temp\MYow.exe
| MD5 | 9b045ad6a4577e8a70d36943db498b1c |
| SHA1 | 96533fdb087909a9833337479c077c1101db5da8 |
| SHA256 | 1d0b73a532b4ac332ef1d3ad6bdb9fb86e06d89dc380b13fd4e5be29005381e1 |
| SHA512 | a5fa8edf38c8913c89468d493651ac95d3696588464abddae882dfa95af1f9be0001431d278d8e90b7deb19dd7d71c7944d038f7a8fce4ebee22e69f1ab23873 |
C:\Users\Admin\AppData\Local\Temp\sQUy.exe
| MD5 | adab404eddc68b3dfc77dbf735852d18 |
| SHA1 | 534c48ff9e2402774ce1e4c1a694b6f23ac359b3 |
| SHA256 | cba671a6c952281ea5e9c789aad0ede866f65bff85aa65fda34c1c958a80ef3e |
| SHA512 | ec4f415ee3f4f77b05c1a753216ac477d93e777362e8a1b3025a33e348feb173555260a4e0db3f088dd587f2abb8b913eb5718569ebc3edfb062d68fdb1ddaee |
C:\Users\Admin\AppData\Local\Temp\LYIi.exe
| MD5 | e2d8d1ba75e366a1ec2ded73b62987de |
| SHA1 | a29ec7d2e7568897284d73eafda2a495c41ae605 |
| SHA256 | 753e1d22c2be89f3007d5e0dad659e2ba5e93fda07d0e8b048cd9dbdca994ef7 |
| SHA512 | 2d2fd3241db7e5849bfb9a75d461fda268f8fe7bc384fe532355e5779e57987d337485f618f06c19448a4dbf7b0522762b57d0ab2d9b4b2fd7f11b64be2ef39a |
C:\Users\Admin\AppData\Local\Temp\Lcsi.exe
| MD5 | aa18300887748d2aa7a2bb8c8f3a4cf8 |
| SHA1 | 44a830983823a31f4fe361060162ed543957d772 |
| SHA256 | d63d938340859e55f1b09b42e0fd595812b6169db8329def112955ae656096a5 |
| SHA512 | d107310749e474fdcada403af945ce6dbfb4198e472f6168237aa7dd73d7e3ea30594b8b177bac86fbafc307034b0dca655417401811a47837d0f014d7c44700 |
C:\Users\Admin\AppData\Local\Temp\qAkQ.exe
| MD5 | 855a534e2387205d762d59d46161432a |
| SHA1 | 6a907e5f52b2b7af57e5ada17772b2101f578757 |
| SHA256 | 0ded4febe7607f560dccdb7d3dc19ba058863359b94f7b9abe91d0f85d4a1905 |
| SHA512 | aed5450015fd0bbdfec72bc0484d53aae91d5597ce5a8fc9e9d0a07239ec70ee02cac98726956465886e25ce549c12b925f1c3b9bf7e452e2748255b60996bb5 |
C:\Users\Admin\AppData\Local\Temp\WMAc.exe
| MD5 | 35e478ab51830d6f2644f02cf98918a6 |
| SHA1 | 95cc8bb307b1752d6f2a7f0b60f4690bc1512893 |
| SHA256 | 3ca996678f2c669b7a5e8ccf35a65babbdd583b3c5f438df09bc23c7fd6ddfd5 |
| SHA512 | d980b1c2ba6ff77ec46587ee42354149008bdb637ef6fa5226daa3f5c236f90b2d8bf8001d6387cbbba5eb99919e72e730410fdd0d906c92ddbdc3715fd0fb8c |
C:\Users\Admin\AppData\Local\Temp\GqAoYUkc.bat
| MD5 | d45cb05d6ba3e4f0c266b8cd1c7bc004 |
| SHA1 | 9b3906ce22e43d48ee49d77e5f048080ac2dc028 |
| SHA256 | 877adf24c362e707cdb02ef9d8f9c56e2ca3b47bbf2a9205fd7a3e326bfb8155 |
| SHA512 | b63abef9cdeeceede78cac47a02fde9726dc52a54da72632adb99fa97b4bd0837c22e6b0db8932cd0bd29982ac64a9e1a5ab6bec863df88f217a1c1beea2c0de |
C:\Users\Admin\AppData\Local\Temp\HAYkYEYo.bat
| MD5 | 1d7c709f2cc3b737ce5a5c354a4bc40d |
| SHA1 | 9b24ac86f21f4403ff6a8f40c973fc736a2cb98d |
| SHA256 | e4cd7873fa6df8e46aa187317cb858f0cdc460c2e3329b4347f35d72cea091a0 |
| SHA512 | 5a192c117db1ddd7cdb9a24af12e8260098e7760e1f2bb0ba32866369450b5227213f530ee281cf4f9699b29c2352e86c4e6e09a6d0a5097c263a6fe41318f0e |
C:\Users\Admin\AppData\Local\Temp\nWsYUcko.bat
| MD5 | 469c4e9d11f04fbb25be3436f6ed6b28 |
| SHA1 | 68a32a4f8b5cd0f42d47e62947630120e6cca804 |
| SHA256 | d2d6cd352e9b3c444e355cf9d6d55c9fe5dda74939bb1d96dbd057e54468eda1 |
| SHA512 | e7b58d5475fb8b2cad6cbcc6fe2c846a8194da94a1a571824292f96a520d087c2f7472be9e399cefdc1bb21dcfef4ab603f4a1d2cdaf7e9dd1478aa6cb903f88 |
C:\Users\Admin\AppData\Local\Temp\KUMQgwMI.bat
| MD5 | 063904fcc24dbd3e0ff576f9a91d5cfe |
| SHA1 | 189d735feb2e9a8079f5cc1351982c2278dddac1 |
| SHA256 | 5d24d6df589df4530310e3b3fb42449306e2d3c5c925898db8437fc4f494eb06 |
| SHA512 | 49ef2ea9391000a862fd3b6d19f89fd8b5bac366abb2c7d2460703b8e09acf9debfe9f8c9aefacd7d6dbc55b1332a30b0ca62c35de77264bb1b87d630dfe6839 |
C:\Users\Admin\AppData\Local\Temp\zeQkMUIw.bat
| MD5 | 250128426b4ea7ce4f57959abbc5a3d6 |
| SHA1 | bba790ba55f7428506748fbcecfff225d947bfa3 |
| SHA256 | 06cb0e703a943dcca24567e0668c6399b01e96ee52979be14cca4fd72ab75072 |
| SHA512 | bee1936a377626a72cc4e41f720870d64bb4ad0f75eba8bd05550d57b3ad9ce42c7cb1dc391b659070d880e6a36a47c4b8e4ded831949bbaaf2231f6ddc6e495 |
C:\Users\Admin\AppData\Local\Temp\zqMokIEY.bat
| MD5 | 91cb107bbb879ed60cac9e8a2d537a59 |
| SHA1 | 84aa9d440fbda2b070f8726d2d31a44ac4f03990 |
| SHA256 | 56d28599caed8b4ecc5a497db8545362d3200760473657b28d43ce8604ef9502 |
| SHA512 | 8a7a588adbb047f6e312bf14eca5f2eebb5f6ed16ae32e995cca11f19045b3b9eca8422c3a366acbe38e120333732b2a2b6eea85c2212ae63dd685a96c9ec192 |
C:\Users\Admin\AppData\Local\Temp\DAksgYwQ.bat
| MD5 | 5739efefd7e4d1d2f830dbc40cf7072e |
| SHA1 | dc3120fbbf7b487048204df8ee2b6ae72835fdad |
| SHA256 | e3085bd6dfbcebf576ceb05b52da531191d7d887d1b324bca0550e810b85ce25 |
| SHA512 | 8abf9d1149dd400eee3a60f5b13f98431ba70d43b43d1076736038cb089623ddab084c516a984175390b17e69aca0d093603ccfe58afbbf5d4dc1968ad37e189 |
C:\Users\Admin\AppData\Local\Temp\VUscYUgs.bat
| MD5 | 2203b8958681d54f7d96764b8406959a |
| SHA1 | 82611dc2beb5d7c8d446c896bc9e46089186dd24 |
| SHA256 | 359d20d4c38aabe2dafd29c98aacb6fd588ad2420a09a6573ca55bd6ab2cc053 |
| SHA512 | 5ff23b3593a10ac6da9f5a659160367e6778418b0995f043c9dfe708f27c0a50c813b1e4b5cadf2b501d52ae97dc37932f5b7f044c55912a5a1f113e2cb4dfbb |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-26 04:33
Reported
2024-10-26 04:35
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
149s
Command Line
Signatures
Modifies visibility of file extensions in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
Renames multiple (78) files with added filename extension
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\ProgramData\wAMUwYYE\YaEkQMMc.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\uYUEQgAc\PAsIAQAo.exe | N/A |
| N/A | N/A | C:\ProgramData\wAMUwYYE\YaEkQMMc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PAsIAQAo.exe = "C:\\Users\\Admin\\uYUEQgAc\\PAsIAQAo.exe" | C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\YaEkQMMc.exe = "C:\\ProgramData\\wAMUwYYE\\YaEkQMMc.exe" | C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\YaEkQMMc.exe = "C:\\ProgramData\\wAMUwYYE\\YaEkQMMc.exe" | C:\ProgramData\wAMUwYYE\YaEkQMMc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PAsIAQAo.exe = "C:\\Users\\Admin\\uYUEQgAc\\PAsIAQAo.exe" | C:\Users\Admin\uYUEQgAc\PAsIAQAo.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\shell32.dll.exe | C:\ProgramData\wAMUwYYE\YaEkQMMc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\shell32.dll.exe | C:\ProgramData\wAMUwYYE\YaEkQMMc.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\wAMUwYYE\YaEkQMMc.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe"
C:\Users\Admin\uYUEQgAc\PAsIAQAo.exe
"C:\Users\Admin\uYUEQgAc\PAsIAQAo.exe"
C:\ProgramData\wAMUwYYE\YaEkQMMc.exe
"C:\ProgramData\wAMUwYYE\YaEkQMMc.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UaQQQgAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iekgYEgE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YWkYcsoA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FYQUUogA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fCckIIoA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lwEwMwgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KIQkMggI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eAEAAwgo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KQIUMgYs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KUsIYgYY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HYQMEEIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZgcAcYko.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\daMYkcsA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\foUgcMkY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\reswUgEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EasUAQkQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OMMEQogA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UqoAgwMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CIMogIQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JwYAkMEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zaQUwMck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bUMgUkYg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qUgYMfxI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Omkckcws.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\icYgowYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kWwMAkUg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dmsIIQEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JmMoosAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VKIUEAUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JCQUIUgY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WYQwMYkY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UeAQoEMs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yoEsEUQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BYMQEEIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FEQgEIIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VwIIgEok.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WYcosgAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mUIskkIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EKUEQgEU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oOkEUIUg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rqgEoMYg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PqckcwQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dWMEYcAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wWoYEMAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kWgckAcg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AiEQkEgw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SaAcIokU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZYMgEoME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HEwYgAAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fKosYIkc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VMAsAkYg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uMYYEUwI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ImwAkQMU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cOMgYQUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hWAcQMAU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TsogwwwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nEEQEEQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QeIsEkwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sisoUYAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aIIwUcgo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qIQUEogo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FOkYQQYI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nocwMgIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lOwccQEQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NsIAwQIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qioMIUIk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CikMsUAU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QkEgIsQo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DcUEwkYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fqIgoMgk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BQEIkMMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xQIcAcko.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\okQocssE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SqsksAEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MCgwsgAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TMYsMwIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BEYEgEkU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lcYwkUgc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UScIMgcE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wwEQUEkU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yisoMcgc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\moYccYwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\noEIwAUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nAckQUIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\peQEEocg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WkgAAIEU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mywQckko.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yowgQscI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IEUcMEQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vaYYIcIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rgcwIoEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QgoMEUcc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iYwIcQoU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gIQwUIgM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uGIsUYIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JmscskYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VoEwEwQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv w/dw4gP4ek+KVnSmyEBulQ.0.2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| BO | 200.87.164.69:9999 | tcp | |
| BO | 200.87.164.69:9999 | tcp | |
| US | 8.8.8.8:53 | google.com | udp |
| GB | 172.217.16.238:80 | google.com | tcp |
| GB | 172.217.16.238:80 | google.com | tcp |
| US | 8.8.8.8:53 | 238.16.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| BO | 200.119.204.12:9999 | tcp | |
| BO | 200.119.204.12:9999 | tcp | |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| BO | 190.186.45.170:9999 | tcp | |
| BO | 190.186.45.170:9999 | tcp | |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | udp |
Files
memory/4784-0-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\uYUEQgAc\PAsIAQAo.exe
| MD5 | d1e27390b430575333fa65bb0ec7aadf |
| SHA1 | 0cd4cde212b6e14b6fca8fc3733f70de6e3a8aeb |
| SHA256 | a71862643c9b45bef0c04b7601ed209d15dd6a7c4540bac358537af83d342e9e |
| SHA512 | f788b04eed0be9051d26f13dcdfbc82c0f154d25c8d69bd1505fe9eb60ae1ef9b9d7bae60230d2f77c48c648aa309bc0c3033525e98e4c70999d9ba48738d673 |
memory/4480-5-0x0000000000400000-0x000000000041D000-memory.dmp
C:\ProgramData\wAMUwYYE\YaEkQMMc.exe
| MD5 | 8ecd6603c0a68e63bde10bc2e45a9293 |
| SHA1 | f8259d32194b7fff92d24c630df6258cdfd0e5df |
| SHA256 | 8c4efa6c179f987de3ece6caf905fa097a2e43e69e2e97013e05c6e2c7c9d606 |
| SHA512 | 853ce89d1340a1fdde2d313f2c913f1045719483c26022fe5cd77472a79fb4c98a21e24c83d035223e6ac9452cd2fcafe78899764ca650c617f8bcb9749f8c13 |
memory/4248-15-0x0000000000400000-0x000000000041D000-memory.dmp
memory/4784-19-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\UaQQQgAE.bat
| MD5 | bae1095f340720d965898063fede1273 |
| SHA1 | 455d8a81818a7e82b1490c949b32fa7ff98d5210 |
| SHA256 | ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a |
| SHA512 | 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024 |
C:\Users\Admin\AppData\Local\Temp\file.vbs
| MD5 | 4afb5c4527091738faf9cd4addf9d34e |
| SHA1 | 170ba9d866894c1b109b62649b1893eb90350459 |
| SHA256 | 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc |
| SHA512 | 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5 |
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
| MD5 | d7ee4543371744836d520e0ce24a9ee6 |
| SHA1 | a6cda6aac3e480b269b9da2bd616bdb4d6fa87f0 |
| SHA256 | 98817a572430813ca4ca2787dab20573f7864c5168ac6912f34d14b49e7bd7c9 |
| SHA512 | e15b6a50d9d498918a81488bf8d60860027f9a38f4d87e239f1c6e9d20fe4938e75861dad35c69e4087370c18b2cd5b482ab6ca694dfe205d053f1d303d17808 |
memory/2688-30-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2368-41-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1324-52-0x0000000000400000-0x0000000000420000-memory.dmp
memory/4956-63-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2464-64-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2464-75-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1256-83-0x0000000000400000-0x0000000000420000-memory.dmp
memory/4904-87-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1256-98-0x0000000000400000-0x0000000000420000-memory.dmp
memory/4860-109-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1656-120-0x0000000000400000-0x0000000000420000-memory.dmp
memory/4352-131-0x0000000000400000-0x0000000000420000-memory.dmp
memory/4596-139-0x0000000000400000-0x0000000000420000-memory.dmp
memory/764-143-0x0000000000400000-0x0000000000420000-memory.dmp
memory/4596-154-0x0000000000400000-0x0000000000420000-memory.dmp
memory/4924-165-0x0000000000400000-0x0000000000420000-memory.dmp
memory/4920-176-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1812-187-0x0000000000400000-0x0000000000420000-memory.dmp
memory/3604-198-0x0000000000400000-0x0000000000420000-memory.dmp
memory/3428-206-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1248-217-0x0000000000400000-0x0000000000420000-memory.dmp
memory/888-228-0x0000000000400000-0x0000000000420000-memory.dmp
memory/4540-239-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2596-249-0x0000000000400000-0x0000000000420000-memory.dmp
memory/4920-257-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2004-265-0x0000000000400000-0x0000000000420000-memory.dmp
memory/3500-273-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1816-281-0x0000000000400000-0x0000000000420000-memory.dmp
memory/3552-282-0x0000000000400000-0x0000000000420000-memory.dmp
memory/3552-290-0x0000000000400000-0x0000000000420000-memory.dmp
memory/4812-298-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1512-306-0x0000000000400000-0x0000000000420000-memory.dmp
memory/4520-314-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2292-322-0x0000000000400000-0x0000000000420000-memory.dmp
memory/380-330-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1536-338-0x0000000000400000-0x0000000000420000-memory.dmp
memory/4996-346-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2692-354-0x0000000000400000-0x0000000000420000-memory.dmp
memory/3896-356-0x0000000000400000-0x0000000000420000-memory.dmp
memory/3896-363-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2216-364-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2216-372-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1684-380-0x0000000000400000-0x0000000000420000-memory.dmp
memory/4012-388-0x0000000000400000-0x0000000000420000-memory.dmp
memory/3944-396-0x0000000000400000-0x0000000000420000-memory.dmp
memory/4216-404-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2868-412-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2024-420-0x0000000000400000-0x0000000000420000-memory.dmp
memory/3532-425-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1948-429-0x0000000000400000-0x0000000000420000-memory.dmp
memory/3532-437-0x0000000000400000-0x0000000000420000-memory.dmp
memory/3368-445-0x0000000000400000-0x0000000000420000-memory.dmp
memory/812-453-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2148-454-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2148-462-0x0000000000400000-0x0000000000420000-memory.dmp
memory/3372-470-0x0000000000400000-0x0000000000420000-memory.dmp
memory/824-472-0x0000000000400000-0x0000000000420000-memory.dmp
memory/824-479-0x0000000000400000-0x0000000000420000-memory.dmp
memory/4208-487-0x0000000000400000-0x0000000000420000-memory.dmp
memory/5032-495-0x0000000000400000-0x0000000000420000-memory.dmp
memory/648-503-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\esQc.exe
| MD5 | 90d989f8a7aa93520a5b7f8bb9fe5e12 |
| SHA1 | 59a9b993517475f8371898112ed7928f6ebddb6f |
| SHA256 | 7a5e1762b1b94a6caf065628070d0a5c1f6573358a361c89657e194357ab5101 |
| SHA512 | 55a4338a4a4cf10111b1e5cb0d2a5232353ab48cade80d389f24de0e6fc514eaf64438d5afcf3e27b65033a9169b1189b017d10248aa1295c63941c01f5edce7 |
memory/3784-519-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IUQq.exe
| MD5 | 8ae785067280b9407f12556b7bacd723 |
| SHA1 | 41d30ec27b12ed5100f7ce0ea9deb7a541218eeb |
| SHA256 | 0f6296859353fb2f44e93d8c9658bb91df376dd4317153e31dabc95a50fd502a |
| SHA512 | 569de2bb3a9e2ab7b223cdcb65d5e76ea5970c1528b0d2c42c1c821f96b0f633aa8a38b98ff8f20226f2f5c227011532f08a27ae65b1aa8164d1e1cbf0610d4c |
memory/3784-541-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\QYsU.exe
| MD5 | bc0f227155eb34ece7532c749afd1dec |
| SHA1 | ed9701d30d2db6ae52173581aaf489625d4b5048 |
| SHA256 | 7c1d74c6750e36ecc38737a280ab381a7324274c98ed73ae379d861dd21e3eb9 |
| SHA512 | a3deec5a726224974df63fd774d2db813d8b7fd6250d61fc8103eff50306de56b2f9b1143f1a28a778e959d526eea7bb2edf5dede6987ec190cf6a0c263a8fbc |
C:\Users\Admin\AppData\Local\Temp\YMIm.ico
| MD5 | ee421bd295eb1a0d8c54f8586ccb18fa |
| SHA1 | bc06850f3112289fce374241f7e9aff0a70ecb2f |
| SHA256 | 57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563 |
| SHA512 | dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897 |
C:\Users\Admin\AppData\Local\Temp\AkMa.exe
| MD5 | 48cc9f1797dce14cc683da1b39c22670 |
| SHA1 | 6beae30cbcbc215047e7db12c212f42f63c63cf3 |
| SHA256 | 5ad09501e7a56918e3e583a71370f9d6826caf9ffce6a9c42efa66f15bce72fa |
| SHA512 | acca8c838d42fb8f21930629a8f4375198584d5d5ffc8d7d6f114c81df302c231d71f7e7ea3be26b1b80ca6e6c68e2aa6b608eaa452d49421d3534ce1c0c3b69 |
C:\Users\Admin\AppData\Local\Temp\eYMq.exe
| MD5 | 64cf8ad6e41312b737633d54cd47d33a |
| SHA1 | 53d63e983a99d12c7e76fdc43c649cae4bd4c3cf |
| SHA256 | 822dfbaa539ac1451adf528712d522acdb4adc91219e7a784103954ed9e4a3cf |
| SHA512 | 89a6ce872bf33d8e87c6f3e6f14e5b0c2d8aa04b846131f0e9f96fe26a17d60818a6fbf70918c549b24fd227910348e6ff2aea2a2bb873f27a2d94c8ff684d20 |
C:\Users\Admin\AppData\Local\Temp\mQcw.exe
| MD5 | fbbfa5e488b4c34f786184bdbdff4815 |
| SHA1 | 9bbcaca718a8fea8db2866bbeb1731583211a631 |
| SHA256 | 44018e54eba7678fc3eb5911afca80ce70b290a0ab491acf1673814eba50e26e |
| SHA512 | 3f838998247fa30a6a47440a054f5df1ab1daa8959f2503b7666c766fc817d4cd7e324af8f6992c591f4ee559503d1c4a00b9d0eb90e8d5eaeefb5dc017d2801 |
memory/2944-602-0x0000000000400000-0x0000000000420000-memory.dmp
memory/5040-606-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\SAgQ.exe
| MD5 | bc9f4b69317feecf1c776db85c678efa |
| SHA1 | f665de83b67c1f1970e095082b6e3dca9b05dbbe |
| SHA256 | c52b739aec3761ac89cf886897ed98382335f8b1bbfb992a2337ca0107a5df58 |
| SHA512 | d6c61580434e55d1f8c6cfa3d05d9ae1510df4dbf39f376fb64c885e80b156b8371aa9198df6a38b786c6da9a5af9706807086d77cd612ffc46aa7571b437dc3 |
C:\Users\Admin\AppData\Local\Temp\sIQw.exe
| MD5 | 070c2cb7957140c2d87b7fcd1978d216 |
| SHA1 | f233df3354ed48620b2bcc376228bb6b63db97b1 |
| SHA256 | 5ae8a66c1f7af52825f14f6c45750125b0c5194219514f0036df2d71f3478ed9 |
| SHA512 | 0abbaac92b8aaafa725888fe2444d57affc0f606aa543bada99b81cf82aa10357c40dccd23c765df683dbf9e1072c4c80524da32fa2365614b5f4254b16a6e1a |
C:\Users\Admin\AppData\Local\Temp\wkMm.exe
| MD5 | e06c42eac1f50b3c5a739ac8c9af9b8d |
| SHA1 | 302eb7410588a1fc90ff617cf6363bd629e6a65c |
| SHA256 | a565de83dc0f7cdd8d5869ff25e1f51b0065d81c87b433305ee9fc2779c16a99 |
| SHA512 | f06fd4b69722518407e3a15e54695021782b9a4069fafde0c88ca475b41cdddc70fa925352b30ccfbafb2def02c5375e41c108b9e73db5a6272879fa109209cc |
C:\ProgramData\Microsoft\User Account Pictures\user-192.png.exe
| MD5 | d95f86a33753003c46bcaaa99dd21c24 |
| SHA1 | 4eea02876cfe0a0e0a4114aab25512a92bce78fd |
| SHA256 | f220265ce8da4059cef78e6e469931ab5cfe23c8f5eba40491937371f4d735c0 |
| SHA512 | 59ad1f3c6dba5a9b9b5db8502508d3a3d2c507c3d29a01eab11fc5ec5264f782e67bef4666b899e4e5395fc068faad4dbaba5b2a93f2c2ae74d5067700d49d67 |
C:\Users\Admin\AppData\Local\Temp\UwAo.exe
| MD5 | 4905d16eb0b16b944e8680efb6287513 |
| SHA1 | 1e9ef1169c6e2842be3d561431efe463e92ac640 |
| SHA256 | a1f20623872e1b15670dc7d7ed036b9f4b839f0ad00993ff9d44cb5c3577fcfe |
| SHA512 | c037b907b7798b2eaa0a6ae1d52b8de08254cc9f85e8d30dfe249128583a8a5ccc94a406a46f61a821f1406850f5e6630ef102b05b42043ad43128d039c16284 |
memory/2944-684-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ykok.exe
| MD5 | 1028d0f5a2e23076896f84654a323c15 |
| SHA1 | 4312a79c70dfbf282322f16880073a5232b99339 |
| SHA256 | fc2629cc1659560d1cf1a659c476fccd60965b0abdbce0d9d55fdc1ea0a5aa00 |
| SHA512 | 5bd79b9d27b3c09c78c919c3f2d0edd19d990b0f6f3fba1bce8d62fe5fb4763e4914f304e176264fd0da3b3c6f7043a5fa3d5b78e878725d9eb797107154f599 |
C:\Users\Admin\AppData\Local\Temp\oAEk.exe
| MD5 | d8d986666ba8d3cd79e85688293538af |
| SHA1 | 5158d8cdc505f3d7113d83e5196b2bb47f8c2f78 |
| SHA256 | 761f59fbbb4c5c6d08ff6cb10987321252d230256e2f760875d1f3adcc129f60 |
| SHA512 | 1e046b778fb95c7732a779c5ced9abf8ce74f626f21787e074efa3554955ca73b7ad02b136fdd8fae68afe96b18e625395470b5ecf0aa9265496d4cd25f1d4fb |
memory/3996-731-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Ecoe.exe
| MD5 | ad088501c406a4329ce32c918130d37b |
| SHA1 | ef6240b696ce57285b980f0caa3dd4749cf1e3b0 |
| SHA256 | 0a34616377d40ea3109b128da480bebd3b447fc56e774b10b4b5d59b6d52b821 |
| SHA512 | 7a8a854cbb3ecdb11ef1ec72a5f00b3a16f4aea96d1d53b3cca22dbf84ee2fbcca4a8abeaabeee849d5e864f4c512ac579b7f0a5cce196448aea9a0fa27dbb32 |
C:\Users\Admin\AppData\Local\Temp\OkYI.exe
| MD5 | b690627427bf6d6d4258d706a5752c59 |
| SHA1 | 568258360f411aa659cb258314f037510df70997 |
| SHA256 | e94b89ae597b3e25f050428cdfd15689e57a9d11f845dd921c55ce8352a39a93 |
| SHA512 | 467f287d1d4864cdfe7ed5677128fcafa94ceef8a7d3d241bc296213398ab635664a16fea8cc18b03b97855b4a1ec57852c7f586a8b0a2d301ab83c9f5497376 |
memory/2828-749-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\kUUQ.exe
| MD5 | 0ac6518627fce95b541c25d468765950 |
| SHA1 | ecab6cb7a87829924f9f5e60b3b3c506e47b0836 |
| SHA256 | 785b88edf8c6edc5e3922e5082b3d7ac4f9143946027599e39101fd60de01697 |
| SHA512 | c7aeb3a843584c06e6b30501e6b9def321a0684c1485a56ab29404f9b8af9a390d11d1ba084f2ca16959eb9bea2317d2eab09bf0c306a96492142365057d1bbd |
C:\Users\Admin\AppData\Local\Temp\iggu.ico
| MD5 | ac4b56cc5c5e71c3bb226181418fd891 |
| SHA1 | e62149df7a7d31a7777cae68822e4d0eaba2199d |
| SHA256 | 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3 |
| SHA512 | a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998 |
C:\Users\Admin\AppData\Local\Temp\MosC.exe
| MD5 | 6ab681939b7db5875b2e4e8e94e99e76 |
| SHA1 | e7a22aac9914d83c73b9fd3acc138d1cb3b2a196 |
| SHA256 | 29a37f25de5a512764c06e6224c25bc677317622939fc2b89d737f0c5023f586 |
| SHA512 | 3c6b3ab4dd920a3479f952a473e8b737e47ddba41f751ed1775fb5da13e3644436ee24e0a63072e51228dac4ff22fb41dc0829eddf3fe02959647c5f8bb44d30 |
C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
| MD5 | c3350eb5361bb6032316951b03a04d4d |
| SHA1 | c829533721df5f86deef711e477905812336bc59 |
| SHA256 | 54b64969226f1db16f48f7bca11b2302704f4b8472a6cc9df66b6eef7469974e |
| SHA512 | 9f59b557ec3b3fb364626ba96c3dac5c74a55893737131d566f727b03d45a8bf9065df669a4c07cf8e863ab2ad4fa1566ab8e40ade830efa778c9645d7cd1b29 |
C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe
| MD5 | 39c89ae327d6826437b4e95d2ac8a044 |
| SHA1 | f9a8ae807e6861ef200342f0748694852442b6ff |
| SHA256 | 1e46be1b754a42bccae276f7b5b30e9b1710b66e279193b9804b02f7f3a32ce0 |
| SHA512 | dec9924b932b7e58c7c4ad35ea7d45a4dd13afbe17380b66b296da64799e5d72006d9d6c36a8b70f63fc8b91c012399897fc8a27ad0cecd5c80f42aac7700c90 |
memory/2828-827-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Issc.exe
| MD5 | 8146604fca4042c1a3b8e79422cd26b4 |
| SHA1 | fc7ea8c8fd6b20c00e674f6f0e3c8faa648ed977 |
| SHA256 | 467c1248a611828f1a4d4314a54e8dd1d58ae1211714ccdc99425242cb414a48 |
| SHA512 | 57a2a5e3d76b86e7de592499c68e21e6787155483e83f4d9519969506ee26e305da6c9fa3729db9ed91e4b12fd2dd144e110008ff6674b5be6c94f40c3757ee6 |
C:\Users\Admin\AppData\Local\Temp\MMMu.exe
| MD5 | 2cd1ce4ec960cdd772dbe8788418dd46 |
| SHA1 | 729e27d2cbd38bc4a40d82caebfa202dbb24c278 |
| SHA256 | d4554b24be44210d37242005a8be1739d7867e44f8dbeb0ecb0f5d65f6be585f |
| SHA512 | c49564c620c4d0d21a0a3bd978d4baba00f84d63652f684e792446c5436b8fa1f45c008109f658edd23e743c0a52ef0424427c55ae79af034f9bc28bd92413bd |
C:\Users\Admin\AppData\Local\Temp\MwAC.exe
| MD5 | c4a67141a9a112d48bcce984a6699376 |
| SHA1 | b829696245ebc202c6a12485221de8c204a403ef |
| SHA256 | 03542f8bcf18681a479d8c79a3e0de282a116aea721e6ec647860fc34cacc105 |
| SHA512 | a362449e943e4140e077878103b2b79b861711bfdee16dba31750702b4abb6d524b83389f0c962ac38709be1c780b9138f1c8c69667e5ef8e4aa2945180c42cf |
C:\ProgramData\Package Cache\{ef5af41f-d68c-48f7-bfb0-5055718601fc}\windowsdesktop-runtime-7.0.16-win-x64.exe
| MD5 | 0cea9c2695bb25064041f429651db802 |
| SHA1 | eb26da57e48fe8a537c05c1493cae961ac4ed47d |
| SHA256 | 5cf027333477f26044209f10746d00511789408bd8232e30c71ac61b3c866755 |
| SHA512 | 38094ba12c04c64a946b1391e07d4be4eadd2b106de0cf85236dc43f2eb1cc3b0e5b0e4f4d22b7bda74eca48f1e4b372bba7b5e31f9016e9deff4184897b9777 |
C:\Users\Admin\AppData\Local\Temp\gcAm.exe
| MD5 | 70599b330ae3b61228d2b5b882d6aefd |
| SHA1 | bb143f9c80f26ccf49acf94065691a82c333b35d |
| SHA256 | ea916b5df1e8817267dca88daaf3d89a262cba06b0832f66421e7a4d033a968c |
| SHA512 | cc5340cbbbb3b431118e90101a02404ac3b029717d399fefaf6a07e1128ca1bee6d96ab32b63689d97a5c692f8e5ae51dc35df5e102def4b5f94251e25bc5041 |
memory/4560-891-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\MQkm.exe
| MD5 | f8ebedf9c88f048d9ef00f3ce262d970 |
| SHA1 | e5d0e5c802ed2a604d9dc986f6e6775bc94961dd |
| SHA256 | 68a44250e47021d547852326e9a6f8fd0955b1334675002dfddb4d82f1c968e0 |
| SHA512 | 66141931a81b06357f388fbbb666e49a8aae62ddbc01713ae68fa707c7c3125fb965ab9df48c249138881fea96f447fec0a396ab8f9e46e69908f25f776063cb |
C:\Users\Admin\AppData\Local\Temp\oMQK.exe
| MD5 | 6b5d0e9fe8ead902a325f0c36d128dc0 |
| SHA1 | 3e568c534a5dfec41065b29c4c5d713eaf3c6cbc |
| SHA256 | 4e37fd882456c2d65f3845ae430bd2b235eb88e11267463ea6606025c2ff5bfe |
| SHA512 | 7a8d38905ad45e1a1f49dcca5d60e006f352d98c0aee3bdebc28044dd065ef57b7f0a2aaf9cfce2dbc0da013bcc9f4b571b8871e0f57adcb1e441c578cac26ab |
C:\Users\Admin\AppData\Local\Temp\Awou.exe
| MD5 | f735fc460c1509e1a7fa7bfe535410af |
| SHA1 | aba24a72ccfb557ec40cf374ef5c8ba6e3ddac90 |
| SHA256 | ac2d908dd49673c6b420502c0d8bb17aaaa40b1320495ebd8e4b062a8e86cb16 |
| SHA512 | ff1cbc865c2c260a5e66b71f314d34d022f04a8017c902fb7538ee3cacf07920e99cf24dca99065d23d661477c6f769579db0f332eba012fa6b27da26b48a68a |
C:\Users\Admin\AppData\Local\Temp\EwQi.exe
| MD5 | 763245723d55a67526c8cb5cd4c5cd30 |
| SHA1 | 9856497e22b4f6502ed66a14324a6abc13f1046f |
| SHA256 | e6da53eb511ca802f5eddbf78768a15bedd113f24e7ef1503222e1f07f573080 |
| SHA512 | 0a6ac82ff9358e62a265fc2772e07f035f6a11a47a20cfb3c72cba4184986f2be86ee9f09d5b4e569f8a286f4528d66416083c1af180ecea5a39f920471eab7d |
memory/2124-954-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Sgok.exe
| MD5 | 217dcdbdcaa62baa166ad5930f205b14 |
| SHA1 | 8d80753032e2336853e88e89720daa277eb31e50 |
| SHA256 | 1cdf8962725f7ff53c6b4aff3387966a5c9b6aa8b9406408e76b3bdbfa62e574 |
| SHA512 | d0429b88c5c1e1b3239dfe9a259af5d4495f33ec2cbf8120561771fcbc872d1439ceaf413b9e378b7313c7f5b8f933bbae8b7c338a7f09a8e869ac782b779e62 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppWhite.png.exe
| MD5 | c1701b3dadf52b2f5f42155a011f98b0 |
| SHA1 | 2923e7b284819b8b03aa2b82593920cf5eebe1f7 |
| SHA256 | e0f3100bedfb1c1213d68f6ce9fb1d8a1228089564b4a11ee0ed49aac785ce6b |
| SHA512 | d421f8880a7aca53ac3c4dbcc76176afc2b89cd899189204e1cb96e98c5b1f142eb2f1aea42374bd56db2ba977b061f0608aa5992aa6c35871e747f5f1506827 |
C:\Users\Admin\AppData\Local\Temp\uMsU.exe
| MD5 | cc934e10edf1cd6cbeddda5b93ae7120 |
| SHA1 | 5c058e7a2742e3e3fb07774b5b74612d1dd3c23b |
| SHA256 | 4c8a1fbddd641a1d50fd23f412c42fe1b3ec84102fceb37cbb7462cdd849e12b |
| SHA512 | b65014584ce8a299ee8effcc0c7cd80f3dacd3f200fd2fcdb59724b9e8ba6aa50596f4757b29e2d90ae5dc977a48f959fc89ab2b4ff4eae868bc661d3a058f6c |
C:\Users\Admin\AppData\Local\Temp\cgAQ.exe
| MD5 | 7fd07925093602555f4e7ad5404da0f5 |
| SHA1 | 81a7f0b799fa9d33ed2f738cf84b7a8ef5707844 |
| SHA256 | ceeac71654ec052c03d5ca12644946ed9342f1301f7a12697287b29a2c853633 |
| SHA512 | 3564726d432649bda7eb5bf90c974a6071d588a87ec5cda03d65fea5100be9ab7bf1d1f8ee862ae41193c1709eda7566d16f17a8ccc0105d94aba6168f9d752b |
memory/4360-1018-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\MMQM.exe
| MD5 | 0d5391b8921ccc57b996c0d2ef6019ac |
| SHA1 | 5e0275df1766ac61c3affe512274abcb93204642 |
| SHA256 | 773166d8a9987f274d8d3728a71b9c96ff327a9d93b812522f63d277e8f10ffa |
| SHA512 | 2ac5550b17ab1abeeb83978b73f2ef3eb86d8d736131785de31dea98d5761c2b12d06104c9aa9498715ad85153103834b7a824edda71fcad88bd2705f5801a65 |
C:\Users\Admin\AppData\Local\Temp\ukoe.exe
| MD5 | e00b5b360c51eb9a62f6f7db695bae84 |
| SHA1 | a5291439fa9f9f93f98a8b7559fe6d8e4d45516e |
| SHA256 | 4a2e8629047fd962b0f9d444fd433f8b78eba1df02810c9d06763ff3a1d48cf2 |
| SHA512 | fe7f4ea96fff0af4b1f1f950412d4b345697db3a88909fdf3691a282c9692fc6e2dbf8a6556b4fbe566425c668ff7262b005ae48bd7a89f47e2ac3e3ffddf1ba |
C:\Users\Admin\AppData\Local\Temp\cMIO.exe
| MD5 | 4b97211d52b03edf36fdedbff39760e1 |
| SHA1 | 3f0a8a5f840c26c4d658b3760381231848854c50 |
| SHA256 | 51910007ce18456f883e9ba6f08384fe4acb14477d384f3f04430dc5ebd0b320 |
| SHA512 | 83651ed1333675f03d7a5a4285e1dac0d99353fbfa962b64fbba8f3b1f1b72cb8b95e2f7b40c868409883a8f5f7cd7172314ce78f184c0646a8f1cb4adc65fa1 |
C:\Users\Admin\AppData\Local\Temp\mkwc.exe
| MD5 | 7a9ca971aed86e1d8b91d62206414772 |
| SHA1 | 8b426cce925ae8d2a699bdfdcd906c3a37e98aba |
| SHA256 | 08b3a1bcb0df3df0b2a1889ce59a2a34733e887fd380a1331a864c3c22ebbb26 |
| SHA512 | 8bd9e31e48bf4cc328e505d45bceacf9ff5ff4f84a10c784e7e2cc6dd76490928059719530317d3e92cd7b19b2ce6046b505c008ded0dca33bea977dcf6d5628 |
C:\Users\Admin\AppData\Local\Temp\ocIy.exe
| MD5 | a07e973c294fdb93fea818418259d160 |
| SHA1 | 265ada5e26c36b3fddbb22804c79d899cd62fb2b |
| SHA256 | afd589347f73de8930be7362d0390595cc4ae5a0a8305bac7bcf3fad666eab65 |
| SHA512 | 4318296a47f884000039ddd10f6e2a200555fdba9bb0000fe473e91176d792b02950bed0abd3ae3b7fa73a5c73ec783179ffe84732304ef9730f5dbe3ee43aa4 |
memory/5004-1096-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ywwq.exe
| MD5 | 17efea73eca4b931999d946503b8bc44 |
| SHA1 | 5b03836545f9aeb05ba52d2b05f54bb627dd91f8 |
| SHA256 | 2d41d8bc2a0d5c05fde0be902c109bfbc8123170c1bfba3b683e2513effe326f |
| SHA512 | 42abc92194c22abdc125796a365030f3a13a928a0cae41fdc69d2db4f896ec6fb14e0f81fb2157fea1964721a03f4fe63e707f18dc2897a9295ac1d474432210 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMScanExclusionToast.png.exe
| MD5 | aeafe17c27d15f529a56ea47636011c8 |
| SHA1 | 633e6ca593444c9f5505e5807973ad9b644c058b |
| SHA256 | 6b3b03ec548d774e12295e415fe73fe3b14bf304a85355ff0680dbce298a84e5 |
| SHA512 | 99a8eeba398f3ad98d361a26fa6c9ea64e4a2d726f53ed1264b19ef929409cc2dfe9059048452dcb44d7fa2713ee8a4f8e61e4770a408f9547cd07888f962b3a |
C:\Users\Admin\AppData\Local\Temp\SIAq.exe
| MD5 | 97c433e9676a807f1bd223bf05c53183 |
| SHA1 | 2bfe40e196ca12f62ba579112f16cc04de691f7e |
| SHA256 | 6bbf01db4608eef5c0e2194cde94e6546b6b71b30fb60b7fee72dd4ffe414f87 |
| SHA512 | 74e07b1f1f7e402541d71e65ef92747a85b2fc0a6e415d5d1f304eb216def728fd0b3bd54ec02b5b9d0ad6f8ae475ecbdc825daa3d87c45b953301550d018f22 |
C:\Users\Admin\AppData\Local\Temp\gwEM.exe
| MD5 | e366e43331af4e65e4a618b6007f2980 |
| SHA1 | 90b4686be08fff10c8ada32ca8845e5e592ad6ff |
| SHA256 | a7478a37856238ff3200611e40f27a95d7e183888db37b8c506b61a4b33f105d |
| SHA512 | d1b38c6ffe3f89717f4db46de35aec3371d9f5bab270f9d843872711a7402a49bb2c38e64b3502727e4c90e8b56431c6359e5c5434634d11cfbf6bdf1129316a |
memory/4624-1159-0x0000000000400000-0x0000000000420000-memory.dmp
memory/4144-1161-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\OEMO.exe
| MD5 | e63eb89b4712f27eb8652555b7b11832 |
| SHA1 | 094dd72e2de6e9ae79689be98051d5f3eb5711f9 |
| SHA256 | ffcbab3923483df3b4971a3d2d5e3c1aae4bd2ccd9985201988910912571224e |
| SHA512 | bfd6f00bf529723150a343c0d4a5bf50af2f65b686e2531b5b698cfabd5dc8dae9d4f32e3ee42b94a85e6e9aeb879098234fb53edbe20b6f47da03897a875b5b |
C:\Users\Admin\AppData\Local\Temp\OQUK.exe
| MD5 | 7d94fea91519226556422035b7a92b3f |
| SHA1 | 4a4f4efa961f4950e16c3c2488d5e3c7e089d878 |
| SHA256 | f6af2e7647b844be36aa7477bb9b09d711a80584e05644af76a6d93fc4ccb433 |
| SHA512 | 686b7278e517f9f92a691034541d551f9bd9164ff73898c4685b340089cb87fb03ef44177c40717ecc10e6d3b9b4ed2632dbd1017ada62ae0e9c5e7d15fcb66e |
C:\Users\Admin\AppData\Local\Temp\isoI.exe
| MD5 | ca56b235b0dc4f17173bc8ea4bc4bce7 |
| SHA1 | 128c6d73a19262b9507c35cd0abd42acc2b537c5 |
| SHA256 | 8743b415bd0866619ad2f0aab1ff786157b9e3df8fe3a9d324d73065a42ef220 |
| SHA512 | 6ca96495aae388937bca27247bd9b75c3038087da1fb3732491104fba7b25a0578dfde9a7042e628827f5748b22629f35a5ff1febe79ad35cacc871610f021e7 |
C:\Users\Admin\AppData\Local\Temp\WkQA.exe
| MD5 | 65fddfd54d13d6f4155e757a6c2e9300 |
| SHA1 | 6d8b56945ad78c27aeee5943684e98ae6ea23afc |
| SHA256 | 1b75a202a55d65928e4cbea2d98231a8ae753f6f142e000f323d477854752f4c |
| SHA512 | 1195b14f5f9af473d4a44e514e52290c2201cf6e4c2e40e2c3494d5ffcf25131854c68043911e075f577ff0bd7635bbb94328b842de6cfabd7c5b4fe82446ee6 |
memory/1812-1221-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\GsEk.exe
| MD5 | ab608043cb422136445f696981acd1ce |
| SHA1 | bda70d72cc45c00e0689332f6046eb453249c1a8 |
| SHA256 | e1163b6dce928b8ed89be5be446f5f7d72344f7da5eefef3e31f91b280ba3632 |
| SHA512 | 190e5485070bca1527bcf4cede2f398ec1ec96ecc5f3c84b43cefa24acf1ff475884e87d1148434159861a73691a88f266beeeb29ce550d54cba98846a259e75 |
memory/4144-1239-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\AgQU.exe
| MD5 | f8d2c936bd813862bc2cde675920eabb |
| SHA1 | f99be2c682fed0e733ff6287accf6737666f5c1d |
| SHA256 | 0d540021a05bc832020fe41f2ec5a11dee40f5e3941b1954ce8306e57006f177 |
| SHA512 | 2ffe661a328123c1d4c8ec0a5e0e20a732029b044d781612d245387e31bb136ec1ce52a6044b728a36d1a905e880461ed656e73ab08ca5693e12d9c4a23cfb55 |
C:\Users\Admin\AppData\Local\Temp\uUkU.exe
| MD5 | 157b4b0829aa231b99bdc774266cdf8f |
| SHA1 | f369574fd94891274ab77cb5a0fbddfae7a1e98a |
| SHA256 | 285d0d613bd596fa5ebf4a0cd5ff52c7f01017d48664072e1597afcadd1ec995 |
| SHA512 | d75eb637507773b02603ea45aa5fa2a96cf034beba246da9ff80d193cfde95bfd6abdbfbb10813cf7a81919a3baa2823555359a560664641b8b0f233be7514d2 |
C:\Users\Admin\AppData\Local\Temp\cwgK.exe
| MD5 | 72bb593b06aa390b64e378989cc5dab5 |
| SHA1 | 4296a6ea34315bec38b715a8934b9c3307974386 |
| SHA256 | de2c9204dda116045a6bc41b8a67be288600deb36229d99cbc9f975e1fb4889a |
| SHA512 | 8a0e6d3507e6be0f1c21ba8a14c3450eeab029d563027cb7c07425c8670c50df3a74731d5db5c4c36263947b5891d0185426e608e7878a746ec3d890a7b531d4 |
memory/1812-1289-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\EMYs.exe
| MD5 | c422280496dc0de82076218c2fdaa7f2 |
| SHA1 | d904c2bcceabeb0e21d88ce34e2f2841d58b0657 |
| SHA256 | 9f84f99b5016ef043684522bc5673c30fd77deab87a237f08d653a0925a7bbe9 |
| SHA512 | 2ee6e034e2214d10b8636df6b60273ddfcbe75c0ca3d639d8ecce4b291437d7e43a49da1d47c2dd2f9fcd9e1266e4ed9b88e2dbc7ec7580bfebf434eddf58442 |
C:\Users\Admin\AppData\Local\Temp\SgQA.exe
| MD5 | 2691e7160e485f46a73ce65562ac9629 |
| SHA1 | 56ab3532aa52378f7c612b4730e9d0e77c472e37 |
| SHA256 | 70d65e8a6a1afb01b02a2f8aa67faa82d7591fa193ea35db88453783b1c3c057 |
| SHA512 | 52c7dfbd260edcc8aeb6a7020c17d2f5a1d4a70e5156981e05b0e509300fb818211350db03a3ff93a6866394323d98fc0a547417ea40642a07bc47bd6b45817e |
C:\Users\Admin\AppData\Local\Temp\qsUs.exe
| MD5 | 2a55ca2172dcb1a705cd2e0ba23ef4fa |
| SHA1 | 6c5c6d31e16f03d4e446628d05353a6bc532c105 |
| SHA256 | 3a2a03cb6c2fb68830befb948d3d32163055b075dc403f4a705075187abd350b |
| SHA512 | 9a8e791f8cdbee44e7d38f7c82fa927e551688c8fc22796b7c2da49fecb90e7cbf8bafa7c564bb69a7e936b57b9f9403189062d9112ec286868c9627c3341bd2 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-150.png.exe
| MD5 | a19d79db54946d2d595819a51fa00452 |
| SHA1 | c56f1a741dbb266b7ea3082d31ed59c302179308 |
| SHA256 | b33bf9840b687c022d8b7f60c3ee8dc797bbfd4138dbee7131b148a5f533a2a0 |
| SHA512 | f22bc3d50145d441f34d939dc5917114ae9303d30a7e5b72457900bf411815e6e6da79b0f6dc8b90c6a60348ab80f4ee6f6a8bda37060e3e50b3a606e30bb986 |
C:\Users\Admin\AppData\Local\Temp\EQUc.exe
| MD5 | d2be8d81694a8e6ac84545af33d3e39d |
| SHA1 | f631726a8d09d0cd02131b56a7a20d5de3a870b6 |
| SHA256 | f69148eb159c8aed6845b768b27e7b898dd4c997e7d688fb445099f2eed3e631 |
| SHA512 | fdf8410a4795b5cb9ddd39da35fcb514c87b0c8ac386c16faf3315aa256c6991508f44b115fede5339c18a4bbe6d79b97d4fbc09a987502d745d9c727e3d282f |
memory/416-1364-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\UQUa.exe
| MD5 | 19c4ece47258e3755afa5db5734cd9ad |
| SHA1 | 04effee8f01f766010fe3d61a4807769c93c448f |
| SHA256 | 08196874a76672509b7facc02e59354ad8c4968d2fa4c59dd9c8af08b52c9131 |
| SHA512 | 7b391c20fcf65010be3ebe6a837f94678449e3867619ee28001cc546efdfe0300bb7091d22704755dcb79b8fe7809552441b2c045cee281f5a6f41a7a3061ccd |
memory/1964-1382-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\kQwy.exe
| MD5 | f4199440963786837ca6c6afc0750d89 |
| SHA1 | 249b4e0ed7098dd935e57bd9ad2a37a1c6cb937d |
| SHA256 | 07e41d5556399ac8eb654ca4f76c16060e156ca5f72b70dabb4126ab34cb80cf |
| SHA512 | 43f423dbe0653517fe55f146f6d60dda8d8ae7e0827d191b7aabdf5beca8b193ac4c6127a7a853488f67453fbcc94502d8e261c1c4c17ee3f9a6644bec7dbf88 |
C:\Users\Admin\AppData\Local\Temp\wcsG.exe
| MD5 | a77b6583954c44aa6065c2d78831c30b |
| SHA1 | 508c274a360eb74ecc441331e0bf24951f3a27f3 |
| SHA256 | 89a2c5b30723484ec421de141671015a272a0660ced65b6ba2216e0336e7f052 |
| SHA512 | 06d9727f49fad5956e9815e06487b2e7f09ac22aa441daf26286f96aad6b447fb8cf4cfd65193c8ca394f3cb36c73606cafee19f22b54df670b5e1eb1bcaef03 |
C:\Users\Admin\AppData\Local\Temp\OkkQ.exe
| MD5 | 59eef4ea46eeddf1b57bd78c4c2732ba |
| SHA1 | e984c7cd7ef1e9a8ce6b8892798694f8b1656adf |
| SHA256 | 63858a3873a1d0500d4e9dbcfd39342ca1e2e709bdbf62c14a90931a53ef290d |
| SHA512 | 219d605ba4ab0e2cb0b46d29d1b920a56656c1b24563a81d0b876fe15da6c87f7e0bd51478eadfa9dc28d2c0396bffa059cbd4b8d6b1e0abd80e9436f5fdb40d |
memory/416-1432-0x0000000000400000-0x0000000000420000-memory.dmp
memory/384-1434-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\qcgG.exe
| MD5 | a0f53cd58eb2d4b11e87c61f6081e1ae |
| SHA1 | 981beb736a6f2138f25d418a3259896928283097 |
| SHA256 | 066e89c0e6e938360cbfd8e9f53289185de56b95eebffb5f65d252e37a912c13 |
| SHA512 | 36f681afede24c8d7b379313abee3c7f3cf1aeb6c194b26bd72b9f1ce07b5ceef790895582ab9d3853124c7dac3a311fc528bbfe0131c47110e0efc6272eeef5 |
C:\Users\Admin\AppData\Local\Temp\aYwC.exe
| MD5 | c24ff3e303b9f4f4aa0cb37a14fbc090 |
| SHA1 | 498e3775313697bdd574b87368dd41c2e1e63ab3 |
| SHA256 | 1e9405515ecabf70a1eb4c3e95a0bb2e7c9ba318b5f14c20738d07de444238a0 |
| SHA512 | 23c086370fc75898eab776258698ae913172bdddcbfa459f8f47e33c96dde04adbf58c916935e1bc9d66d5d73fe8749405431b153b3d9340de3610305c3757b5 |
C:\Users\Admin\AppData\Local\Temp\EIYg.exe
| MD5 | 6143282206ed1568887d086d094d86bb |
| SHA1 | 2e70e93ec0bb7ee8b676d56b150c75aaa647d597 |
| SHA256 | a37d5342a5339a7b6da38af9f5dadc57ae66ade97e5fa34e43871791e6ee5de6 |
| SHA512 | aa9825ad479af3378d50cf7f78d9995d7d00457b2f608cec648fe81897de7704ef050beab33275b8874f5a1d885cb1953c6cfb2b12c197c8543eeba85bf4ed62 |
C:\Users\Admin\AppData\Local\Temp\cgQu.exe
| MD5 | 79447e9bac784e38bb10c277fbf0f2e9 |
| SHA1 | bef557812b1269784fa8667af7079dd1b0f9c7b8 |
| SHA256 | 50f149d497f9c93680dfd72a5b4f01e03eb61b83c004c4aad5a8d8909c29ee1c |
| SHA512 | e6300f39b386e99788e24ec4ad54d843c75614ec0915fb05535eab28008b6b1c6b3679fc3a2e5099d21b9acd1310248ba19af4ad594c047aa64fba3fe3fb4c48 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-150.png.exe
| MD5 | 2ff68a85bcdb07f57bfb372d0d41cff7 |
| SHA1 | 06f4e78d99eba79eed4a1e3ad754c5ffb227ab4b |
| SHA256 | 0ad85dc8c93ca64713e022f13337cd0383d2327ac77663ca86c6e55eda4d18ca |
| SHA512 | af38af0fa7f79d0cb07b39b96fe688035daeaa1552017c6bb9e0b8cb706bd2eeae6bb47f1b592e918599a7f4434f9a923a03fa86834459113926a7b6cdb268eb |
memory/384-1524-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\qoIq.exe
| MD5 | a4b320e13deabe0aa8f1b7bd2476d1a6 |
| SHA1 | 948f8e42f32195ea107fc9fe1c6f8e0a20820672 |
| SHA256 | 0270abac47a9dd25b11d4d4e3a291e9fe3a93c0bd1730b76ec11e3b42e548915 |
| SHA512 | bf5f9fa31eba695313937d82a5a7cb749037273e6e75f628b70919588a1e8aac4c1656a3ddcc19b840694d0e21e2e417afaeb12b997bbebd75a648d4d5f3e626 |
C:\Users\Admin\AppData\Local\Temp\IYEe.exe
| MD5 | 3bca1e009d8621582945b1f95ae3ae0d |
| SHA1 | af2cd0b24007ed5a1a75802be4e29cabfdbaa5a1 |
| SHA256 | 79c6e0bee0275d47eff22860e1d7005030df515b22ca60acddd2106d681df58b |
| SHA512 | abcd72c38eedb0820db5eac8d66a95e4b1b0fa8597701ca889d2c5a33b2e899191d8a28be4a07419a39b959fbe7092b098d73b7b12258d583a849c5abecc3232 |
C:\Users\Admin\AppData\Local\Temp\coYM.exe
| MD5 | 629ff5041827f3674198113ff99b9883 |
| SHA1 | 2797c04523178bb4de394b8037bbed39a3102229 |
| SHA256 | 5ab6a8a4ad952b3738e2916521fdbc5e8e1797fe06319cde8245f1dde54f62d9 |
| SHA512 | 30ce3f48c83a0c7f46fa9bfa171a7fdbf1fb56e3fd3f6cbcd3594e574f51f02902aaf6c5f73d7dcef83796bcb704640f8ad8f907890734a742e7363763d433b4 |
C:\Users\Admin\AppData\Local\Temp\asYY.exe
| MD5 | 47283ab1ae398ab82d716d1a04e07c44 |
| SHA1 | 8af9ebec71e9f6a72f65b6255dbc0231f2003e25 |
| SHA256 | cd227038ed8dd7014e0b4c55cce52adaf7a0c931ccf9572424869f031ae8ef67 |
| SHA512 | 2aff17dbc97ff7bcef707707e365b77220fd835b62eb903e7ef9866f593122f627df962421cd465d1b365692558352ec38d25517b051d6b276a6d038a33d28e5 |
C:\Users\Admin\AppData\Local\Temp\qIMY.exe
| MD5 | dcfd042c7370f0e656f4a57547a70eb5 |
| SHA1 | d680a6fb0cb9ac818f91df4dec07bc7e0b7de514 |
| SHA256 | e112039bef9a3b4adb26030492296349da74e60f29d6e265f12b409857659adc |
| SHA512 | fe76d764aedc1ddc8b21fd24a2cbed60d78fb79714fa6b2682befb2fcd898d9849446aff06bb643524e7c8ebfddf320a0574e60b40aea0feff89721b1f4b6454 |
memory/3432-1588-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\kUkQ.exe
| MD5 | 0c5a57fc8e32cfba4e682a7ed9ccf0a4 |
| SHA1 | ba6279a394952a03d17ae8fd89bf021fcb382b9b |
| SHA256 | 206a063c3468dfaa211a469bf98632afb996664a985156e209e828d2075d3c4e |
| SHA512 | 6719e63da268028bdaf1cd490626def4280122fdb058ba0ba300970cca9608f593e2a876763c67dbc87c5ed36b7a2725a15fe90fc4d21ccd5ae2e933ec3612d1 |
C:\Users\Admin\AppData\Local\Temp\Esse.exe
| MD5 | 69580a7054d61d5e319baa53b0eaee27 |
| SHA1 | b911a1ab348fb6a3ccba9c75b19e108c751a21f4 |
| SHA256 | b5a71ea06d1dd1c709bfc1e5e402821a6136788e5e1561159067e47c18d983c0 |
| SHA512 | 9f653f97bc4467a2a9825093171628e88a737d8c6a245fb12346232b6e1e2992f3419ca87be320b4b25508c288256ed036dab3362623633203293f2d5596a4a5 |
C:\Users\Admin\AppData\Local\Temp\CwIg.exe
| MD5 | fd43d4b10ce83f0908d66dda8abc4e2c |
| SHA1 | 960f4e1b0a4112d2111c025ff020b3d6fcae35fe |
| SHA256 | fc5006b94a4a3a9c6db14810dd98bb67bc44e47dea6ddf257a3ad2197dc470b3 |
| SHA512 | d53f251d2efff10d77cde7a6e28307ae03db0770c0633e507b1e5317e26f24be9db3bb7cdd9abbe4d35d3f7e11fc4df22d6bad164199d9e8afe0f471c5a9349a |
C:\Users\Admin\AppData\Local\Temp\oIIw.exe
| MD5 | 4cebec8688aba70163ff533e0f50c905 |
| SHA1 | 6eff3d30005544729d6416ac1b99fce55fd7bc41 |
| SHA256 | 4a764f840bec65c5d0725c664a7f45190a28377c0b389a7cdb927a1017424f3c |
| SHA512 | f161d52ae01554d6b79eb394ff16f699c5d0760d55eccec4a6145a2ae9a6447c7962a251fe331e5003afa5cb6328da6707f8afcca3e8eb9496900f2cf596a804 |
memory/5012-1652-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2504-1653-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Qkcs.exe
| MD5 | 04ef494a65542e8e20406030778ca916 |
| SHA1 | 2551c318e2c366c9caed3d4000164eb36a3c010a |
| SHA256 | 660aada9c559be4db9e883b3e158c7b36ff7124719a81f0e4b755792483e87e8 |
| SHA512 | e4ad12ae68086f9e2e6d9fe70fa4c50890c1787c664fcde5956cda9012edffa5b43f805dde9f2a31f14ab3c2a8fa8f0115472b083e37be09c22c2a2b06a48573 |
C:\Users\Admin\AppData\Local\Temp\yMQa.exe
| MD5 | 5388495c1517d73d7ea27148c994bc85 |
| SHA1 | 7cc7827f9a377335e1f40d987abbc85d37fe6cf2 |
| SHA256 | ab2259ee0da54a6f5186f35b752cdbbd34082d5ea173f80e682c986fa9681a67 |
| SHA512 | 03af2974d44445b8d17a678b8994e808dbf0693a3c4f386914b0071093307025c5be9826161cf0075502d96dae570f368021aaa64eb9b92c4aa7e6bf19bfc481 |
C:\Users\Admin\AppData\Local\Temp\icIe.exe
| MD5 | 18fe9186288b3cffd82101b15abfa334 |
| SHA1 | 43c844892999aa4e558d6a73cfdfc3990d9bd07a |
| SHA256 | b7406cd7c39b14c643e9e19a8b4215701c295a2efe8e60b97efe50bfb58235fb |
| SHA512 | e02dc70a2551fdaad633ad4cba4c8bbcb731510b9ff0e104f15fe577e2bc23d8faab07cf831054a391b868be6b7bfa49e635fa462f7dfc1f0b5f532154256ac8 |
C:\Users\Admin\AppData\Local\Temp\gEIw.exe
| MD5 | cad3938fd3bc06ef03df87a4add9725a |
| SHA1 | 55d1d38c4f74994ea11c8950a11f3ada93029c21 |
| SHA256 | afcd8b40ab56f314938b7c1f736ec0fcedb40adff0c58be32fec1a3c35169d01 |
| SHA512 | 0b396b00afec2c56b8d879e59b200d3939ccb926f70289e7f01119e16d498aae0dd2c8bc820941c801e26ea0f7cfc7b71b63efb070088be4c72799ab97cb87fc |
memory/3432-1714-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2504-1718-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\mosk.exe
| MD5 | efdb3e7e6db59b42a25c56c6f23bf058 |
| SHA1 | a5a581404a80ce333387679c092d0fa6e64b53b6 |
| SHA256 | 2c56f3f96a70f3de2e1d1a7019fce1f342e2dcff3c5407f39b2f64ce23a37095 |
| SHA512 | 2a7b2597b0f3989708a660c1c928e0de56cfa1322cec3840ebe1986a9589b96852334da3bd2111f55cb2239224446894d68104fd1dc9ae0c0783485bf6453e17 |
C:\Users\Admin\AppData\Local\Temp\ecQs.exe
| MD5 | c06d3ef9640ab2187747100e70387e58 |
| SHA1 | a4f3f5f753c5db71b0d2493ba38c6a3b1fc4f6c5 |
| SHA256 | 09a39e8b385a5a95e978aa460a55a410cf8bdff583ee16d3b21c1af648641d52 |
| SHA512 | 0fc353ffff933c620e25d853f181438bc44e7f377dc46c13d7993939079a456280242abd6a27a541f5ab3157c607c748038907fae36be15d880ce191c872883e |
C:\Users\Admin\AppData\Local\Temp\QksU.exe
| MD5 | 275e05cae49e7bc92d094de954c9dfc2 |
| SHA1 | da747835ddb152ed5059a8840cf4917cf3e30005 |
| SHA256 | 13f7f9fbded50dec7f329a8470f1c86a93248ab3677a00f8a4d1976026888b91 |
| SHA512 | 00f882abc66cbe7bec7f79db876ddb73660b3387d5bf3e559c5065a744c0e5fbe5695caeb939bde7636131248f2045afc81f4434bb0f53841aeed1e927363bc6 |
C:\Users\Admin\AppData\Local\Temp\SkQS.exe
| MD5 | b1db2493b5dd4dee6d5d250e3fcaa930 |
| SHA1 | 8a40ba00def4df9df0fcf238a244cd69bc62264a |
| SHA256 | 792c76c68782319c96c70dc42bf7c2b7809a9d2e5faffb0418d26e1e916ec4cb |
| SHA512 | 19d18129b82c5c4e9a7643c0063bd150410da7faa217f059a72a7734503c8c2fb14d9ab72f55549e6ff1f7e6fb74ccbd76f2efde8caf0099b8d49fb980bd7829 |
memory/3432-1782-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Gwcg.exe
| MD5 | 9dab30f4f49655d31d25e68863209fe7 |
| SHA1 | 7fc99247cddfeaf14bced22a11d29236067a1dc2 |
| SHA256 | 3d1998474e23fe17b92d542dae537b95ca1f4898c6936a150daa9661067d5961 |
| SHA512 | 6a25462ad877b0846f4a90461327e3f7e028a9c9c391cd5d3ff1ecc0a90d2d097c950a1b55900c4149d8a2df3c1727cedb7726940e699de99abba23eb2a40b46 |
C:\Users\Admin\AppData\Local\Temp\ucEo.exe
| MD5 | 439a09b8d51cf3d6198e700a4fef41ee |
| SHA1 | 6e57e72c26b28b1fc079fa72233aabfdef201728 |
| SHA256 | 98a28d02df2a6e0e02131584b939ffc30736db1e40d17023c5f2169b79f14e14 |
| SHA512 | 0582bd344b011cdeba29815f8ee86ed03df064b50ef7b7a346fadc0045431473cc5a7047e352d5b10da74b95304c770f65fcc601f060287de882e9eba0350213 |
C:\Users\Admin\AppData\Local\Temp\OsYK.exe
| MD5 | ff774e095180b9178bcb372a8246645e |
| SHA1 | 535aac5d4bd1cbc12f596d149ca98265428e5a7e |
| SHA256 | 1d52df8969fe28a02ed8406d49b2e98a39131895249ee1baf6009f7188da7854 |
| SHA512 | b3ede651a59b036dd181710575975a9fe46fd52a4df1dfcbe8a4bfb6bd8647eae59cda5eaccd9fc0d5676dd597bf9650e7c20864f023d044e24e8643f2e03fb7 |
C:\Users\Admin\AppData\Local\Temp\sgMK.exe
| MD5 | 3b7b9072cd3997adc4802b9474f2379c |
| SHA1 | 57556c20850849d1d2a830330559449dab78c98e |
| SHA256 | 5529affee1781c6d66c076c6fd1ef711e593decf4b875dcdaac221c7d947372d |
| SHA512 | 85d1ecc39bf89f50e108e885020f9916641ed60d74cf468f90f0add009b8541b35dd973ec78ab0e78fc629fd71dfdffdba0cc74c68c1795dd510dac78344db31 |
C:\Users\Admin\AppData\Local\Temp\cgoA.exe
| MD5 | 25dd3577d04ab34fe10eda1a581971de |
| SHA1 | d1bf8cc668282aeff4ffdce9eee56551829e8322 |
| SHA256 | 0b4823d7740cf6485c69660bbad7c5e0e1722162a137cee99239995c616c624e |
| SHA512 | f074c9163973407e8d32bf3f54af296f4267b64b522efbf3e4bae3e51119069c408fef5da21c4fda59f38645e26ad17a56dc858f7ca5f3623266d02266e419bc |
memory/4208-1860-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\eQEu.exe
| MD5 | fb014d707a0250b3b0c0afe70013b7e3 |
| SHA1 | 2f173e912e0bec6f24b976be7d1f81e38758681c |
| SHA256 | c793e672f1e52cc765a9255a22316d9077ea5efc04fc5e8aca46de1f37c61540 |
| SHA512 | 5f1db45dd1378ef743b7ac6c965376583d3bdbea2df394d7134c65d14ac21051d8b3f0d090a495453642461afd92e425b9f8f6ce3a75a47e569b9e8175b361ee |
C:\Users\Admin\AppData\Local\Temp\aIQI.exe
| MD5 | 629bbb476b904d00820684eb71b33871 |
| SHA1 | a14cb4886c5590ebe665ed17df104e111f6fc829 |
| SHA256 | 1b0274eb2449868239cb531db7d2f3fcb92c3670dfc5f5dee48330906d233960 |
| SHA512 | 74478a3327b189c7a89dec8b71bfb1b5e0b71b7dcf00865378fb53cb8cd75beefbd050960e3f165df24276b34a9e7dbd1995e034e982784e2a9eaaebe328c212 |
C:\Users\Admin\AppData\Local\Temp\WUIA.ico
| MD5 | f31b7f660ecbc5e170657187cedd7942 |
| SHA1 | 42f5efe966968c2b1f92fadd7c85863956014fb4 |
| SHA256 | 684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6 |
| SHA512 | 62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462 |
C:\Users\Admin\AppData\Local\Temp\mkUC.exe
| MD5 | 5e9ba0f4a2f6ef378cefd77ff17b76a9 |
| SHA1 | cdc4b07bedc4d41fc4bc9e77ec1ef7c76bbc7257 |
| SHA256 | 35d7dcdd0274e1349aa02e97da149548cf9d00900b1de08f422420bbfffc7597 |
| SHA512 | d5b8dc804d927eae03ccc471c333ade4a23e9dcaab0e51041b4d9e0315b4b81e243be9d9fb099bd0aee0e1fb3437a6e6fb1753468f72e0cc736058cd60da6652 |
memory/1816-1910-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Gogw.exe
| MD5 | e6222a067300310430e6428d2e804ed1 |
| SHA1 | d6764c5bd93ab747b09eee3281f13bec8379a700 |
| SHA256 | cd0a8fcd70000603262e376d649a47021283003ea24645003a1df408a9fd5e2c |
| SHA512 | 062b475dddeb8aa934244be2d7905a94a977614c52516200ef3d10ef6697eab71c1f7945c3746809c660d3be4ee59b64c22549c30785f65dd672be37269c5a1d |
C:\Users\Admin\AppData\Local\Temp\GwwG.exe
| MD5 | dfb90b09259e87cb69eb0cbf4e44f7ae |
| SHA1 | 602b21b349e332b5ebb9f09fcf12a299f5095868 |
| SHA256 | d348ca08b395c4b9f890ca8da11fea8cea18a616df2dee6f1f865f0a1224183b |
| SHA512 | bd96ab0a34aa9027ef72e7f69c1d7e970df9a8bc233ec70d3e886780ccb9c4165d91f9bcad7019149b2c5add4e762f028e05f9f0e9b8c1fe43a0c72982a8ed22 |
C:\Users\Admin\AppData\Local\Temp\UUsi.exe
| MD5 | a558b82413883a8ff40b652271111c5a |
| SHA1 | 3a1afa273e56ab850d01a94cefd899748176934f |
| SHA256 | 168c675fdb31d9c7019b979ae3c2c613f97ef33cab85ba87cd7b9c08fb532ed9 |
| SHA512 | 88eb7e3b754b86f3f95667f89977f911c6bb66c3280ae88e5f0b284433b44f16e6497efd1c0a76e422c24f9abfc8651fae478d7a06412a112a897605b5424114 |
memory/2756-1959-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\QQcS.exe
| MD5 | 83e958ac52b3d906247e27c7070cd9c4 |
| SHA1 | b416097020714584b65b7f26d7d85e47356b63f8 |
| SHA256 | c07e6dbe427c0fadd8bae13a3e6827ffa3e35525fd3b0b6c69ca255d777f715f |
| SHA512 | e8a21d2bb439cea35197609b08e41dd329f12bb6f95f2ec6234280addebfc46302a17664197301f40cad6019f68a93d3bf0700550261c360e4669d33aad7a92b |
C:\Users\Admin\AppData\Local\Temp\EkYk.exe
| MD5 | cf1c6e4a6fd9425ae8d32b86935de4f4 |
| SHA1 | 2330ecb29fe2b3eed97f26f52e4ab4c29a61dea0 |
| SHA256 | c8c64aa9cd898bc47d7a6a6e25a46e89946fb521d0eee056483927bf52250ba7 |
| SHA512 | 49e7f59e66556d31e306f3a8f04fe2a52e067b85c243253d6a952ebde7342faf56653b005bc938a52902868e3154d9618c207834159f76a17aad038c81dde9fd |
C:\Users\Admin\AppData\Local\Temp\mEEe.exe
| MD5 | 212a3fcd99b12e3957892d06950e8d77 |
| SHA1 | b548bc55abbc96e3c53231e0cb68502c1d227d21 |
| SHA256 | e1a84064eed5f0922c3189685a7f0215aa1229ba0e81ae7d5cc75abca52bf9b3 |
| SHA512 | 27eb27974e198163e268e3b6cd906e1124023671edce26345acf29683eb6ff94fd4ad83034e2fca2406b9491f5fb6fde350899eeec68b78fd0f499db2e9533fc |
C:\Users\Admin\AppData\Local\Temp\IMos.exe
| MD5 | 8eb411eae20b19c8c92a515e10183b74 |
| SHA1 | eaac1d2a90e64a30c804465dfb44c2dcef37bfc1 |
| SHA256 | 9847e1be4dcc653c7e412049d863c82f9010ba7be06ef19e26f1226b6c7bc858 |
| SHA512 | 7aad05b11263cdbd5ea5b432d8561e6907d946fe00c51400fabd89e3c980747dbe29ec45b40ac71c3fe33cc8d901e7d93f580117fcc88fc8182f93634ef4d344 |
C:\Users\Admin\AppData\Local\Temp\uEAG.exe
| MD5 | a09a3e56506d0744edc3fedbea6b1467 |
| SHA1 | a1788ebaeb7f2d46d615fbadaf754d216ae4adb1 |
| SHA256 | 12d1ba4dd1a0708be505b38438fe5347da7507a9037bfccf5239a0abc9ec852d |
| SHA512 | 14a2bf8b7f1a7d3159baa9474ad4d6263f20b3053b67f9a900532a14100d5eeae0b21c837cfcec3c74677b676c86c24c3a835f68d5d4960ae578dc3ff34ad943 |
C:\Users\Admin\AppData\Local\Temp\uYEk.exe
| MD5 | d7f3c60ffa8cf478f5cb8fa79b04eba8 |
| SHA1 | 1e6e7c0d8210feed4f2fabbd89b06c4bfeba6f9a |
| SHA256 | 66d5a1d8830a69838b4e0d1b0fd418107b1176836fd1341a2c170a73379fdde7 |
| SHA512 | bd40fb98084e2c8be5ca67c8648def7d1ce40f9293408ba933d220b69b5f4dc59cfef382c481819bea74054df512c926d365a8e997094a2c366aec4dc55c549d |
C:\Users\Admin\AppData\Local\Temp\SIUI.exe
| MD5 | 16b42e24c3ae0d104430b924ed68162f |
| SHA1 | 5332906aa83caa6b1a3f0c8e65ade65e7dfaab97 |
| SHA256 | 2d012d2faa0b7f6d781798228a8fe1afc1dc979aa7846ecc4075841242e4d102 |
| SHA512 | f1450b4a8b4456cceff9f8a2069bca2650cb2b358583514e3e895f50c4ec4f916726971429cfa02b81ff5f40566b120118b214c986bbca094b2ce5bc15d588be |
C:\Users\Admin\AppData\Local\Temp\usIk.exe
| MD5 | f55fa5217b3de9834ac0d0abf0502170 |
| SHA1 | 8ac1f14e1d93ddccc9e76f287287da04052d0725 |
| SHA256 | b3b7ee775b3fbce68ffb7e678a00a5c721424f6affbbaac98720e46295731715 |
| SHA512 | e21571e4280f12e37648d3fc2b96e138222ee395b7d4309d6970614e209db2efcaa55fea0001cbdc6783648907dbda62d002c7ac8f838105fcf59404d94f6c98 |
C:\Users\Admin\AppData\Local\Temp\MMcC.exe
| MD5 | fe282aad69e9ecf65f56af91e29c70a3 |
| SHA1 | e30cc70737d87ee27783045052e40a09089f6174 |
| SHA256 | f544c0fc445a6a65bf9f8828ad424d1ea531e95629224dbcf5c968089d78fe15 |
| SHA512 | dab6013360f8010441bd43621d95e6a20b4047d0506c72ae3946fba70bb8952a3d565cda47768384e1452cb961dff0bfdbd29fffac6ece683fe4f3d5ab82f726 |
C:\Users\Admin\AppData\Local\Temp\WUQo.exe
| MD5 | 6b1ef3b65996fdac882302228f0a4058 |
| SHA1 | bfe82392d63f12a9813b1e3ee1cd27fbdc9241d2 |
| SHA256 | 7d490e06daee3cd93d52bd0c0c9b0be1a03667640f31635ad218f12cf505e6a5 |
| SHA512 | 8e1c1e8b8d741d6c6e228fdb82bc353faed45ac79606c7708f193c0a3ad5f87dd58aa7411bbdf95c0788a2f7afb03ad8edaee40f9358784e009bd00b1ee19107 |
C:\Users\Admin\AppData\Local\Temp\gwYE.exe
| MD5 | 1395fa803346318a2f84ac42338ac134 |
| SHA1 | 0220adcefd7c163c1b34fe5164c942f88b518874 |
| SHA256 | c6000beb2c3eb33be75a89300fdd6d356d1a06e66f2542b931c8588e7c644ecf |
| SHA512 | 19d4c77a5e9baeee9cf5a9c2d6d8be4bcab2b5fba255c9387a49e047556bf24714b1bc1feb242a687b0cd532ea9c9fc2ba9feb10bf93055b9902e56e3eb6ef4c |
C:\Users\Admin\AppData\Local\Temp\eAok.exe
| MD5 | 7870340642c327fedd67c501f26d6b2b |
| SHA1 | 49696c71a21edd1897e1c29cd46defaa42abb033 |
| SHA256 | 92ea4f84a7f31b7dbbb7d209f92f260a060cce4303b2763c157957a459f62eee |
| SHA512 | 49d4d1d40c9762f1c3072048cbe5444ee32d5da0c1110ed50b61d1d23f5cab9fdd2fe39e21b46bfc0dc80726e64b841f27fdafa97078b6a5f89be3b3f2fff7f7 |
C:\Users\Admin\AppData\Local\Temp\Wcwi.exe
| MD5 | 775bd0c66508d05acd8b7d34bb2f3054 |
| SHA1 | be17450d716512c2c29c41759612a6e881796db8 |
| SHA256 | d628102da0b5578a6cdc57d1c689d44c3d15ef1b777da8a04517035bd016ab84 |
| SHA512 | 5e09d13dd0328092ff813db321fdc5b6c5dc1fafd7fdd18cdcb8bd3925e05de6490b19bb8c9142505028725ba15ba2a5f96b8dcdf80314a0b3d64ca4db179800 |