Analysis Overview
SHA256
3c17e906d9149bcf28712a3037e7dd455f7ac0fc159c2f61a2130303c80bb6f2
Threat Level: Known bad
The file 2024-11-04_0048ee167026646b746be0135974898b_virlock was found to be: Known bad.
Malicious Activity Summary
UAC bypass
Modifies visibility of file extensions in Explorer
Renames multiple (84) files with added filename extension
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
Drops file in System32 directory
Drops file in Windows directory
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Modifies registry key
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-11-04 02:42
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-04 02:42
Reported
2024-11-04 02:45
Platform
win7-20240903-en
Max time kernel
150s
Max time network
123s
Command Line
Signatures
Modifies visibility of file extensions in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\ekccwEoE\PsMoQcoE.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\ekccwEoE\PsMoQcoE.exe | N/A |
| N/A | N/A | C:\ProgramData\CgwsgMEc\BqwsIgwE.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\PsMoQcoE.exe = "C:\\Users\\Admin\\ekccwEoE\\PsMoQcoE.exe" | C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BqwsIgwE.exe = "C:\\ProgramData\\CgwsgMEc\\BqwsIgwE.exe" | C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\PsMoQcoE.exe = "C:\\Users\\Admin\\ekccwEoE\\PsMoQcoE.exe" | C:\Users\Admin\ekccwEoE\PsMoQcoE.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BqwsIgwE.exe = "C:\\ProgramData\\CgwsgMEc\\BqwsIgwE.exe" | C:\ProgramData\CgwsgMEc\BqwsIgwE.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico | C:\Users\Admin\ekccwEoE\PsMoQcoE.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\ekccwEoE\PsMoQcoE.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe"
C:\Users\Admin\ekccwEoE\PsMoQcoE.exe
"C:\Users\Admin\ekccwEoE\PsMoQcoE.exe"
C:\ProgramData\CgwsgMEc\BqwsIgwE.exe
"C:\ProgramData\CgwsgMEc\BqwsIgwE.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\hMQwAMwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\TwoAAAEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\VCQUsYYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\xsIsMYIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\YyAEoswM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\YAMQssks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\gMMMckMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\uaIsoIcQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tEoMoYsk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\VeUUMUkA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\DIckwgkM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZOAYcYwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\OmQkoMgU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\kQUwEMos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\KsYcUYsM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\qGAkAggo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\FqoAMgYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZUsQkooo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\liIYMUYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\PusYcAUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZkMkcUko.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\QqoQIQks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\oegAQUwY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\WgUccYgc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\uEUokIgI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\dykosQQo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZUIcIUQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\BeYoYwAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\VsYwkUUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\wEMAkYgg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1152699446-225489920-160263440619160776707148176831071960719265092953125757553"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\YewYgUUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\OsYYggwI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\cowQgEAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\xGgIkoME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1110834162-7775919-434209221-19712775571725990863-309356112-452373675-1994183479"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\VmgUkkwM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\pqQUkkkc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nOEoQcsw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1044627975-1336906329182525901820783766059173961053339799301073652738106232463"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\QsIssUQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\IGckYYQo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "7366060021492938547271382216-155759699-1624790695-1734328765-469359512672886867"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\gkMUwYck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\SAoYUUwI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-4036379621613526456-5109707421590299967-9761364242139096034-1951334892884183828"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\PiokEMMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\pIUQsoUc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-815483612-31281271721308594521721721541548566373-5340560701225512470-1676807289"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-101603612717714526422099974939-134088752-626859888-815434516141875171964927757"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\DmIgscwY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1942668385246665526298106580-513548416-1609542498197825998611359168321403509076"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ykQsQsUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "16582666097166232181880578508-750518612-597692471947101342-46697316761881071"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\IiMAAAwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\qMwYwMYM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ygskkcwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\BCUMMswY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\HYcQkIss.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\DCQAAIgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\VYgkokAU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sWQcgEsk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\WagQQUgI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\wuEwwYcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\AcgEkAAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tMAUgMQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\jwEUUkQw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\XQkIgksU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\FwgkgcEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\uiwEkEQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\GkEgYwYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Network
| Country | Destination | Domain | Proto |
| BO | 200.87.164.69:9999 | tcp | |
| BO | 200.87.164.69:9999 | tcp | |
| US | 8.8.8.8:53 | google.com | udp |
| US | 8.8.8.8:53 | google.com | udp |
| GB | 142.250.200.14:80 | google.com | tcp |
| GB | 142.250.200.14:80 | google.com | tcp |
| BO | 200.119.204.12:9999 | tcp | |
| BO | 200.119.204.12:9999 | tcp | |
| BO | 190.186.45.170:9999 | tcp | |
| BO | 190.186.45.170:9999 | tcp |
Files
memory/1836-0-0x0000000000400000-0x000000000042A000-memory.dmp
\Users\Admin\ekccwEoE\PsMoQcoE.exe
| MD5 | b5b4ade29b33f6f62ed9db062a7eeeb6 |
| SHA1 | e6db49403e03b8b04f3d14ae14d9fddc9e6a84a8 |
| SHA256 | d6aac02d9d188e6b8e3f932069a36c92ed1222762460b67c14ea18d3750970df |
| SHA512 | aa8d323a975174282ae69d940a82906ef6b2f22908baa697feaefbabaff003fef326688edc830cb96951267ff3b27a7adab3c89bd74ff09a1e98504c82efa3db |
memory/2380-14-0x0000000000400000-0x000000000041D000-memory.dmp
C:\ProgramData\CgwsgMEc\BqwsIgwE.exe
| MD5 | 1ecd9a2d2261066908e87a5ecc522421 |
| SHA1 | 8e9aa64a0f591898a37330025d5a87ab25ca7953 |
| SHA256 | 364cc6ea4da2306267a6600157c0bc68ab3f3e3590a13d5df334213ccbb92404 |
| SHA512 | cfa580ea73434297918c7499322d18f9751c1949a41e99bdad84a66b8a1c6b4649d571484bbee05940d42058dc2e510d63f22c987171fb75c894e70d7481a9b4 |
C:\Users\Admin\AppData\Local\Temp\WgQosoAQ.bat
| MD5 | e42b28899be0d1c5dc64a97b5b2479d1 |
| SHA1 | 20622cafb39c13729b18fd4441004229022e9fae |
| SHA256 | b28277c6ea487ca99e239573f1d1e72c17eefd4eddd44aacff6829f422dd1202 |
| SHA512 | 21b34cefc4cd5e0f129a4c2d8dc25ee9a8821e9902f384260f199d91f1e305c1fe4e92761ff753ecdeeb499e46b04b7b375d16a5f780f9f8661b10cc0f3a92ad |
memory/2484-31-0x0000000000400000-0x000000000041D000-memory.dmp
memory/1836-30-0x00000000003A0000-0x00000000003BD000-memory.dmp
memory/1836-13-0x00000000003A0000-0x00000000003BD000-memory.dmp
memory/1836-12-0x00000000003A0000-0x00000000003BD000-memory.dmp
memory/1312-33-0x00000000005C0000-0x00000000005EA000-memory.dmp
memory/1312-32-0x00000000005C0000-0x00000000005EA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\hMQwAMwc.bat
| MD5 | bae1095f340720d965898063fede1273 |
| SHA1 | 455d8a81818a7e82b1490c949b32fa7ff98d5210 |
| SHA256 | ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a |
| SHA512 | 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024 |
memory/1836-42-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\file.vbs
| MD5 | 4afb5c4527091738faf9cd4addf9d34e |
| SHA1 | 170ba9d866894c1b109b62649b1893eb90350459 |
| SHA256 | 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc |
| SHA512 | 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5 |
C:\Users\Admin\AppData\Local\Temp\RWkYEkUE.bat
| MD5 | b5953b08f3c1ffdfcda146f30ff62a09 |
| SHA1 | 1d922aba7c85a0a3adbd5d26a26271f0c8280df8 |
| SHA256 | f4ef077bbd90d0a6b678289e17b7dc8837751ee92eb77424aae31f803e36c5b6 |
| SHA512 | 0941134baffefebaff94569b37a68f00e4e06736866991674a189108b9887eeed8cb0623213bf0b6ebe09e99414fcad6ae990c130407b49df996513bb9adf5dd |
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
| MD5 | d342c2b5f3d16dc992db22cb737ad617 |
| SHA1 | 615a98744fb22809454b706174597a4d6b6d128b |
| SHA256 | 0618d6fc5a05288bb126eb258fccfe7697e194022a57206671a172a39bc5e486 |
| SHA512 | 4f773f0cb331d46e54f89db7af96be8cd72689cd85d6698d9737052ca088c30e9bc4064cefc277ab7b65b76787735956702f6c7b8f048cabe46c2117107953d7 |
memory/2664-55-0x00000000002A0000-0x00000000002CA000-memory.dmp
memory/2344-64-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\JIwcYsog.bat
| MD5 | 3a6570c122e1819b0d9ae1b435e3fc61 |
| SHA1 | 8bb9d8509bbfed71df68a68a4097151f6b8cbbb2 |
| SHA256 | d8dcef5aefb4f8d3710d2a9af8af4279b64956b23ce5074d52c71cde9fd302c9 |
| SHA512 | 026ece0969f7cc0ffa6e68677a2347a9f3c2d44552b5a94fa6649b39bffa00267498285e39bb0c4bba53087c411d48babeee72d30ab24de12161248cc457213f |
memory/856-78-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1120-77-0x0000000000120000-0x000000000014A000-memory.dmp
memory/2784-87-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\poggEEsk.bat
| MD5 | 2bfa073912b4284316495529964eb031 |
| SHA1 | 5dd255c34fd6dca8c582ed45f5705ea2cc1ede2b |
| SHA256 | 5861a07c6e67aac83e8c661d2fdfdbda41ae4a2041141c359302a729c3d8d862 |
| SHA512 | 340dc891d0af0cd77ea9ef93c7ff4a34135c10a73fb16eef97270bca7b0c74542a390eba7bfc2ecc09eaed8542a92efd71f2f2e74f6998ceef623bf14660858e |
memory/1140-101-0x0000000000120000-0x000000000014A000-memory.dmp
memory/1140-100-0x0000000000120000-0x000000000014A000-memory.dmp
memory/2372-102-0x0000000000400000-0x000000000042A000-memory.dmp
memory/856-111-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\oEwMYEwg.bat
| MD5 | 1b3574a89c1688cf415ba2670f64f694 |
| SHA1 | b608aaf84d13542e858f8be4841343c34fe99921 |
| SHA256 | 827fcdd2a0cca8b4233289d10a4e135fad5f6dd8d2b30662a122c9f35492c18c |
| SHA512 | cb6d5c6559a02ad7bb93b3ea602deab18e0be08c7b5e3b3b1b3d2162463014df434a163e4c8a7d6d6cff4dd431e2abefe81176dc3edc34ecd43cc2f27c17957f |
memory/792-124-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2372-133-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\gCskMEkM.bat
| MD5 | 1fcc8d821ba5790551035cf70c8dbec5 |
| SHA1 | e48a09f04262be2725c35be40aa223888b774215 |
| SHA256 | 795ccae1e57ba2b98232f585e00d5db2a08b68c3504ca96dd449d3899e3d8fd2 |
| SHA512 | f578b7781cb4c720c4acc08a0d6acccc609f79e6cc0e0786a89813c7a290fdc141962c4ade365b750a35090b21872e417f4adbb4127aa8cb181e0cf8290f2a6f |
memory/1604-146-0x0000000000400000-0x000000000042A000-memory.dmp
memory/792-155-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\QYwUYIAQ.bat
| MD5 | 33336696090fedef9942cf7f1a2c178d |
| SHA1 | 29d028cc52bba721efa39cd4f171aa9a6679193e |
| SHA256 | 419985f5da87986e3a3a41ddf5b1af6a96b6ee7e4c1771251629a3f8bdc9f4e4 |
| SHA512 | 689820129a70e986afb3cec1d1d5ee3bd6bd8e6a53eaf2e8f564a791fed27d56b916eddd6d5f11e90c4da05e320804a03dbcbfdcf0e1e331677d4908c0724777 |
memory/2772-168-0x0000000000160000-0x000000000018A000-memory.dmp
memory/1604-177-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\SgkUgAUQ.bat
| MD5 | f365b876f5299a7b80d34591cabaa313 |
| SHA1 | 97edadc2bce5d96ce20ebd84cea29db80d44bb5b |
| SHA256 | bcabdf9d45925bd03c419bdc11029fbea5c57ae2f5ebaf236509836dfa2e1c7f |
| SHA512 | 52bb1d019fa7bf4ad15e430d2e7cf773153567f655859ee22999cf885de96d256f1e702071dcfd5907c5a1a1bb466caf81b862fbce0cdcb7cafde31545626b60 |
memory/548-190-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3028-199-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\dqgMkQsE.bat
| MD5 | 8811cd2d46489197da46f575e589c008 |
| SHA1 | 573504f8f8cd84af2ececdb90b412e2cf3915538 |
| SHA256 | a7e26f29a5987ed5a5a951647e6868066b894943d0288f2083647574f84c0fa0 |
| SHA512 | 2b75638249275619c880959189d457d831be601c96f4463463fa190c9429bd5c9e575afff0118409cb85427b395945de3049a5824a7ba07f60156e9473667ded |
memory/808-212-0x00000000001D0000-0x00000000001FA000-memory.dmp
memory/808-213-0x00000000001D0000-0x00000000001FA000-memory.dmp
memory/2120-222-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\jqYAgowQ.bat
| MD5 | 063eec28510861ef308fdbae49615d06 |
| SHA1 | 61a6efc6b6cf7275f45e8eace48555632db1e000 |
| SHA256 | 17853cea8312442b9b853be911dbdc216035589c1579826746b8c4d389adca7b |
| SHA512 | 742b6e8a51bb2cb66ed6bb50d25a2222318ddb0499eb525073318e9ff987e9fba432d081ec17a65fa3fd68874a754daff8fb44c6f7f657b2f28470289bef62d8 |
memory/2544-236-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1120-235-0x0000000000160000-0x000000000018A000-memory.dmp
memory/2340-245-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\dQMcIMMc.bat
| MD5 | 5770226ae210104827351f49c37e12a8 |
| SHA1 | e8f9bb45789bbabc6901164a9f1a9d7bc9d4a6f1 |
| SHA256 | de89c7e3e27f28253ccaa181f2e0c1539022b6e960fa67c46e9be7a312f38d30 |
| SHA512 | 3731fdad58631752f3a94906121595c8fe15c8abf55ef772805699546707b6f1e6b1139cb033e3359c91d797dc457ebd4f24eb4519c50fd58f38c7305dc2130d |
memory/1292-259-0x0000000000170000-0x000000000019A000-memory.dmp
memory/1292-258-0x0000000000170000-0x000000000019A000-memory.dmp
memory/2544-268-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tEQsYQcU.bat
| MD5 | f59ef76f9bae1916b14ce71401a2f563 |
| SHA1 | 3c70aa699da69a1e089ae64c4689e4a25275ebfa |
| SHA256 | 7419ca2a1a72f260b0decf2bd2731c168ca6a7dafc7571b3957923df3ce3a050 |
| SHA512 | a1e83db593eaf170a25cba83f588991d529371cfb449fcf94d8164036973e1e07ea4c9d63f41fa4789f7347c70bda6e011c6cf833b642ebc2df03d861254985c |
memory/840-281-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1960-282-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2600-291-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\wAAgIEUI.bat
| MD5 | 3fe768a28eaa7e9de778d2009339d289 |
| SHA1 | 6d6189b1d6044b2943299a67ee4424daf56df72d |
| SHA256 | a1958e69d6faad0ab9369e93544681ef11fe75f51c268736359044e4249abe95 |
| SHA512 | c924aa8c77520f446f770ae0083aca7b8eb453e22ab108b0adbb636fe9518e7b213e402b031eeeb2b5119e0cfb0c4bfc1ad1a560e9c1326a9f25fa7ff4717c0e |
memory/1960-312-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\iCIYsUUo.bat
| MD5 | 4c47dbe3af2d407fe88470a657742baf |
| SHA1 | 5226c6b799de98f565e0dcb3617223057a7e010b |
| SHA256 | ac56f5e815d5e32d1c6a7b47be3a356be8d1da3614d4c42295ff22c27f0f43df |
| SHA512 | c3e93cb0e5a341d25f1958f993583d536d9ed7e4a9b20747fd481fdf4715c45fcb487dd79adb73c9db05be21281c829f16e438cbb20c84dcb8147f2df0772fa0 |
memory/288-325-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2620-334-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\WgckkIwc.bat
| MD5 | 5d100fe60521620927c3eebef62f3f3c |
| SHA1 | bd0a897ce9a0b14dde5764f4169715ca3a7b75cb |
| SHA256 | 605190eea6fbafb4a5813ff6c0dfed8f8a7a6f038b46bc636bca787e60e6e4d2 |
| SHA512 | 49d849f0bf01cd2c8962404f19dbbd0a9efcab86b3c9f7bad030029cac5bf5c5e41fadb2627008ed3aaa143865b91e1682e6ae171259e6110b87d097fdf666fe |
memory/1804-349-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2076-348-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2076-347-0x0000000000400000-0x000000000042A000-memory.dmp
memory/288-358-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\QkgkgkQM.bat
| MD5 | 100c1730207d26ad4939f68bfba0fc61 |
| SHA1 | fdeb274421c8f2644b3a66f6417674b7f784fb22 |
| SHA256 | 4c3d7d23f30d32ad1c0338c7721bfae5e4d412f4610612c1223bdd38583eb0c6 |
| SHA512 | 77563b100a3a0d569b4799f5260787ab8a032b4c9a26653ea889f6298620cbca11a89ddbcbbd3922f964f0db3163b8df81c512ac7da82ac88c78a6b0534fe316 |
memory/1956-371-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1956-372-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1804-381-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\pwAwcQoc.bat
| MD5 | 9775b50bd438092100130dd52bc38f0f |
| SHA1 | 2a41d83ee6e04fb436c9eeb152d7d504d4e9030e |
| SHA256 | b1c5868a1e1974b21e91ce5c2bfb16a9308e32b7f6741f8262b5606e572e635f |
| SHA512 | 2259a24376f5015d3a71f68510e5ef7f8f1abef8454c80852e0f361c6868904335634ed15c86fecd474f747a88b11fc9f09164dce85c2d9726f72fc9194ba893 |
memory/1508-402-0x0000000000400000-0x000000000042A000-memory.dmp
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe
| MD5 | 9d10f99a6712e28f8acd5641e3a7ea6b |
| SHA1 | 835e982347db919a681ba12f3891f62152e50f0d |
| SHA256 | 70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc |
| SHA512 | 2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5 |
C:\Users\Admin\AppData\Local\Temp\RSMkwsAw.bat
| MD5 | c7a3e0dea504ca6bb8bd003b1dcf772b |
| SHA1 | 618de61188ccaa5aed7286ca3190a2531bc5e9b6 |
| SHA256 | d2e5b48dbb3d52c88ab574e638ec6f584f55c9a346a1c81f45c07e4bd63b6648 |
| SHA512 | 5bd41f321043d5f4cb167c352fcf4eefdc5e1868a6026e65948a34fe568d7ae9df5111c72f6fc1950da01d4e4a6092624931cfe98f9409220af43ac20017a3b4 |
memory/2072-432-0x0000000000400000-0x000000000042A000-memory.dmp
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe
| MD5 | 4d92f518527353c0db88a70fddcfd390 |
| SHA1 | c4baffc19e7d1f0e0ebf73bab86a491c1d152f98 |
| SHA256 | 97e6f3fc1a9163f10b6502509d55bf75ee893967fb35f318954797e8ab4d4d9c |
| SHA512 | 05a8136ccc45ef73cd5c70ee0ef204d9d2b48b950e938494b6d1a61dfba37527c9600382321d1c031dc74e4cf3e16f001ae0f8cd64d76d765f5509ce8dc76452 |
memory/2408-431-0x0000000000400000-0x000000000042A000-memory.dmp
\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe
| MD5 | c87e561258f2f8650cef999bf643a731 |
| SHA1 | 2c64b901284908e8ed59cf9c912f17d45b05e0af |
| SHA256 | a1dfa6639bef3cb4e41175c43730d46a51393942ead826337ca9541ac210c67b |
| SHA512 | dea4833aa712c5823f800f5f5a2adcf241c1b2b6747872f540f5ff9da6795c4ddb73db0912593337083c7c67b91e9eaf1b3d39a34b99980fd5904ba3d7d62f6c |
C:\Users\Admin\AppData\Local\Temp\XkcIwUYU.bat
| MD5 | b1246f1696583a65aa403380f08e4a22 |
| SHA1 | 87d37229331e93d15dfa2c203d0c63c60e4c7832 |
| SHA256 | 597505c694313c6b1b097c02c1e54d9948bad931fd2ba735b50d120a1340e5af |
| SHA512 | 919808c2415f1473d8d115aef7a1f1e762624bdc418e1777a58c42012d2bdb1caebcc0118f483cd4d716683db5bc324760d8e6b16a72d4a1539feccdd693c51f |
memory/1156-442-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CIsM.exe
| MD5 | b1a9788e78b31eeab8d39b6ab3c2bc17 |
| SHA1 | 03759495a4143b1393a56d3ef3b499e6d41081f4 |
| SHA256 | 03d43205b882bf9326ab0f94061b2fcd17774d63af63aa469d93ada9c3916d95 |
| SHA512 | 1d2d6c10d8730dcef5772e142ded1d01509d0b787fd711f5d0c2a829d20371c04fbad0eb3625ce2b240965c4453d2a428a44d12f6cfc9619affa3c6158c84cc9 |
memory/2944-457-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2880-456-0x0000000000270000-0x000000000029A000-memory.dmp
memory/2880-455-0x0000000000270000-0x000000000029A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\WYkK.exe
| MD5 | 743a9758c792b11bd5e495040b32df78 |
| SHA1 | 904d04a3a2aa9cf9d1d8e0fa4c26c399a51bfb55 |
| SHA256 | 92a99d42ac6c218adc074cc0cb218d90ae06778ed7420fca8b53fdc2257a19c4 |
| SHA512 | f0bc9e74c9cae8f2f7f7ab21fec02328d7c51a6fce6a5798275f2f211b5da3a99d051f624c19b5448945f86826f6455bd6e958926dfd64d6e0b4fa9f4c24003c |
memory/2072-466-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\cUcQ.exe
| MD5 | 59459312dc812bf6e09d7c29f3b231ae |
| SHA1 | eb85a635946a7c164571172d1c1f7d13494d3112 |
| SHA256 | 13e73a2c3e478ee76722b5f401de759d8cc49e7da5f23900122d59ac98d00f6b |
| SHA512 | b8c7a48cc3a3a468fd188b14f7ba92c31aecdd6ea1d3caba9a2678442c2e0c13871adde395ab383abc7661b4207905e885d89eb0fca1fd313808763db1b53d1c |
C:\Users\Admin\AppData\Local\Temp\eIIe.ico
| MD5 | 47a169535b738bd50344df196735e258 |
| SHA1 | 23b4c8041b83f0374554191d543fdce6890f4723 |
| SHA256 | ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf |
| SHA512 | ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7 |
C:\Users\Admin\AppData\Local\Temp\assO.exe
| MD5 | aa2ce16fa5ca0d172a48bb8274ad51a6 |
| SHA1 | 18a2366ad48d105308659032e7779ce36a157630 |
| SHA256 | 618996a94bc2991c487ccfb00ed4a98f1dfce33ca4cf7f5b0291c141c771d177 |
| SHA512 | 2cfdf8e3790cc0add3b7d5dca84812b038200c5890e5a77cf2b48f177d599e8b6238c241e5ccbadd954ffab680ce71c42b508779f7dea515de28e4596c299363 |
C:\Users\Admin\AppData\Local\Temp\RYsooUws.bat
| MD5 | eec9482504e229454f3264b82115ea8e |
| SHA1 | 78b3297cb89497c0276bacc21fde58168e4e7a8a |
| SHA256 | 8b7204df2f3fd47d8d1263cddff179c4d6110037124992757e41a99b219a2d4a |
| SHA512 | 04783cc4d833cca479d8770edcb1b7bdc6e6cd39faa6e6c5f425a59dcca2f298029d73f9e4aa9b8aba580a955044a4dda9026f73b38c0217336b33bb0d6bd2a1 |
C:\Users\Admin\AppData\Local\Temp\YEgu.exe
| MD5 | 2eff96db2d18138676a5626e0df36a19 |
| SHA1 | d7cc72d50c16a3e3c68bcd553247a87410543210 |
| SHA256 | 6ec7d67db2b6cf91db52ae0118559d1af1625e75fec4951a93b6fe2865b3ec99 |
| SHA512 | 7cc93db89bbb66159120906700710209af34d7a4e667b72679b7801ce21ebb2cf3002f74b518b509c010106512856bc37ff5709aebe308bee4880f2352c0dc9b |
memory/1012-528-0x0000000000170000-0x000000000019A000-memory.dmp
memory/984-530-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1012-529-0x0000000000170000-0x000000000019A000-memory.dmp
memory/2944-552-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\YIsm.exe
| MD5 | 5be2a7b19c0b3fcf84cd798c45e70bf1 |
| SHA1 | 0be28ecac4864a24211b46e27d797a1b37f6e0da |
| SHA256 | 92f9e557925ea042f6035dec6327bf6ce6811dab9c0528806f932408af1c94bb |
| SHA512 | 81d5c44d63b3423bd7cfa6cc2be0e88bf45da904abe5fe5364ce3551e0042b592e77adb489b6058d69909c211e29c300202e98ae59825be2fad7d0660b84ab9b |
C:\Users\Admin\AppData\Local\Temp\wYoG.exe
| MD5 | 7554f1f5e5e6d08bd939060680d8c1f2 |
| SHA1 | b5df3ca1ebe1460c0494b8080c42fd1d27f26d58 |
| SHA256 | 99cac0c64ae44ce8671d47a92a8849a9009c1bd5f28f3f24a90196aafd19fd26 |
| SHA512 | 4bda5ef7b37b9f2257c71436437a9a0af7908bae93dfdb07b290f63109f83b6fbea21e8268978eb19cc7f485575afcde8cbdabd6e75743f2ebccd0c0c952ca42 |
C:\Users\Admin\AppData\Local\Temp\kEMA.exe
| MD5 | 99469053da5b831636dbef445c404965 |
| SHA1 | 14b96c27087e358eed78fc2ef8afe7e07448f4d9 |
| SHA256 | 8692d0ee179f7624d3bba7fd0e58754ca41b3a1a9fa33999acfc025112194dfd |
| SHA512 | 81a957cf536ff7aac99479ff3b4d0a59eda4da5b4ae940966b8001a5074ed99d47299f1d64ae90a09ed1317afe8f4ed3082fba646c2df4b613c719e99841a1a1 |
C:\Users\Admin\AppData\Local\Temp\kEck.exe
| MD5 | 2ec11c9e86e63564ef5c8deab65019d9 |
| SHA1 | 887f84c9bf44cb7dea7a7da4f7836ecf44f12bf7 |
| SHA256 | 71ba49018b6c708fc0a5d540196c6163c9fdaa1d29df4d99892c198499b19d19 |
| SHA512 | ae220d56c8014915a156a41d4ee4d36d3e8bd5d93485eb10bbdc5ee7cb094cf20794650b74e05ac47df71676d53ce9083e92b634f314fd40703489f0b55828cb |
C:\Users\Admin\AppData\Local\Temp\hIgkckwY.bat
| MD5 | d6f9251b5045d394b155a3bea2253e6a |
| SHA1 | 5b193292a61c25f7e83de1135a50e882aa73b232 |
| SHA256 | e0dcd79bfdb1296c33f239dbc0860cf875636b8e5a5df20394e156d0fecfcaee |
| SHA512 | aa54dedac261c1eb4bbf952ccf6a152912873a66364be69693be30c8bcf30b77fb819ea8ce3eea2d9f9a313cac2173c5321fc4f636c682f14043b52e3d1c621a |
C:\Users\Admin\AppData\Local\Temp\EgYK.exe
| MD5 | fa22380ccc69c9b33a418b70c2718c73 |
| SHA1 | 9c2fd05adbe0051981105c1d2403a9dd6cb9f993 |
| SHA256 | 28b64619b703fb4817b8daa205d731890d8afcccda55e9d5cb0162ab8aeca920 |
| SHA512 | 34a2d4ce537d4e70cb2baca7a9581d5e27a2a73ed0a889455cdb1a6dfa5e1fe683a600fa688fd5ad1b3e6cf0c5768c4c1da184a1560d39b87618ee5fc7bef0b2 |
memory/308-627-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1556-626-0x0000000000400000-0x000000000042A000-memory.dmp
memory/984-649-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\OMAg.exe
| MD5 | 38060d6c1444c47d39a291903c0a0e7b |
| SHA1 | aea36df8b02450cc240db6d88b678b05b0a5ddf8 |
| SHA256 | 02c8b9d437a4ec03d030dadf0ac58ff690696c3e1119f49e8d6aebfe9505dc4e |
| SHA512 | 91eff4b7145fda5ee19576c49561c850d117f87bf526ae4ba18ff0600add37f3d77a99bc8470677748f5577b5282c0795bf430134cc020b01fd3f9544ffb090f |
C:\Users\Admin\AppData\Local\Temp\coIk.exe
| MD5 | 370a9ede5593b175c7c65688b9cd2c86 |
| SHA1 | 26498d1967afffdad0321c2240da1dbe9ef398c0 |
| SHA256 | 91e7a483844ced00dc95535cd47dac2c1a65a434803563e8ec20063394b81163 |
| SHA512 | c27ae7d5b93372199d63c6bc3cedd9534649ecafbc9c455d3c00996d7d9c5a3156043d14bce48baa11dc5c80fa2770061c650d9a8f3b712b1cbcd5120cca30ac |
C:\Users\Admin\AppData\Local\Temp\qYEo.exe
| MD5 | 5b8cdf7be3f2c8a0b3fd6f537283d280 |
| SHA1 | ba84e6266b9788f04861f6c34742941362f054e4 |
| SHA256 | 0629b04a5af88bb34a9ab5d6b5356ed9011ab2b1febd0ea8ebf43cc608831ee6 |
| SHA512 | ad066ee5080f9c84650be3102341ee0b85c5a4d534dc35f5e1c3d64790b255beff92a53fd331a882031055e1ad0403b9a94ac6821e8193d7e5759f4afbd3910c |
C:\Users\Admin\AppData\Local\Temp\QYsosgEU.bat
| MD5 | 4fd909e183dff32b8d1cb3dcf2100ada |
| SHA1 | ebda17f304dbb4961700ce1ec26b4a9d31ac1356 |
| SHA256 | f7d6a451ea51f279a2e76e83c30e3810cae5cc76c5c272855e1df48b2b3a6356 |
| SHA512 | d6b2f8ea0f4e47827bcdfab8923e24d6c0c8b4462a4893a660ca1b06a0a0d79762b828345a264c5f8cd9fd64173ebdaea5aabc0696148577ad08c9da7d8ea9fe |
C:\Users\Admin\AppData\Local\Temp\GUQA.exe
| MD5 | 83624d4ba220b9f773a4d31767798570 |
| SHA1 | 893a31ef153da2217787de18db4d0abe97136331 |
| SHA256 | 534f8adccdc1b57b9291a9b045ebfb242154311fb21400c44244154b7a00a5e9 |
| SHA512 | 9e4d256ccf642145974c815b43876d57afc393bb9ae017830794497ad8b7c13cc062c02500093587726b6d03b1118e067d0b78ad894bd58af8a717c1fa99ce07 |
memory/2784-700-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2580-699-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2580-698-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sEUq.exe
| MD5 | 9830185ecc3de4e3bd126c47d372853d |
| SHA1 | a91cc82dd9a95d7477c64399e76dd45e1e3fe628 |
| SHA256 | 387387f063c01120f156eeda8eec75c0a51c55688afeabfeedfe7f7feee85586 |
| SHA512 | c70bd1ec7b2679632f7fd9a9bcf2b178b157c9e4398e9380ca97909080a361581a6f4e7b779c27b4abd991464c0467f47e531363005aa2a2665cbd4ffe7161dd |
C:\Users\Admin\AppData\Local\Temp\EwcK.exe
| MD5 | 6b1514d235d4ef2c26723eda234494f6 |
| SHA1 | 3fb5bf2a4bfac029b9b2cb1de8131967d5bcf09f |
| SHA256 | a5eb64750a11db577c1fb2a0c47020ea559aac9c850bca068a4504323a8cedd4 |
| SHA512 | 46f60cf5d4cbce20c3a2bf6ce605e848d8eb4836ac30d3eb512320a7752d129f4e686f2fedc513d7f6518b9a084360b0d4209fa8ca1c9e17d3e509ddb4583a93 |
memory/308-722-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\QEUA.exe
| MD5 | c77a7ede0ca73b6e6494f9663656f87c |
| SHA1 | 74e5e23f1e23068776286c9a4e68c50204c587e6 |
| SHA256 | 800f34ad23374eea9142809accd44c28fb569aa76019328fd5ac7e12e159ac0c |
| SHA512 | 0cc951c91ddade2369fad999bd86f743fdf8e4fb356f1683b0abc998b3cf11ec594d669e45b2fab2cc95def92f7937dce3945fa6488598de38646897bdfbafa5 |
C:\Users\Admin\AppData\Local\Temp\eMUo.exe
| MD5 | 260d1f3f39c0e345f47856a79ef2f2bf |
| SHA1 | 509cbefc2032d99e2e4880909fc09b2e52c7b8c3 |
| SHA256 | f011a3384fcae43ab082c89a36eda3b519d12edf8b970592a5bb39b7196b95bc |
| SHA512 | e5a17724b746f505735165b1caed6e71bed225384d36762d7a3355e264534f439d9ad916251577357252d2b984e33fa2386aeae9327d19346643646d690b9a8b |
C:\Users\Admin\AppData\Local\Temp\cUMW.exe
| MD5 | 14369ada4b59552c9b5427cff5bfad61 |
| SHA1 | 171cb02a78466be1a4f46cf986d26195ca0717b0 |
| SHA256 | 8eb3f209be9eff37a4e5cc85b58b34ccf3eb27ff99da5ebcd9a6e7aec403b5fd |
| SHA512 | 28043abc646a8d591d06ff91c2f49b3264fe7f5d5f60b210811648fcbab358254ff2560579ad284fa21107337b3d371229f8ce1aa9fc9161b52cf8cc7954b918 |
C:\Users\Admin\AppData\Local\Temp\aSEgccko.bat
| MD5 | ab4aca6e55ac26312a148324fa87c63a |
| SHA1 | f562ded6309e77758a80901e7b0db009eed061b3 |
| SHA256 | c75122e959bccc838d2b9dc80b51c6b6806707266495093053d64be76e719797 |
| SHA512 | 399931228b22bcb33f3e42019dc4ba60debe7054b93ea55cd0f05ddcbf6bbc98b8a30ff4832f119bc61b3eb5cc1d9cb3bb5efd34897d660b84bc1378ca16faed |
memory/964-784-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2784-807-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1772-799-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\UYww.exe
| MD5 | 9bb1068745b3d8bd1f243866f3a01c99 |
| SHA1 | 67ebae2bf1815a9c37d38960cd3df0ddfbf145de |
| SHA256 | 137a8d2ac9c970bdb2f0655ae9e67fa9fa5991cff21b979a81f53408f8d4dc54 |
| SHA512 | e95436b95e8027ad17efe8999b65d1c16c00ed5a553fdd61b80d6cf8043a11e0f0d0c0eee0eca0424dce16c6fee36c5fe770f07d0609e483e39f266e946f93b2 |
C:\Users\Admin\AppData\Local\Temp\kEUk.exe
| MD5 | 718914c7f2baaa401c2f041a08a71190 |
| SHA1 | 9c9f8437b990c7af348cb74487473763de210570 |
| SHA256 | e1c5867c64c9125d582074cf0b68a7e4d1f1b1c30c39b7646f2bc141e3541639 |
| SHA512 | ff7799f2169edbbafc6da2428fda989d0075bd79d26797cf71805b775c8a35d17f96b779d09be2240f0b75ad486dc2df889613d7aeb527efa356f8f9c72b029c |
C:\Users\Admin\AppData\Local\Temp\CUUk.exe
| MD5 | 1d71e743e047f075b3979a10ff0251f1 |
| SHA1 | ce932ecd3af192f3d0b98fe84b16f07b14f3adba |
| SHA256 | beb03d54c5f14063f392804e6cd1983ac13cda4a1ba2f30ee3c9f008b36de951 |
| SHA512 | a0e8be80324997e7ea74be4768b9d4e209682cdda227aae689cd29740856b87447d7c3581129d92d4a6c9c189ef0f814215e6a9cf258fb4053bba134ad0a803f |
C:\Users\Admin\AppData\Local\Temp\oQIQ.exe
| MD5 | e0d0526b3411ab5474c0d9814827c12e |
| SHA1 | 0a83fa0fac895e477930b5dc0ad98a09ee1eaa5b |
| SHA256 | 3204384fea1af354f48b8f011a6b63eed6eee2f626f7cc93faa1fe6dd7f037a9 |
| SHA512 | 0b5bd948ef4bbdb610379a51127b8fb432b9731d3f6f90a9b36e6f259a2c2d70f819f2742c2a3575adc53cbaf48795d5c8774eaaa92006c606d24e1f8a0bd452 |
C:\Users\Admin\AppData\Local\Temp\magMQsMQ.bat
| MD5 | 0bfbff14b78570cca94010814b1b0791 |
| SHA1 | bcd7720c60d98f1c169fde2bae6512d8c9a2f065 |
| SHA256 | a5dde3f122b5e1995e2772cd20b9450db34be731b0ae95933572748efd3419ec |
| SHA512 | 01ba76767c5b0d764a8ad1479fc39c3ad9d7b99af54eae09ce87226b1967c84603f7916c6db19e69790fe14d5347091463c0129679fbbd7e39cd1c0aac54d3bb |
C:\Users\Admin\AppData\Local\Temp\OYQu.exe
| MD5 | f81fb1d893a7f31b45f8b1240678fae4 |
| SHA1 | 657436d90c7997e4cc33d32da66e408b9ce5cb1e |
| SHA256 | b6837dd233a3490bd6902053a7f1ff47cc611bac5767960273c94e9ffb821d08 |
| SHA512 | 54426b52af89f1effe053a1bc574aed9a4374c88314a2d1fcd3a419981ac55e746fef3a82e95dcf097e31ced4ca6d25d9f8434a6220389d9c3c6e8e790fa68f0 |
memory/892-869-0x0000000000120000-0x000000000014A000-memory.dmp
memory/892-870-0x0000000000120000-0x000000000014A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\WcIe.exe
| MD5 | efd602e1a457974f2586f261e7e377b3 |
| SHA1 | 4324d878f3a112c097b68e70579942ef70896abf |
| SHA256 | a5bbe6034bee3c979d750e1fede8bb42ff185cfd6ea57ffa853c6d20108cdf67 |
| SHA512 | 6d718c4f77d50bea1ffe8b2e9347d25ed2e5bf3c95cda7fe53ff6d4e036ea0818bc2cf1363518e7175d8b9cec5207af76da308dbb7e6c9be03c886e2243c936c |
memory/1772-892-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\EYwE.exe
| MD5 | 03b0253e0b3ede7ac2c4101b961e6650 |
| SHA1 | 94edc5e9fb2f709b302ccb0dda4249a9536a48d7 |
| SHA256 | 8383f990335d9cc63e8233ead13d4575a6b37d438654db9f68c8b34a92fc6502 |
| SHA512 | 7fdfd1a544a3c433c8ffc6616b2fa5605b24bd613d868f8da37d7e40ec7dc1113ff7c25250ebd7ebca8013c71e1f874c5e45321da8e15aca33ef7cf924f819aa |
C:\Users\Admin\AppData\Local\Temp\cYIu.exe
| MD5 | fb7acba9bdcd5a028f3e5bb8e8117b92 |
| SHA1 | fe42947159543a44045bf984b5707ef78e0f4adc |
| SHA256 | e21de16f43988644701f33b30e83c607ddb3ae16e4b6477ab4e5909d942cb4fb |
| SHA512 | 12cf8c78855312fb5e12ec763ef0bcb74d7cb785ce1ed96d3aa74763090625a51d8bba970dc319a7501f196e3b9c52b31637213f646142a6ab7bcd085305a746 |
C:\Users\Admin\AppData\Local\Temp\gYUu.exe
| MD5 | 12f31238f826bc192abd3e0dfa017daf |
| SHA1 | 6baa1df202d312116aef74a9f6e04301f0e04d1a |
| SHA256 | 94b776486fd5d210b06ef2757d026a09e4957c1ccb663e429d5d7bac0509587d |
| SHA512 | 5658bd57992049f3124c1e7b8628cb119008c37e90bb6a71306b7bb2d724a50b946ca252c6a8e5f9d3f4c9c06e1ebf3612f3d0732ed6689b23dfc200053831da |
C:\Users\Admin\AppData\Local\Temp\QMIS.exe
| MD5 | f99da19eac64d02c44516663b298a052 |
| SHA1 | 166d126035d2aebf4b562ebb61804cbf7ac243f6 |
| SHA256 | 3c2c27b08eb2447d0f0a570d5cc1fb07f86b1235bd6e595ee59d6a0d836e83a1 |
| SHA512 | 39e6e528fd3fdd45329ce059de782d87e20538f009def66345423020cbda44423f22178a3efeec6fb9c21c012e27629adef6df9e58c154bf1b91faa1449f4084 |
C:\Users\Admin\AppData\Local\Temp\eCwcMcUQ.bat
| MD5 | 07c741eab00b3116a92d34c789f8dd90 |
| SHA1 | 9f3cf3848d4854bd3d31f72b1f74ae850fdda780 |
| SHA256 | b835a73dfb4c0be6f2c71782f88d42bf4af64d1c1ed78baeba8a6c4c73ffd09d |
| SHA512 | 3952fff49e1a08b7babf80947947f3f72df15d8b732ac09445d551342e616f974b320d99ac33faf1f7ea0757ab4277324c49400e2fe5c23c19231f7820485605 |
C:\Users\Admin\AppData\Local\Temp\AwwE.exe
| MD5 | a95a1e431d793b94db23e70acfa1049a |
| SHA1 | 2bed980c4371d395aed5317f08af2b633d27f6f4 |
| SHA256 | 4459b1cea7709a81e94781843283263aaed1ed143e88a2ad893c0397ca021411 |
| SHA512 | 99bdb09c08f46c060fc0ecc13e6cb06485cb0a7275c23002f9a9e91c8fba30630648cf973fec3f256c69fcb67894d2b933b4057fac05f268214af1a29cf08887 |
memory/904-968-0x00000000004E0000-0x000000000050A000-memory.dmp
memory/904-967-0x00000000004E0000-0x000000000050A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\wcQg.exe
| MD5 | bc756c152884056c713d6ea488e23322 |
| SHA1 | 90ba340c7d8d4eba42ddd5ca8b62a96ed1050e41 |
| SHA256 | a544cfc33b71467c6c1ca322fe547134b5e10932150a981fb74d54f8d2cdcf48 |
| SHA512 | e3db2abec68c79c9c07122bcb551ca25fcbe5edc194c750f3aba720033f090743ab49a305382149ac121cbf6fd4a5207592d0b1f835c02b9fa59a6182d8820de |
memory/2176-990-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\iEck.exe
| MD5 | eee99482d880d11b804ebb3f62760f4c |
| SHA1 | c512ce2e839de51b924e9f0be6b0220ea4427623 |
| SHA256 | 56d4a101157a621a8c14c24492f1b7bb06bb1b70544eeaaf847695ac25255762 |
| SHA512 | 5f8ab7f3a15742b55a58269b6e5d13a35b50b1a346e8fb1852ab3f7a350612964959c1f0ff66ded681903ff44b9861b889c98616cd816a78d76d188b44909559 |
C:\Users\Admin\AppData\Local\Temp\AkUA.exe
| MD5 | 45bf38b1ef4ff1a9aa74bc30c1b37fe5 |
| SHA1 | 48fcf5d3cdda64f37cb73b58b7f6a35fdfefec0e |
| SHA256 | 760905d6083dedbf9b638d1946f1aa15f606497e9eaea0f08600d90c2573cf76 |
| SHA512 | 5742c50945b146fba61b781c99fe4a75e889b2255d51e89ee7fbda4a8e1de1057891ae355e08ac52244cbe3536998134a7006fc65e316b5e6c2975ad6839d8be |
C:\Users\Admin\AppData\Local\Temp\KkMw.exe
| MD5 | 7450801fd5a3b2f53ee13ee2332c181e |
| SHA1 | 422bc86a51ab7cb7b51c7a935853364099ae4072 |
| SHA256 | b9bbe3926934ce6b9f2408d53c1ee04452a68e589a0c88c7bcca5c681e8b9307 |
| SHA512 | 870f848b1ebd44a84ae65f9f87c288b97342765a925bd8273fa029c3c479e8e2c0877c675a560427be7cadeff3f81f7a9fc9daafb83a74e842698fd1a893e217 |
C:\Users\Admin\AppData\Local\Temp\AMkM.exe
| MD5 | 8bbcafe9a2cf9f64ef5a70ca7c2bc055 |
| SHA1 | f57a46a796ba8c346a5892d8c78806813ab5f70b |
| SHA256 | 09b4f0441a86b0469c3641bfc7c13ee52144b5e3d0aca5b911ec139ab518f841 |
| SHA512 | b341ae44f31511c536a29b9137634b8695165effdae2e2c4c8561927f6ff27e2fe65ec550f0b5880cbc2cbc33d734dbef2f5355dc757b969474eec716f0999f5 |
C:\Users\Admin\AppData\Local\Temp\vQAAosko.bat
| MD5 | 45b538e820317059b01e538199672ff1 |
| SHA1 | 226ad7b5abd091ae4a8644e4a6ecd1391dc7faad |
| SHA256 | 63392ccbe5aa925088ca833c2ce397f959273f93b8b76045f002888afff03ac1 |
| SHA512 | 422a406e77db3e48ec7e4e0cdb32421f52b1d11937a10f48bc87ef027ee5a21c9c4e304aba0729227848f8e7d9cf12d9d0650d4a5bc5798f9be33659f6d92a52 |
C:\Users\Admin\AppData\Local\Temp\IQcw.exe
| MD5 | 2c591e30ce227e42561bec0c1cfdf0b1 |
| SHA1 | a00755e858cc3a78afa6f61b9849275a1fb0c811 |
| SHA256 | b96c488582aa3a6c0425669987d264e20b232d1313e6c4c0d61bf533c45df8ab |
| SHA512 | 33cca1abcf7939943754dfc4d4cfd2bb58c726098e92858c8f4245a011d0fc0b24b19be71a4e0fe8a4ed171a674a7a12f75133aa71cf3dda1d431228c20879d1 |
memory/1840-1065-0x0000000000160000-0x000000000018A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\KQoS.exe
| MD5 | 21f7b01f85ae8b37dfd81568c7aef39e |
| SHA1 | 4bf7a82c90079176f3463a537aa8b179671ba57c |
| SHA256 | cf8ec529c6040918981648f51dcabae6d7cafbd3147f6245d902880041c9f2a1 |
| SHA512 | cc04583764cdbda96d4bd365e5fc4c07fadc4939e6890b1153182eb8a4058129e8eb0f124bcdf4d109023f36d64050a34a6082ff3f95f422aebe6f3f7c67f161 |
memory/304-1087-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\SgYS.exe
| MD5 | 7810bd2d31f9bb3f9a49daaa9cccb3fa |
| SHA1 | 42c2cb3bd4b286808d0a0d6e1f3bfda144ac7c4d |
| SHA256 | 01b805ca8a7324fd673a76dd38cb7ae57b2ae14388525650ce2dbe61d7938580 |
| SHA512 | 73af50d0aaa832af0575e6bb9788039eb63b43365d546c565399826aaeddcfc359c78b43767ee2d03193d14a986045bf2aa02df8c8a2fffc5f3e5d5c20772135 |
C:\Users\Admin\AppData\Local\Temp\GUMO.exe
| MD5 | 80d90bcf42877d1023da7d2a81a79524 |
| SHA1 | 23f0d127987654fd99226bba6d19c3cf44d7dfdc |
| SHA256 | c2a6033f557f5d0074be6a6bcb23832994af170f517f16024ea6a8844c90ec6f |
| SHA512 | 66838ecf63c7a090b8865e75dccb8c67fa65226b74daf63ec63c06fbbd7b48735c61006138fe8cadef076b3304d843cb0cc078a1f154b459c76b63d83247ea13 |
C:\Users\Admin\AppData\Local\Temp\WccE.exe
| MD5 | 0c56fa50020567d62bcfa3b709db20ca |
| SHA1 | e7e26f85b0d17224e924a275476bbe95b724613f |
| SHA256 | 387b8096041978babdfc9c33324bc9553503657b9580e921fdb5a770312ff0bb |
| SHA512 | c637f2178b4962b9c893cdddc9c29b57fc167f1b8c2a1aebe722f72095f6fd5719d880cbe0f2dc82e7086fcc376d8e838fa594c49a914a29188d5bb1939c872f |
C:\Users\Admin\AppData\Local\Temp\EAMy.exe
| MD5 | 2b45e1b2524cee5ed321727b5505bff6 |
| SHA1 | bb813644069dc4990971bf6925849b1a7079e8ba |
| SHA256 | 41ebc3a316b673f842db5bee8616ec9cffd5d387519a25163ae143abbc6ba7a1 |
| SHA512 | 4adf5ad06cd133246cc9a6de3b9f6e263569162c8015551275f6a264db602aa488d937260b90e676c76100722d4269292bf3a111ea7a7c830b7dd4cda066846a |
C:\Users\Admin\AppData\Local\Temp\lCsQYMYM.bat
| MD5 | c6b69dd517ea7e680c07fa988909f483 |
| SHA1 | 53df01a1c35e07493de4aa6c13a5b15e0fc6292b |
| SHA256 | a3c4d722db2d5570f69e283ece7c559ad348024f528f8d315f85f77f0a5cb5ae |
| SHA512 | 47a3c1f6dee50471202d1dbacc0e5ac2d8584272e4b6cae15da0f9fc118e1fed417cbe36735d50b56fe5f86c2fa8ef8354c9e5106845740a1966c0dc0e2c505a |
memory/2252-1150-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2960-1152-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2252-1149-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3068-1173-0x0000000000400000-0x000000000042A000-memory.dmp
C:\ProgramData\Microsoft\User Account Pictures\guest.bmp.exe
| MD5 | e4b04b143d43277f256fc03d9b287e98 |
| SHA1 | 253cc135fac0519b51c7b2f20ab36af09115eee9 |
| SHA256 | ee1830997dc117689df7d4e601122f08bb7ab2744155c943e43a5f8331f3b9f0 |
| SHA512 | 969d894516773a243463341af533e3d277e4256937b1e16252fa1c88a67756e401d676a7628f862c1dc2f5f46a744356d71e06419194a5909e8306b201375f32 |
C:\Users\Admin\AppData\Local\Temp\gsca.exe
| MD5 | b632e33122435f1f6e02b24b5a697aaf |
| SHA1 | bee8573b5183df29ce84d461dc5f8f28b033c8eb |
| SHA256 | ab54b81a7f1c34a80529be3847e8b3abe826ac3d9a937cc0c901a4d9a041179d |
| SHA512 | 9987a50db9a76868930545fd4a91b0e853ed194c8e887fc8a35abab533a692773339289fc26b0c48b86633968e3496333e19c19261de93849dc26d9f01ab981f |
C:\Users\Admin\AppData\Local\Temp\scsm.exe
| MD5 | d1dd941173d0de54970ef3b91d769f50 |
| SHA1 | 35c3d12b67b85e321c671e1ac3fb4cf11f3c4a85 |
| SHA256 | a83d5616b519fc1bbea8ea2fa66e21a83a03b7b347fd7b61ca3975df5b08b60c |
| SHA512 | 7d7fe3a40dea2a9bace8b9c865086e91a4bdaf98053b9b6799df89e0ba171654fd81369e1ed7b9fb87f89c7798b22526436f344e900823ae432c384552f8f2fb |
C:\Users\Admin\AppData\Local\Temp\mgIW.ico
| MD5 | ac4b56cc5c5e71c3bb226181418fd891 |
| SHA1 | e62149df7a7d31a7777cae68822e4d0eaba2199d |
| SHA256 | 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3 |
| SHA512 | a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998 |
C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
| MD5 | 4c1ca1cfffb986578350e429d4abeae8 |
| SHA1 | 669be04de958854376cf479316f0dc2aaa04fdbc |
| SHA256 | eaf6ba0aec3c1bd7d7a92638e330575bd20a7be540a13a290ddda7b60a5cd5bb |
| SHA512 | 037ba8ac02f01e0c128546b2d676bf72c95f96530679c2390c2fa81b18a903e1a0fdcb50d17110c45e645487a6264a66dc3c05f8d9fbf155cd8031467aff0484 |
C:\Users\Admin\AppData\Local\Temp\taAIEcQc.bat
| MD5 | dcfa9431bc70d71866bea88bff2afeaa |
| SHA1 | d154b05c65efeb6da3c8db84db18e4b691d74925 |
| SHA256 | 57e716e9166e15cce342579f43ebe917b3fb2d2e17f30f7b01a189851a8c3e64 |
| SHA512 | 5e23f05c03f874e4cf21dc030f8db2ee85e1125a1044c6a0b50f33c9be544dc71a4737ae9cc3d228fc63b3355e607205c5dc61122cd5e4511037ba180ab30f90 |
C:\Users\Admin\AppData\Local\Temp\YYUy.exe
| MD5 | 034c99fc2d4ac0b5d99047af3e7d636f |
| SHA1 | ce5f23be2019b33ab1ac7254ef61ddbf8defac9b |
| SHA256 | 1467b6b320548e41da6ea248e6dba95886ba61732c1ecf2feee2a809e58c14c1 |
| SHA512 | 429421ce07f4d02bb6a3a13d1a95ccc4e0b6343e62f0c7dd9ebf74e1526c353c284b59bdb421ab561a7ce95a14fe3ac926ede2337f150375585ee93a3f64f977 |
memory/1332-1263-0x0000000000400000-0x000000000042A000-memory.dmp
memory/552-1262-0x0000000000160000-0x000000000018A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CYIs.exe
| MD5 | 81377e305118c6df7d8170fe82e34dfb |
| SHA1 | 72555c9c384c3d05c8404e75b1378d8747449b81 |
| SHA256 | 6141a9802013b0dfaa861c18e5ef5880560bf22a80bc97ce359d90f3d7bb9b20 |
| SHA512 | b1061490319472e50e3f560eedf9f9b7c1ea2f022b2adaa123b96387604dc0768c806debea231abfaf1c2ac107ff19a775465bccfac2181e14e71dcad1ff191c |
memory/552-1261-0x0000000000160000-0x000000000018A000-memory.dmp
memory/2960-1271-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\WAkG.exe
| MD5 | ea67f394563efcc15e647db69aec89b1 |
| SHA1 | d1f9a2a870f07de0b139344e3e946eb3796e1239 |
| SHA256 | 26645e84c72088a59f272fa87a5c0c31f760843a7a15b041c964ed94a78973bb |
| SHA512 | d15e8b76ed8a5844605c557555696b2fd3b29a6b71827a3c14b482137d47808940b1729aeb9c54a303bbd5d79c87dc3452f02ed9ffb4b5f9e22aaa5c50eafe83 |
C:\Users\Admin\AppData\Local\Temp\OIIq.exe
| MD5 | 74762927a52deef1f8afac6e09814e2c |
| SHA1 | 6bdeb1550b58fcd84a6e385c267c56c60524b5ee |
| SHA256 | 492a13fb5e3c4663733da84746a05de7bf199918186553adde8cfb5050c8808f |
| SHA512 | 8e8378a81695dff04f79e84d5d8a3383ea96bfc32ee5807b2701256fcd221a143da59568913824a62da99ed157ab32e2663c28a6ad217dc9a13be1e6f836b1f0 |
C:\Users\Admin\AppData\Local\Temp\sAUk.exe
| MD5 | b3c21d83bb987bb9cf5f550dc9af44b4 |
| SHA1 | 620731e77ac12d205d5f6a21e410c281136cdcf8 |
| SHA256 | 268eb448427aac798cf60dc162fedd45730d35a30d4ca223558a5e37a48e624c |
| SHA512 | 6cd42c042420ce21af7b1f9a11830e7a4d255c2de3e1c4cdc63171d8ac7d1f823cdce73cf1ceae662d0f93847b67550f533491217f7b493d5c0579ea4d6a706a |
C:\Users\Admin\AppData\Local\Temp\DEAYwEQQ.bat
| MD5 | 48c8c64209d09dbdd738c9f1a53e8348 |
| SHA1 | e04ccffa1f45cddb6e4ca6e5199f4794d6dfd7bb |
| SHA256 | 9cafef996d234fab0d90b8c7e9a9c70e9a5b843d1c0de7c95c601831df011ddd |
| SHA512 | a1807ff420c9791217eadb4043e1caf245d2e7bd012c1b344683ff2aa6a89d9f35989067d52d22a778664b24af4c2e509bb78ce653701340b639525ac17c49bf |
C:\Users\Admin\AppData\Local\Temp\iMIE.exe
| MD5 | a0d471048d9332d1b53ad4fd33f682cf |
| SHA1 | ebdcc99b95bdd79ea7789b53369849af0d4c7227 |
| SHA256 | 8ffc29ec10d02a517bc30899c2ee13d9ee161e3cfd177a2b54e19b13a8730d79 |
| SHA512 | a5020e800015c0d7372205cce4c56b19d5ab71c88bd7ad076871a860eae4f246cf4dbf40658973e416a281103b444621f65c2e130e3d73d768255af16c57e4a3 |
memory/2272-1334-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1912-1333-0x0000000000830000-0x000000000085A000-memory.dmp
memory/1332-1343-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\eQkA.exe
| MD5 | a543eea384dd2af893bee4b0e30d01f9 |
| SHA1 | db371069e8ad4a64d4cd9ab9f9b7a65393969333 |
| SHA256 | b3b1352984644b5f89b4dd44811c6bd5c24eb1d582c7869571867ca30c3b3d45 |
| SHA512 | 5bc116a947b9455a42a9da3018092482e8e77a10a951efb81b8d7ac420809e386a883a1d9aaa1e782fdb9d61fcf96270ce16eb50ec348e24b4525d65cea91da8 |
C:\Users\Admin\AppData\Local\Temp\kcMs.exe
| MD5 | 3066ccedc56008c66dbff822f808cf60 |
| SHA1 | 6469b5733f086a3f57a5866450df261a751da356 |
| SHA256 | 59af814fe5d7d57df550cf33feed72e24019d679d8f3304ed574dcca091e65ab |
| SHA512 | 92bc2354630f4c278c0a2510a05bd843f74d01b75fe6b4b74498cb30c8dcba60ab21bf55398f4ea169fa56ef91fd578225af9140232979245f2928241c7f39f8 |
C:\Users\Admin\AppData\Local\Temp\WgcS.exe
| MD5 | d7fffb55f88879f6e26d181b555a25a6 |
| SHA1 | 069a3df354e4b2b6f759d5c225d624c82e523a82 |
| SHA256 | 09efe75bec16599d485ea3f4dcde38b3643d2ddeacd634d11f3ba7e82bd37b02 |
| SHA512 | 61a714c3736834e71cf89bdd82d2ba9aa13d5a2ebee77ee7bf3924f01626c6839af448efc1c0d0de5973eaca742aff93570af9821e95d6eb1e651ccc313d58e6 |
C:\Users\Admin\AppData\Local\Temp\kIMs.exe
| MD5 | 632c3be20b18048d6461ff5a94cdec21 |
| SHA1 | 55426b98e4cc01e54d6ac59172ea9833668ad525 |
| SHA256 | 58f95d60bb1a3400133250a3749106c5e70e291b6c059baaafddfea3c917bd4e |
| SHA512 | 1e7add7a5d8085f330684b54aba37550b32f07cbc4811be50cca2c00709a63660f8780786120f46ce1ce2dcaeef68b2d9cfd88db6ac01b18f1ddb69a2360a351 |
C:\Users\Admin\AppData\Local\Temp\BIYwAEYA.bat
| MD5 | df4a9f940a4a61cfa6b03938bc27e2f5 |
| SHA1 | be5300546facc544e26821594314831f4b175879 |
| SHA256 | 28673da048593d21e1b265b10da6d2b9b42f0ee7da2f4b712fbf249b34adb37d |
| SHA512 | eeeea6661c3adf968e05bca405cd517ab2452f37270e3519b6c55cbee1895246881348fc55fec46421944815b7157f27da655e726e8df849f2774d16311ccd2b |
memory/2484-1407-0x0000000000400000-0x000000000041D000-memory.dmp
memory/2972-1406-0x00000000002E0000-0x000000000030A000-memory.dmp
memory/2380-1405-0x0000000000400000-0x000000000041D000-memory.dmp
memory/2272-1421-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\eUQU.exe
| MD5 | e0001a3f475c48dd80ca393ab0b855cb |
| SHA1 | be6d01d8613bf71c7b522efbe7dba2908b8b3c90 |
| SHA256 | e06fb02b3858a4331a3f60cfe4c7400a4e1d64a21a5d490ac76cd0ba3b881ea7 |
| SHA512 | 0fa85c13b394182b6d115e12d898f1b8d7d27b0527d6e6aaf3b243a3031a35a966e82cf52aeb5fe7963b85887bbf2dd0a1271c4b8f40166088545a7aa0dbc6bc |
C:\Users\Admin\AppData\Local\Temp\CUsw.exe
| MD5 | 7c95eaaefed42a1065c0bf8c0db48a4c |
| SHA1 | caaae1b7a6a54216499be02150ea3ca372caff91 |
| SHA256 | dba0fcfc9e00b6b14718b9272ea2ef9adb08ff3e83542117b3900abda6be6e76 |
| SHA512 | b50af274f56a2d121c667e39316cebe95a2e0408d43890ceb94eb4b690c483f6e204ca4f9ca7d5313a45e6c66019d770f2d707759466d87ecf33eb1fc446a4f1 |
C:\Users\Admin\AppData\Local\Temp\QoAM.exe
| MD5 | e8c39473c567ef2916553fcc20e71f32 |
| SHA1 | 53127f28a0502362c5b86f81e27b32145bf9f75a |
| SHA256 | 06d2946ddf7d96e3ccee5751ce52c39f4ed5e157c264bd1875dcc5c1c64e8acb |
| SHA512 | e43066ab390634a4c1fa2ce5c8ce0f0581add85526197a6dd1d2975d6d01a9704ce62f81e91f0fc4185d09247419c74a406503ac65f40135f7597dc40c032591 |
C:\Users\Admin\AppData\Local\Temp\CIYo.exe
| MD5 | f2b7d2d45c03788f6c714c3c657dd5d4 |
| SHA1 | 0d7b4a74fd2d4139943ec49a3a5df341e6e0e6bb |
| SHA256 | 29f22df4ae05f2d0002c4d1a0cb73d4dc65556873fff1a44c2207a1ca6504c74 |
| SHA512 | 6fac2500af81a0c0ce99f0f617361c161fe006104ddb469db3fa42d4092671ef9a4a1181b8b09d14248d2c296f49b09047d0aea47c20993d71b8f87dff70f5a5 |
C:\Users\Admin\AppData\Local\Temp\EQYq.exe
| MD5 | 5fe0e685712c52f1c4f0dbacec4d16f1 |
| SHA1 | ab69e4cbe0dfd55db8855133e331d3c94cf06620 |
| SHA256 | 73f3321726cf726cbde4bf4efa9126bf8e1ada3573e3e755673bab6af6b2f272 |
| SHA512 | 0cfde15e49c0815216f6d02e49fa0864ff20ef20fd0610eba6f9bc8f3e34b375b3c958f08c9dbe4a6d661a3bbe89ebb8c851319c5849d1f062f2a5b4c7af1eda |
memory/920-1491-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ooAQckYA.bat
| MD5 | a17d5a8a05206f380972a1f807d5e62e |
| SHA1 | 9fde53dcc1523671d6ab26499410cbbed05ae66a |
| SHA256 | 859130cb85e74a72b6b683672d85f4bb3407d4d57e71cda149b94048338cb926 |
| SHA512 | 309cf3b7449a8da756eba4c5155cd3d339683163bb344acf40ce4bcb52386fd8cc26a4f1189b30b8c4fb695ac9b12c061c184c72c06bb6768ec5507b00a612f6 |
C:\Users\Admin\AppData\Local\Temp\QEkw.exe
| MD5 | 55efffbb70e5ef9edc1382131f59335e |
| SHA1 | 2169df15b3f6a672929418ef3f6249f7c65c1499 |
| SHA256 | 15c60d2aec80c938e1027395d36f0a23ea4d798e054658d8211db2523d252854 |
| SHA512 | fe5e29888763d80b9adec308a09a1996c1f067b9a7a88c257555ebcc2486ce4468ebe74a9e172004f24f0aeb9654a29f875dae7418546a6f63211d89c8287c3b |
memory/3000-1514-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\wAcM.exe
| MD5 | ec8e18aacc62c3b379bfa5e87b60544e |
| SHA1 | aa258488a816e7e21c74c54f85d72f858503a402 |
| SHA256 | 0caafb4b1aa93d8f2565e67eeeda7d563d2bf86970da7e2a1cd43d3ab9938ef5 |
| SHA512 | 77235f9add10beea13052baf66f102e1a5e2cb02bf5f60f6055298eaed30a2239c34b69979b7c7a501edddaf5b09566680a4f59649121434307723ad8c212f34 |
C:\Users\Admin\AppData\Local\Temp\SAAA.exe
| MD5 | 7a906be55868c9ec60573977486bb1c8 |
| SHA1 | 3d54ae137ed7b6b8a8c05d91bb6e9cef9dacbc06 |
| SHA256 | f96c74236da7c499ad91294534acd5c0a1ee603085e64d8bec598165ccedf777 |
| SHA512 | 226d781684d5ad52278058e47fe2665659b72dcf83f913b37cb32580087355a7cbb0e79611e8d741300979985fc0633d86d42afd23c040cc2e115d8149060e4a |
C:\Users\Admin\AppData\Local\Temp\QeoQkEMg.bat
| MD5 | cc609df87c0c5b510afbd79827fdbfef |
| SHA1 | 001329c5e9456c30935727b6b083af6afdbe6890 |
| SHA256 | 092a2a10616d71c471a91aa81e00659ee1f732afd162967fd5ff087e4d94f999 |
| SHA512 | 9a130437bc7d526fb343d13242c1560dd63924b4bf50b5d3f092c419666e4880a536658f7e6ecd284a52c8ddf8b294fb5d4c3cfa24ef7bf3592ec6b74c967b6a |
C:\Users\Admin\AppData\Local\Temp\WksY.exe
| MD5 | 52d9c5f77a458a8fbd7c0b306cfabed7 |
| SHA1 | c5e546a6b94e662d46e83eb8905609be02936d12 |
| SHA256 | f32da222156dca0b53937d8b5922c3ac6d7674cd15411abb121741f044076abd |
| SHA512 | 81b243126889216c8450800beb094464a1b6f554c36e20a095c81121e148e786a1c896b5719c60fb6918941afcf22cd470b1e26404dde745ed1d9db03401262b |
memory/2664-1571-0x0000000000260000-0x000000000028A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\aYYo.exe
| MD5 | 1c55f4de7945ec33fe4571b3fec9f146 |
| SHA1 | 4f8abfb5c72f10da08d06b3b5a77f54914a28076 |
| SHA256 | 135066be9dceffeeef0e22388a1b420d03b89f385dbc221acc0055b62cd47de2 |
| SHA512 | c0aaa1358f5b1620d741aaa1a337985de73b3afa89c35addb38b2053bf0eff600b3e0dabe4479f4ac3bea7cdfb790ef0cb7d1cefae15f40362bc7cb829afbb12 |
C:\Users\Admin\AppData\Local\Temp\IYgA.exe
| MD5 | db50cadc0832e0924b4606f82cbad464 |
| SHA1 | 06a2ca53d3f3d09bb4b39f3708568d28b5498a8d |
| SHA256 | 0d48f9ec55eda0387db7c275784aba2def34d43beb93099acc2938cc464dbd2c |
| SHA512 | 44dd300299971696e8d5bb8c98abb066fe82545d47bc7a7e931043b59a783210ab00a47e240a8e01c38840ce841289d70a25c537d00d9efbbc30892587898750 |
C:\Users\Admin\AppData\Local\Temp\icsg.exe
| MD5 | 3148e7c46462a32b892ac7e5c341d10e |
| SHA1 | 0c08697ab6540f5949c9b0b8f211a6b4e3bb9c65 |
| SHA256 | b1bf2c41af53d1ff97bf91369ff396fa3c712888c7219bb2409fd6c29f7dc5c9 |
| SHA512 | 705458acfa5cbab55f984c9b1092fa0b92da8b4858c566e4e219abcc93625e6c0b97f6d791e0d760e2088e41c1c0e895bceedfdba1c141bf8fe28c15f1690e05 |
C:\Users\Admin\AppData\Local\Temp\sksIAkUQ.bat
| MD5 | a56ac5bb5ce0cf6ebf18bbb6d36856a7 |
| SHA1 | cf06372775950035ed86d5c4d35687dd72e52a42 |
| SHA256 | 78fda4ba659099e3822b449979698786035d23b2dbacec46fe70b73978d19f91 |
| SHA512 | 3fd2412d5c178035cde6c57da838c5e2dbd237de421b382ecf64fea97b1621522482d57688f59ea91d52b4ca9de97d2cb9ed567ae7efc025f62d81adeb1f6b79 |
C:\Users\Admin\AppData\Local\Temp\eYoy.exe
| MD5 | 52a21e26a1203f5215f24b4921cb2d59 |
| SHA1 | 35f78b508cffb09f8506741b22de0eb3ade4a294 |
| SHA256 | 42aeda37409dad14bff361da33f06e9bfcbb0a52732933300d63e55b890851c4 |
| SHA512 | bbc5f5b446d754d084adb427cc6bfd832a1c1220f6844b92f640ac6ab3603aaa6f3d8418633741210db826dcb844696d2afa5dec53aa1af3c11be730d8b3ff8d |
C:\Users\Admin\AppData\Local\Temp\wsYG.exe
| MD5 | e4182459496630dbfa158880f8881c5d |
| SHA1 | 8b9e9211ccc1e032675ebdfa8d4abf10b9cecdc3 |
| SHA256 | 02c5820f80d36e7e1d139e0680d60be21d8b3b308952330ea4e27d68194b1469 |
| SHA512 | 2d867c60080a394bf110e7e8157206c8a8e749c8684a3988bebbd615eb2a9085897bb468a4374914995c3f21af262c9265a9bef7b870dd129db29ab48ead0e72 |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile13.bmp.exe
| MD5 | db3b60ccffb5b4f3839f9e6170b7b870 |
| SHA1 | 537e112eb17c90ed59c2c91e4a02e8fd403bba96 |
| SHA256 | 8e77030aea27159ae3b672603a00b2487e2d06d7dbd9bbcaa4b4809318a34af1 |
| SHA512 | cddc279d8fc2fbaa63e6f669dc2de78a0f903ac8c790fa1567b0e0e10215706a50292bdd679bcfd1ae3eed90fe3c5333774d35ef2cd863d6dabb8717625c2a75 |
C:\Users\Admin\AppData\Local\Temp\cskc.exe
| MD5 | 92f787b3186d4d4df83ba283a4d9dc38 |
| SHA1 | 4260dca693250c4ed40b404a0902b938fe09f152 |
| SHA256 | 1a4285dc74b0c0a41438a8506c0f80cc3157c372ba3f15ffcd71ab4ad12b547a |
| SHA512 | 26b1635883b9b2972c1b1f911f799e6d12f26b6e45df1849fbbfad3341ad858ef533b2e548116e1ebe14f69c30d4f405f72c38b6d67345f60a79065a68d325ec |
C:\Users\Admin\AppData\Local\Temp\AQIcwcYc.bat
| MD5 | 37d23bce53d7c401ad9b359062319ead |
| SHA1 | 76b7abc270a4b04ea83e8bf7f01fcbac82dbabfb |
| SHA256 | d2a1311504b61451d0e7b4b0847210a96da96216345a93de828b4d0adf100c2a |
| SHA512 | 47cea0cc51451b40b3b2bdba403be7c0467a3f0b9d4bd0a517d9e9ca6c33926eedd77d9038f27d1fec8ea8ee046ccc2392dbe1f14857a84787ce3c431294690f |
C:\Users\Admin\AppData\Local\Temp\eUcQ.exe
| MD5 | 8feb9622ffccfcce8f91ebd8fc047584 |
| SHA1 | e78a3bd63f796b6b86921c3f34e966d46b19614a |
| SHA256 | 34ee9485194c6a5cd93e0f5e45ea6ab6c8a6a479e7ed668269245bf7b6606a90 |
| SHA512 | f6f0b2dfc99e92c17bb05deacd119aa366946a100f1f9e8ad24a900fa5107a40ddcc735268a077ba7f70e6e46460eefbff2ec3c7531610f501cb9d45f6f1e227 |
C:\Users\Admin\AppData\Local\Temp\WoAw.exe
| MD5 | 2af8d788375f8f3176458fb4a43eb645 |
| SHA1 | b98fc4b4011c2d3f16eb32fe4e45c9e1e7ad2d5e |
| SHA256 | 2a2da99fa9ef0fae5e5cd2d03146c834ab4637f338097cbb60451a29811fd9b6 |
| SHA512 | 96a8e104bb2f5066d35747a8bc49f0e07178cf9a0357d22398a350a3ee3bc6de94c2b39451391b56694e8e56320c90cbb19babc1ee1ea83d5dba4351b648c6c5 |
C:\Users\Admin\AppData\Local\Temp\MkEW.exe
| MD5 | 742a5ae0ee6de14dcddab9efe59fb427 |
| SHA1 | 8bcaaf6309a0e6efa9d694389e30d92ad1571358 |
| SHA256 | 0e6a0212ebecdc931125de66585a269b14983500007f21f611443696bc5990a0 |
| SHA512 | 545c0004545cc1c29d5e2d4eabf45d1323c514b39a34a28be2905442a98006cd395563919087df128115c20324285c8d9740106f46e114fbfb97c0874fa16afe |
C:\Users\Admin\AppData\Local\Temp\Lkwgosoo.bat
| MD5 | c281b2815273adf70a1c5d186a517430 |
| SHA1 | eecee15c2368e87b8d3e2be51ac1899b809f2f93 |
| SHA256 | 303f3ed16a289c02e30c96845eab8b76f319075ec3caaeae13341dadf06b1668 |
| SHA512 | 528b23c829bdfe92d4d70e8f679e80158a801b8e475760a8b3b20bef6ccc2134950a4433b6e6bf07a384c366ab258364188600804bf13b419e05c29e3e692f57 |
C:\Users\Admin\AppData\Local\Temp\eAgG.exe
| MD5 | faeaae81fcfcd99ba0421d3897b17f6c |
| SHA1 | b832ee889e0d3e30b98a3a0f11e5c041c5ca0661 |
| SHA256 | 890fbb138405c0684fb9cbfa3f81dd6da58d34be22f6e6acd902991031944943 |
| SHA512 | 69bb2c2e9a3d1eaec6d03880c2de400aaba791eca4a583dc9db4662a578793893ecd7fe5d788faecffa8b3710c9b0b7c18e95a0d3978de66624bf1746d4a14ad |
C:\Users\Admin\AppData\Local\Temp\SAse.exe
| MD5 | 51112d322369b59ab67a792f76d5bc71 |
| SHA1 | 2c81663e6e62254fd858b392cf5c8d0a435b5948 |
| SHA256 | 8e4f340ca1669708e1f0b18d2fa240e23ad0f7a23a509f90842145d17fe4ada5 |
| SHA512 | 11e67f55c047f697cf6ffcb9acf29bf7a46c156c6c0b5d7bcbd760d7c939424fc1187d94ce51ea20301105f8e60be7ed6d182034eeb570f6600b2682e791598d |
C:\Users\Admin\AppData\Local\Temp\wYcq.exe
| MD5 | 03d0c8333ebec1bbf0174b8fe09f6d0d |
| SHA1 | e9d793c00a4bc88b6ee2dd490cc75b9d9b931703 |
| SHA256 | 97cb218a01d4ad80bda7b22dd8a20cf0a40ef5f2867cf9c8f15037c5d0a10710 |
| SHA512 | ed8cf95311e0d88d86f4a86ebd4e8068c5a66ad0f0a7c1829980dac79d3f74d3aa1030012b3e0a77c2095de776e82e38780813f10b310a3bc68fb49b9b9a3753 |
C:\Users\Admin\AppData\Local\Temp\MMAG.exe
| MD5 | 3069d461f98824f7b3eabf192b6c86f6 |
| SHA1 | 407f66fef920d39ea034206f40d5d3e87fe98c50 |
| SHA256 | 4b3a61706049856d6c9d6ae0a700ea221afa9ba04672f5ad9fa916f33b9adb89 |
| SHA512 | e90e4fcfe1b9fada1a67ae0eae2ad83148e91b92e7519c6603753ed4c403d39c210bf67567ed9b2a44839eaad78921198f03ecffa934f9efe608bbe1c11f464c |
C:\Users\Admin\AppData\Local\Temp\cksK.exe
| MD5 | 65108cad7de64cb7ed26eeda293bbb52 |
| SHA1 | 582de569b5040e27338032226e53f92bcd4908cb |
| SHA256 | 12abf39f0bdf042595a76c4630610c0835ab563d0bdbc76211e4e74068c4a2e9 |
| SHA512 | a92bd9ffb1272a549aa9e7c44ce84629a9ea06ac74b52cd1415bf9069e58c80b2f853af756b1ab12111d37c83fb17b27df105a6852fc10ffc24a821f02511cc2 |
C:\Users\Admin\AppData\Local\Temp\xkkQQIIQ.bat
| MD5 | 381731ae2e074eefd56cb305e0dfd09c |
| SHA1 | 4ebc2d01ca01b68c9cc1799794f71c8220eeb615 |
| SHA256 | a36857206ae471ae261882e504a6f350723e5d64410e789a19d8fc60e2d1ac75 |
| SHA512 | 4c7a870b815d86d0ed280e22ca1742575c8675dabff88ba82e82f529edf265530ccbf3f9debe4b81e31fb96448de87f3dcab31f989b0d393875e687f9c06e89f |
C:\Users\Admin\AppData\Local\Temp\Osss.exe
| MD5 | 81d4206261baa3a387578e1c4c549edf |
| SHA1 | 95b46314e8f47eed1d223a7ae424e73faefe8846 |
| SHA256 | 3b93a4e941592432710cb12a3276c1e856fe7d703e9857439e3c5e54ed6263a8 |
| SHA512 | 6500c684ef1f80efd225531ee73059d2db75d9b222ca04f8c2b7e9b314a06cc6c6219dbb32bc0c891604180e05bd3c82b6f0c1d563718c8eab7dd6b073de9a5a |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile24.bmp.exe
| MD5 | a2af444eacbcd38a7766134bc397b5c4 |
| SHA1 | ac898c6b2525df3822f0cecf91ec856ec6473a87 |
| SHA256 | 400ba8772b2e029d2b09916933c4fd41a937b875eb9c8cc7f9a2fc326c2d514b |
| SHA512 | fb29d8c9f2ad43f04a6bd9733bba1da969bd011b2851d7e360053e21f6726acae67294f825c306b8cce56839b73d13d6a2322b87d5604210aa77f10bb942e0be |
C:\Users\Admin\AppData\Local\Temp\eYQI.exe
| MD5 | 9e13749086b80d563aed6b8ee68a66d6 |
| SHA1 | d7a286f918802041c40103872de21bfabde531e3 |
| SHA256 | 98e0237c3036d2c552158ecbae129ac9f76371e47790d166b3a0e10bd08ec204 |
| SHA512 | 4e46810481f22fb288792874492a8183ddc25a637d15f0d1fd87c728d94e49f44a808cfe49d3792fcb1c71d96f571d3f245c49cc05b7e0920ef411e4f77c8f5e |
C:\Users\Admin\AppData\Local\Temp\DSkkgssE.bat
| MD5 | 988a241ac8f9dfd49efe86a918f39029 |
| SHA1 | db010bcbda4ec48da9c5146a0ab1a3a002cbb940 |
| SHA256 | 396ea446109cfded26ed52a5dbc961ac829999088e0304d8c2af06bbe58f8ed8 |
| SHA512 | 1fba35f8e32df1a6464b55522cf16cdc112d37549ed057ea2dc85f7180009748e015eaa9722df6c4f39c6a9e9d6cb51369213325fae344e6dcf3c89022620f1f |
C:\Users\Admin\AppData\Local\Temp\Ecce.exe
| MD5 | 603f44f14c4c0b66c795713fa8e376dc |
| SHA1 | 5200951e11140237dd0469e142208966faa6ece5 |
| SHA256 | f62798aac328ecd9438d2c54a3fc91c35d114c5d0be64ebca3e2936712d7d009 |
| SHA512 | 774f3449ec3b72e32eb6c2c17c0f2a1dea8249000de825f4fb9ab382f0b5ee71009a751c1fb7f6ebbb39f36a224e1d3bf63935771dcd452d07f166100f0eb21e |
C:\Users\Admin\AppData\Local\Temp\KcEw.exe
| MD5 | f1dd41943df6647d2bf13082abca5d30 |
| SHA1 | fc465bd4dded5237388d3ecaeb8459b81714dd1f |
| SHA256 | 7e44e50b85ee33679be55fc22e501ee9d7814e4a37485bb1c083afc74ca2b0e3 |
| SHA512 | 4f64943b7f38c28977e34584f382306b14ad7f7a259ffd557dc421eb455ba1ca2f90231f25dcf49d1760bcfa57b1caed19e2126e0db438f175afaeee798e2eaf |
C:\Users\Admin\AppData\Local\Temp\aAsQ.exe
| MD5 | 0c7c4cc947aa312d08fc466a8585fc31 |
| SHA1 | 9400c91df99fd31066b4a2a1a8b77823b6d88b8e |
| SHA256 | b675c2cd41c28549a676c12001276ccc674285ad24ceb3219c4752bb56515467 |
| SHA512 | 0bb7136ff69eec566ebeb8747a5cb7abf8d9d9a59ed5f11a66151b20c2dab1332f39c5504729e001142f8204d42986940a9b59cf459b8e9114ecf79f67a5d63f |
C:\Users\Admin\AppData\Local\Temp\Sccw.exe
| MD5 | d94631694c3db6b7ab12de489b2d25e2 |
| SHA1 | bdc6c7af1bf988bcbc5336029266a12e08655b14 |
| SHA256 | 40af1658bb48445a2124ca57e24b3f759580c6e8383c29d1a837aa247e80ce59 |
| SHA512 | 008b1739f7411f58fd916f1c69a2a85d037989c6b4beb7e0e8bad0d7352ce7eaa12a96097998293011b012cf41f84b9586773213601564ad014f846b9fdf68eb |
C:\Users\Admin\AppData\Local\Temp\CccYIwcA.bat
| MD5 | d2204bbb791c763bb6f8e7d973ed9138 |
| SHA1 | 0dd08ce41d22e5132614f27aa426e88b50d784d4 |
| SHA256 | 54d3ebfa284b42642bbc5a35fffd90d737bf8cd9f290f2be5cb2577e7480dbc6 |
| SHA512 | 0d422a36421768ad03623a526571483c0e2a9212eb5600559a5bce6fafbb8732089a83fbb98bfdd1f1c9d6e21fdf237d84be1b3c74c2817a0b15af8169d4bf70 |
C:\Users\Admin\AppData\Local\Temp\MsMW.exe
| MD5 | 6f1ad1d7600d404ed4183285b85f11bc |
| SHA1 | 7657fa96f18343bb48dd1f9b4bbb7a454cd06d07 |
| SHA256 | 63bda88e50cbe0d82586d1f8ef756e445a0bb64c96fd91843b44fe973327625c |
| SHA512 | 033112158d7a52a70bd0d7fd6b518a68a1588443055f8b36b5a48a9d9fe00df865b3e6d4a979d871a02ff6f1e2deb25699dbdf85ac3006a4232f4b73954147a5 |
C:\Users\Admin\AppData\Local\Temp\wIgs.exe
| MD5 | 443838d4525ccd396608054979691399 |
| SHA1 | e6b7ab8a055fdcb13a48eaaa15d06bfe8af2db9d |
| SHA256 | 877d3244a15a0036f1b92f02ab1252031997dbb7fce97a3c72e136ae2ba95bcb |
| SHA512 | 44651de2d8b2c20443450a176545da0c00dc8d4e59f9ee7342cb7b122289bfda17dfa66cce295740667e919bf789c98d0c01c957db46b40f761bec0d5c96bbf5 |
C:\Users\Admin\AppData\Local\Temp\iUoC.exe
| MD5 | 82961bb5e02b0f3abc916c6b2140e808 |
| SHA1 | 4ac8632131fa7fe374a8f580910288bfa9d48f4e |
| SHA256 | b3568800b03086d7da0990baf8e0e7c249f73a4a3b069abc34c5eeee951d0a8c |
| SHA512 | ba6ae283642062a7aabd375adf982e8445b5c278902709a5ebb5784f31deade7ba777da705781ebb4d194a639e7bb37627bc7ca645e44004a168ab957c823b05 |
C:\Users\Admin\AppData\Local\Temp\GAsE.exe
| MD5 | 7f74344dc57e111f86b18d209639fa1d |
| SHA1 | eab7ee8d27bfc7116d57b1ba7bf92979d078e675 |
| SHA256 | c3771e53dff561e8a0992ab49bf1644631ff200fd63d8f57b093a0b7011bf3df |
| SHA512 | 823cda79c4dc5bff3f6178e8efbf3c38f693766962e6eae8e4b61a74110c8affdaa29f98f2f3aad1d2d50ff94d9836247af6972a08518726f7edd16db6c5b050 |
C:\Users\Admin\AppData\Local\Temp\uaIwkEYc.bat
| MD5 | 11532a7b238c704cbf8c2d69a2a4bf85 |
| SHA1 | 8e1a7e594337fcfaf846fa1b165f83653ec0b622 |
| SHA256 | 8bc7b2673239c2f5dd76b8f8c6a4e4da4cfe936e30a2a459d74aa8d947a257b3 |
| SHA512 | b1ce4090f69656b238bc2d08a5f56acc9329db78b381811253e76535eb8ca1aefc880955e04684204dd170176fae920c0bb4bc495054f08fc23612bcffb937bd |
C:\Users\Admin\AppData\Local\Temp\Cowi.exe
| MD5 | 3f8236df62635b7a535c4de4f397b58b |
| SHA1 | 6364a975ca2941a373d163df9f25330d9b2a4930 |
| SHA256 | ee3e5b032a0e33e819919d8e36e503b5eff163df12ca6b794c78735401dc7883 |
| SHA512 | 9c661ecbd4a3e0f3da18625bbe3337dfa2e169ed94d3ba925b06e9b519299009fbfd798fe4be64476c252feb09416580221eedee7128badfa747186d5332d9d0 |
C:\Users\Admin\AppData\Local\Temp\CssA.exe
| MD5 | 9dc9bc2332fdb91b45bd8ea6e38902aa |
| SHA1 | 6e9cf419f464cd1749c860cbc695d8b6648cfb0a |
| SHA256 | 407e27b749340ef8a1794eea4b21fa9b0e6aa5caf0868ddfdd9d4c77c807597c |
| SHA512 | 0b78c4540b4b04e148db2bace5bca000893762b8938e3cad46b45cfd0c77c665bca541f9aecb5273e861f428fa6761761fff6acb7dad92b978683a488ba91c4f |
C:\Users\Admin\AppData\Local\Temp\MggS.exe
| MD5 | 4ce54f8d2dd988ddae0fdc890c8fe5fe |
| SHA1 | c15ee542efcb0a79b02d2fa037a2ec1db5410a58 |
| SHA256 | 3c066bd5c3b8e5677ffc65f3aeb916c43436e1f5f024e0dc92ce151642bb4299 |
| SHA512 | fe642ae8a5aacff8add05751760e677a8cd4d83ac3ab58ebc1e9a17476661bc6cfd1a020f54e66f93baf0268fa1ad6819a91e87973979d65dc59364cd695e5a4 |
C:\Users\Admin\AppData\Local\Temp\qwoo.exe
| MD5 | dc0a5119ad57d8a9da1895e8ef1cd54d |
| SHA1 | 684827c2bca018efaba9dec9fc5b9b3064126c3a |
| SHA256 | a0f4b8f1df791f73fd963dedf5014fffd861e09c30ec82253b52853c7654a8ec |
| SHA512 | 143229bdb46affd74316058cdac34d6dda9d719e0439a07ff438b69d93d755e100963534ad4a190a88c00bc3592e7e1e5b5cb7628df4a2c0571e16d60bf18946 |
C:\Users\Admin\AppData\Local\Temp\SWYIEkEA.bat
| MD5 | 6dd5cbc563386b175787ee5db32fc944 |
| SHA1 | 03bf98735a55951e53b6b9b8ce2e29878470e19d |
| SHA256 | 9326e8de32b8f156105865e51daeeae8cb255b4be1dc635ce39a17dd77ebe890 |
| SHA512 | f31fd52a4dc2ac4dc7077a234b976314ff2e0d279eee498caac4c513f6b84b99169e30bc0e93a04e25299691b372e5a0997f1e96ebe53ed7c1c524e7b452470c |
C:\Users\Admin\AppData\Local\Temp\uYYI.exe
| MD5 | 42a26d43160a600b383a115ef89760fb |
| SHA1 | 8cde885c2a787e0c3300691d140ca4fe52066b0e |
| SHA256 | 79c2ee0d6921f34763d2dd72f3c05160dfe8f62841e010bb06d4ef5c2bdb9b0f |
| SHA512 | 1c2cd5f14effc9547322ab882b2c07a89a7667501a15292f47259209601ea34011429e35ba2f90b64b38870ed8825ea5a8f7b5e438d814347886bd88824bc784 |
C:\Users\Admin\AppData\Local\Temp\iUEc.exe
| MD5 | 23053f8a825436f7c762aee9acfd13c6 |
| SHA1 | ac340bb59ba97880e5d77fd61af8853129f38450 |
| SHA256 | e8487b1a76ad3ac6ac38aa77e5a9bc0faaf67f7d8b8642dec9e46ba2b8025ca9 |
| SHA512 | 0acb748c4c088014beee7e168655d67ac00abc90b31f73529c6c1e977277365a285182d809bdf87e65c912d0228f8c2b3b662e429ac4ab1181ae31469f74b00f |
C:\Users\Admin\AppData\Local\Temp\WiYsUsMo.bat
| MD5 | a4b3c272ba99ec2cd0f22af456917a0c |
| SHA1 | d68bda90ab741101fd793fc7fdcc03b2fae0e30a |
| SHA256 | 378d524478f5d6ad78dd4eb1c0fd82c37e1ba04e0f5832cda5c70c3c89b0056f |
| SHA512 | 1f878cd98e5694dce07a1c510662828d5aea70818a759e56066974708bd604c42e4b3a5c3561fe5074c2a1816feb89e0d3e0b71ee4bbef6a6c577b398101ac4c |
C:\Users\Admin\AppData\Local\Temp\mwAc.exe
| MD5 | f0d05d92ec530857bb9b436cbf7c7d12 |
| SHA1 | af665a694ca1150c0bfa1727f5a68863eca4148d |
| SHA256 | 0dc96b1dc7ea7fd1d3fe3f64131cdc9569b8444ad006e7f70d2e6252f91025ad |
| SHA512 | 623bef906da8a171fac0aaa4c436bec8bcd2932899f8602fb1cf1e96e26e64407fc659099bedf0a852ece912b5f0fde2d12233ea7674768bab23d817d6b299a5 |
C:\Users\Admin\AppData\Local\Temp\wUgE.exe
| MD5 | 99525684a8d320b5262d91af7340ec5b |
| SHA1 | 405c3a29b3cb224c61ca0b9e7c8fc403e456f163 |
| SHA256 | 9fbf9a198b268bc4adb85a92b675693b9a4a7d6a31707281a199c566c9d30b58 |
| SHA512 | 4f304f6cce597709deea7733fd400c4307d7630545a227c2ccd0028b28b3ccde9f8deff770db596a081d12da50094f1d4f7a929129d08a31a41ca44f33a7904d |
C:\Users\Admin\AppData\Local\Temp\GcMs.exe
| MD5 | 243edcb3d332deb8ecfb567c096dbc90 |
| SHA1 | 6e73a3434cfa2d7fedde95783a654df4359932eb |
| SHA256 | a3b435ae257722e201fbaae606fa482467000f2ce7b3aee8600f3a6fe7db1a04 |
| SHA512 | 7f35d614eb7af475bf9c0536b58fe3be4fff6b9acfea1ba2b6a7f428ea749c2f046729b5538a0e9a2f71379ba4c21ddf003e5539a4d660f418f681e2858c1e21 |
C:\Users\Admin\AppData\Local\Temp\aYEk.exe
| MD5 | ad006dcc86b887de0a2904e33fa5514c |
| SHA1 | 909140ee12d73c8f3cc5bfaee4ce0dc31e6aeb7f |
| SHA256 | 295e7481371f00d3cf23bafd768be18b4db15aa688bebd4b2db0b093c001a8c2 |
| SHA512 | e42726e171f2ed6b94d41450267998f8641698f0b8039126d9fb6d60bbc18f60d0e51fc4169adb9a54b2e78eca032628f695c07d28e5d38c0056582192fe3642 |
C:\Users\Admin\AppData\Local\Temp\tWsccUIA.bat
| MD5 | bd87f166c3131bcb39b4afabe5cb9512 |
| SHA1 | 71943d4992b090b0d5ed3468399ec7e832f22a24 |
| SHA256 | e91aad848780b4f01474a532bb8611a3af93c2576470eaf73089efb5896e7c29 |
| SHA512 | 821f2c3c0ccbac817b84946dd080290dfe78a4519f42f7a8b33068c794c2c48366533470a43183443b6e9e2d89da36ab57a6bdfa54ec82a7f54ae0d73e774a9f |
C:\Users\Admin\AppData\Local\Temp\MUwm.exe
| MD5 | 5dea51ac9ebc6ce18384769f914e36c2 |
| SHA1 | 724e3c5741ccb1c3faf0100309a69a8f923b558a |
| SHA256 | a76dd781e834bf2b7cbef39266e3bd79ada0ecfcdd9db5b397c9676f25615e39 |
| SHA512 | 8e63595e3265eb6cb40155e20c4d2ad8034a18c4e871be4eb4fab4877b7148dc948b4b6837445d4e17c0023d3ad4335728ce1a8f22781dfa32e7c0fd751d657e |
C:\ProgramData\Microsoft\User Account Pictures\user.bmp.exe
| MD5 | 9917fc2c37ce9125a70f24ca6f0346c0 |
| SHA1 | 4f81ca2e64b9e0cde684f150902e580a964a6631 |
| SHA256 | 8c2a0944b9825fa2f76e3a22d47b8edb574d35b56ede973df764c57b4aee7db6 |
| SHA512 | 9530ec951fd056e9be64e0913b86f141f8f413cef6c50b742a49a4543355a6836c9aa736f438d89296a099d4dbababd781236c1b0e3dc6e83ab5701571253ae0 |
C:\Users\Admin\AppData\Local\Temp\BGYYcIEU.bat
| MD5 | a7e671e7cd01bcb84a7dedc8970b6c27 |
| SHA1 | 61d93b270ef0cc180ed08b6e4eb358b7d2ccb0d1 |
| SHA256 | f80e166121b7dc887f63160e3c4c038d9abd9314ed9584bfd5b5130a6f38787c |
| SHA512 | d237e294a55b0f1ba1328b90c95e9081828aed12e9af2472f72dfd134c169a48bbdabfc3dfd6e576ce719dd47ddf610d105e4480b8ef3a047b9c32b5bfc7ed5c |
C:\Users\Admin\AppData\Local\Temp\CUEW.ico
| MD5 | 6edd371bd7a23ec01c6a00d53f8723d1 |
| SHA1 | 7b649ce267a19686d2d07a6c3ee2ca852a549ee6 |
| SHA256 | 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7 |
| SHA512 | 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8 |
C:\Users\Admin\AppData\Local\Temp\agoq.exe
| MD5 | 2b8384d5387dde3dade1a0e479aa40b9 |
| SHA1 | c892f0e8a421f9bb5aeeb769a850283836851d4a |
| SHA256 | c8e5cf908fe56f234e39bb47141f0c8d770e5de1e687cc9c2c9487650f13a911 |
| SHA512 | f703258b51eca8daebc11260264b4a9adc29af9216aff39cf7f030baf52c0b25b0047f8e515b618136cdd6609f80bae37244f64458db73c567d1a3c90f874def |
C:\Users\Admin\AppData\Local\Temp\ygMy.exe
| MD5 | 69843148e33d0abba77e3d68f4924631 |
| SHA1 | 2b4477c8564a4d45c539ce6fccf8301b88c7430a |
| SHA256 | cc79a28db4f69b3db451d21233ba43ed4f4bf6d0484eaeb5c0135b283542f5df |
| SHA512 | 7008c3fa1e19e3c854b2ad7d27c7050165f6e7ff1c5408dbf438d1c070b93875ff15b4c85dbd342e5f85f8f1b4de4feaeb0c133a70537e2bf59c2e87ae838ce4 |
C:\Users\Admin\AppData\Local\Temp\rCIEAEAo.bat
| MD5 | 61471ac2b0a2527acc528f53f8acacbc |
| SHA1 | d5800a5805fecea8b6688ab8759b98cd864e94d2 |
| SHA256 | 16d356aa6765402bab03bf0a89fd3bcf6b18145af93e92566e4a268465a01500 |
| SHA512 | 5e247c0e80a194682d790a8d714e82722d81cd20b879ffa996890323acefef98ef777a916e26af6484a95cf174daa694ea8c30edbb1723df75fa02fe874ff745 |
C:\Users\Admin\AppData\Local\Temp\OYYo.exe
| MD5 | c4525e71f009492f8834cd5ec5b12f40 |
| SHA1 | 767ed4804fb3de5b2c31c44206de98e0d2940129 |
| SHA256 | d790477e925dce30e322a6a9067ac8fc14028ce0f200e614743ddf5a9edae0d6 |
| SHA512 | c562b81fef53903b40c75fd3d95e99fcb09e86e64c94fa862d1a5c60ab5ef56d21a7b20efd5c4d927273b567337a1e6caf657f9f69ce91e1f400c59f39683334 |
C:\Users\Admin\AppData\Local\Temp\KAoW.exe
| MD5 | 73296e9369e468a32cb3ccafba1e2a5c |
| SHA1 | 0689fe9ec7282b73a48b72e906d1be7f5e87314f |
| SHA256 | 22f9881f02835df0512dad565f34e52c566e0adbad179c9032387d90c8940bb6 |
| SHA512 | e9e5df2031d50a1ab45d4a680d0a5214e303df4357c0b07cde4efc4080a7a5db6b28cdccc10d146818bc9676215206baf5e1ead21edf197a01c5a6990586926f |
C:\Users\Admin\AppData\Local\Temp\eYoG.ico
| MD5 | f461866875e8a7fc5c0e5bcdb48c67f6 |
| SHA1 | c6831938e249f1edaa968321f00141e6d791ca56 |
| SHA256 | 0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7 |
| SHA512 | d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f |
C:\Users\Admin\AppData\Local\Temp\Kocg.exe
| MD5 | d867a50fafc4a8be25f4b6c7ffa701b1 |
| SHA1 | c4445763d6e70ee9fba50774790b7c2650f744ee |
| SHA256 | bc3e2447e7b0d04998d371a632f5fb5844efbe4479ae1b7cd40368374d5f8db8 |
| SHA512 | e944f0b073db9f4d1c709d23c6b521a4d9b88823e663ed07a7e2880b8fd613380178a8972f5b9a4fb126d364e80b2a1ff6b91c756f9707c89557d295725d2dbb |
C:\Users\Admin\AppData\Local\Temp\AsUC.exe
| MD5 | 241be398ebd38189f262310f7bf756af |
| SHA1 | 396f315de0b66d95a8f24dea69a8dfa09ebaf35a |
| SHA256 | 96178e73af13330c331485f14415483e667b3a212d5bebf979cf400e7e77bcda |
| SHA512 | 133ae9317031059ca2b8a539e59aedd992a21110500ca81966b922d95f6b96a853ec834b8426a5867c3d440c25825bf9d24d90933b0acea7ca52371f4a8c0694 |
C:\Users\Admin\AppData\Local\Temp\raAwoosY.bat
| MD5 | b4f2e6295b8292659c38b4687ad06dac |
| SHA1 | d65bfe97090811502c9f252129b23e40b46249f5 |
| SHA256 | af56c40da73a3de6745a901baa97377c9a0f4a9388ebff4c343427c5205af4cb |
| SHA512 | a6f74f30946d1e2a456e8959bf01d7b4554e5a22a2ddd294323751c9a9f1c57376da5ac785bb39b0e5fcd55ce469af696b42b7b633cb3e66fb854188b65c731c |
C:\Users\Admin\AppData\Local\Temp\ukoA.exe
| MD5 | d86157ee5b11fbf1ca39b34aa6bc790a |
| SHA1 | abe40f92edaa8355e8fe91f8860de6d2c5f2e253 |
| SHA256 | 6c2bf982a2da4ed559ca07f29963ecec877d2b70aad90409d25ee21e970e66b5 |
| SHA512 | 052f7c092c01ade8afa83a9470efc3ac2b4818df77e16e0f4d0e77274d79b0c9a3e5a2c825f15ea6b8209788a4143d44b195785f716af2206c1718e19884d32d |
C:\Users\Admin\AppData\Local\Temp\IUkk.exe
| MD5 | a1c833c333ae38d87adc445b3dabc139 |
| SHA1 | 199a19fd168a1057359984130802941573974db1 |
| SHA256 | ae3844298877651ad1cdc8aa8306f7c127a1f232b6efbeb5bf3244c8c89c6ebd |
| SHA512 | 0c9d8393f93305ae694a443e9e6015ac4038ad32acef87bb1e9d9d847fab5d12c3bd8aa282f23b1c5b9442753ebe82dd0adb8a1bbf4898eecefc480cc1fefc68 |
C:\Users\Admin\AppData\Local\Temp\IQoU.exe
| MD5 | f41bccdf2d9e3af74f48071ebb35c1e1 |
| SHA1 | 4c7463a38ebb8fb3e424bc0864a022bf7e946dc1 |
| SHA256 | cecdb4d40762dc5892bca131baade7f811b186ec450d4697f0cc2e0a3b48168d |
| SHA512 | e66c9dd8ab858230855ff30aa2a36e0de1604846296830537764254697b32c1495bf25545cea4f34abfdec94e40f85200cccf413685d339bba98a63f24818e12 |
C:\Users\Admin\AppData\Local\Temp\CoUU.exe
| MD5 | 627c1cb16ee80da766d590395f06e832 |
| SHA1 | 1a658a3a5d922d63bff024814bf03fbb781575ee |
| SHA256 | 5803101209ff1a9e62762cd1fdd156d4e94308223baa6aaae07325eb2288187e |
| SHA512 | 88cf99b79634d2861d1589876512dd27464a115453247cee5029199495742d697c072cb0916382a3ecec8b06707399a057b03bb87c27001512245b9fb4506352 |
C:\Users\Admin\AppData\Local\Temp\SggW.exe
| MD5 | 93e05389549369de4a7b277e88423ec1 |
| SHA1 | 22f6945bfa1d292740c7167ff1b6e43934579939 |
| SHA256 | 7b35116c1f891f82bfc625dbfa31648a265fcd3a83dbf762fc048130a905dfc6 |
| SHA512 | 259d824807dae2d1a1c8f2c801f608373ade9ba18b6db0633326af9aee2b03268f7434a07bb895247e09135b9c2352f414484e5df76f4ebf70ce26624173228d |
C:\Users\Admin\AppData\Local\Temp\OCwAMQgQ.bat
| MD5 | bd41dbbec023644ed60b513531bdde65 |
| SHA1 | e7e6951e67acda054fcae51a1d53316891b95b4d |
| SHA256 | b2963bcee90d719ff4124b65f1f565928c2659edbcdc573f232ef6684c1910c9 |
| SHA512 | 9f6054de0b83786c8df349516ca6b67e76cc869ea71b26417cebc0830a656902101b67f5b771eff248a5857208d17e60114c06639dd0b7b47134a7c609446ef6 |
C:\Users\Admin\AppData\Local\Temp\AkkQgIsM.bat
| MD5 | 4fee1019a4a8f78cde08e365c5ffdfe1 |
| SHA1 | b2928ea88c060e7e1943015756e2bf624cdb6f5e |
| SHA256 | d5847abe1aae73c27101f5f8162647e5e10e3fd924af1c679babf202a7f9987a |
| SHA512 | 60a3ca0cf5342a8f194be09440e60d47ef0e7af78f5020991f70b8a3f62b86b3f6c2e44cc501c9e399cc56fed470de475106d0e4da0eb3b713181f53747b533f |
C:\Users\Admin\AppData\Local\Temp\wGsYIAgA.bat
| MD5 | df94b8fe26fe35f8c3fe54755faea7e4 |
| SHA1 | c7c7ae45745527c4b14cf8a7c75cfdefdf4d888c |
| SHA256 | f67c168d36b6b41ee97bfaa8cd867e0e17a87287a049f9a60131c0baac06208a |
| SHA512 | 976eddf90aec46526a7dc0b4af2c1774d2fe504498b61ee2a7baaf38a57eaacbacbed3c1011bb60bd2200f58a0a092463dbe18dc36e4082a1348ff02118bdc26 |
C:\Users\Admin\AppData\Local\Temp\PYwAUMwE.bat
| MD5 | a2b658d31da867b5cc643e8cb2b97b1d |
| SHA1 | 1aa1edccee7aea1e137eeaa21abc3b21fc8dca5c |
| SHA256 | 1c73cec8351b68f7457fc1bc24591b44cfade0661de621e8d9b56af2b5347748 |
| SHA512 | 0ad0c2a4d2587330b1224a68f0b51cac3f855ef3cf8c24f5d98bac8547f50f33eca6c70e70ba39666d9f49d730ea43e6fc37a9762aefffd9f6a2fbe63237a057 |
C:\Users\Admin\AppData\Local\Temp\beQwQYok.bat
| MD5 | 4472428787ab7b3f5be37013b93843a7 |
| SHA1 | 62eaee3e8c540e7adc047d6cd63e28ed7270c203 |
| SHA256 | 34fce2ee97dbc39087b9b00912569c101150a3f23011ffe5300c50ab731ff1b8 |
| SHA512 | 96b3197d866f3ee27629195c476624e20bd1dcdde36e68e91b4fd30378791af35f52b5fa89b2d72c5e637f460ce1ce2a0bb5c4f6230b1f82c455145c652f8e8b |
C:\Users\Admin\AppData\Local\Temp\NEogsMow.bat
| MD5 | dfbece28d253cfc150395b4c8e37b67d |
| SHA1 | 7832bd40ffc01d0680df4dc89a008bcbd70a11ed |
| SHA256 | 30ef3426d7aa965bde07341c4a7889bfd075021e1fde41f298502896625b03b3 |
| SHA512 | f0d73d295285ab0222f54d94aea6df4dc1ea2f5b116bec331453c017d3fcfa4199cc512e0aacceccc323d4f546123106feb1012d46f09a501a43917adbd747f7 |
C:\Users\Admin\AppData\Local\Temp\VYkkIgAU.bat
| MD5 | 6b623ed80952d84752280ade0342be76 |
| SHA1 | ff6715379fe60805b95b626d301425ecae6612c3 |
| SHA256 | c5322b4f5624cf35de77371ad68009f69f7a148e0b6963fe67d0c57c79d7d2d9 |
| SHA512 | 79465ff363db4ecc4729306c2e15492704a87b2607ec24ca21b1951ac887fb7ebb3a5af6e99384f33a6af6475ccd3f4602161dd461ff332fca2a2f1797524e7a |
C:\Users\Admin\AppData\Local\Temp\IisMwEEU.bat
| MD5 | 07d43266b33c07c17b8cc419907173f6 |
| SHA1 | 1a01587101f45db3a634c83d3ef8f1bdcbdebd4a |
| SHA256 | 41059713b8f9df3a7aebaa7729b51a60a9faa05ad39ab76b05748f790d9121d1 |
| SHA512 | 32723baee599191194f4f2b245e7c6ba51e16e402cc71966cd2816cf95794f4fa0e0ffafa33676598f1e8ff4cbf75b53835868cf5c21bbccab27d75ce91ebfeb |
C:\Users\Admin\AppData\Local\Temp\qUYMMwgI.bat
| MD5 | bb0375a2901950e1b5a738b6bb7ab46e |
| SHA1 | fd448b3653be31defc3c16e1031501689d077b8b |
| SHA256 | 5de83bd2264c8813f266c2161074bafdc32cc4ce79e9d154b090a124b582fcf9 |
| SHA512 | 50f444cb6a7dc0ff0c8387e38b88149aa176cc40be1d8cf762088676c161baa0b04068e6f1462eae3b73b7b8ef4353af84f48fc7328c71377e92be889bf30aee |
C:\Users\Admin\AppData\Local\Temp\IMQQQwMg.bat
| MD5 | b710772d76f4601ce7155eb59a5a5561 |
| SHA1 | 2533f86afbb99138fe0bbf7fbd5e9f7c93ebf854 |
| SHA256 | 9d85b943124316ffc72f52b558c42dd2a3ac576e52dbcbf952046202d2be7b72 |
| SHA512 | 118a94714979ef7df6ce953fee2a72374825f0a760c79945878889a1b271ce11326edde5032e5c1044372322115bb34f060b4415e177aa940a2a3918168edd00 |
C:\Users\Admin\AppData\Local\Temp\uesIQowE.bat
| MD5 | 99d349944b077960f95148dcd46227b5 |
| SHA1 | 23aea41408ab6e69d0d481a0b13d792ef5553009 |
| SHA256 | c7f8559b05a3db91dc11d6424f61ab815fa23b7b2e2f29832c51c2bee70489ec |
| SHA512 | b9d12d5f20e6ac969cb6e8600bf2e3b6dd1839c8620872a4647d8e3bc3ed4abc9c791e1163b360f738d378ee8d5ce92a929fa4d830136741f06f5d2e92051400 |
C:\Users\Admin\AppData\Local\Temp\husIMQsM.bat
| MD5 | 72332ca1b469225f582c7c7362187572 |
| SHA1 | 5e320d50f2cb4b85641201b70d8de2ab231a7973 |
| SHA256 | d99d19ab71262bd0fdda5e6a0f0e983d2432c9084f58b044feab2596b2e546cf |
| SHA512 | 2b387dd1c356c96e47031a9e467db159ad6fbf6c5c16ad09ad90659d7ed27dfedcf66878d37c61ecf50bf1ab166bbf57e47c4aeba1e68ad27216b3ffaa984af2 |
C:\Users\Admin\AppData\Local\Temp\vKUsAwIA.bat
| MD5 | 3341a5b4744ef04463fc92c5a7646fc4 |
| SHA1 | 884a5732eee7afafc8c6cf5c89464ab47896f102 |
| SHA256 | f1a85ede77b77e86b7f9df192b04ddb2035294f13309a743e457ee349e27a10e |
| SHA512 | f3172b613b5f41e1acdc1890c5fd3c28cb66c7af846325f6420154cd5e447ccc8ffbc81ec25220cd2c8b47f6e4e99850d9ffa29a73b5d9e897201ad80fe74c02 |
C:\Users\Admin\AppData\Local\Temp\dSEQocQU.bat
| MD5 | 6fb38e9fc6c77fa82d56c91580dc87f6 |
| SHA1 | 5ac575448b3a15494f4242c18d4c027f6f0cd963 |
| SHA256 | 77d2573495bc1f903d911d4d7a494722822882d3279e37e44a7485fdcfdb5c43 |
| SHA512 | 2d47a8b93a681c1f2dab9058627959dd7991c7fe1bc9b964d6ecfd84342096a065c598adf78b835b19c5d34ff7fd003b9ee2a8dd3d8ca70f1c6d75e95d28463b |
C:\Users\Admin\AppData\Local\Temp\rygEccow.bat
| MD5 | 7f5291aff92741fa96ffb902de57af81 |
| SHA1 | 32553cc0d85d194ffad7c3791f84e33e3b41b8f0 |
| SHA256 | ada3d157ef679fce9f45057c3a2f7b7a9d423ef63feb1fe12374ad4f21e2d9ba |
| SHA512 | cb8d1198dcc0811c1ce0f2a8cbcd32b0a99f2f9a285c659317ea22746f147182f278c66021759abeea7c15110c20aaf3463864bd77d49419fb963460946c7de5 |
C:\Users\Admin\AppData\Local\Temp\qWoYgMEo.bat
| MD5 | 5ee912bb2b95981493e4574eadf39627 |
| SHA1 | 1935a77f90acfcbeb19657dcfdafb6e52d86d1d9 |
| SHA256 | 1851271881a4a721fd7b751ac3d81fe827964c92e782c60fbc929f78ba146033 |
| SHA512 | 8f859fa67a437504ad03de297958b82c33087c341d90aeffbfe3c7267efb35c90bff0ee4a7b034b21ddbc0b2fc2bf2a0312b73927a615934d2f841c40298a2b8 |
C:\Users\Admin\AppData\Local\Temp\oewAswsU.bat
| MD5 | 4669146b0ed2bab4a8b13ba014c7b921 |
| SHA1 | 8cabefa5d36d4dc5950a79cb57f674df60dd638b |
| SHA256 | 83adb0e018bd50e073ba7ad3bd1251036ffd0059f14a90f207824c957620d550 |
| SHA512 | 89605ae393e4d6ee9f4b2a3ec63f437911a466816cfd360c205d132bd47129fd227947238671cad6cb3e7173a27b4a02eb719e6241d942fe8a3f54fe57ffb75e |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-04 02:42
Reported
2024-11-04 02:45
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
137s
Command Line
Signatures
Modifies visibility of file extensions in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
Renames multiple (84) files with added filename extension
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\WSUcEAck\liIoUkcI.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\WSUcEAck\liIoUkcI.exe | N/A |
| N/A | N/A | C:\ProgramData\LMAwIwsI\twQYoMMs.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\liIoUkcI.exe = "C:\\Users\\Admin\\WSUcEAck\\liIoUkcI.exe" | C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\twQYoMMs.exe = "C:\\ProgramData\\LMAwIwsI\\twQYoMMs.exe" | C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\liIoUkcI.exe = "C:\\Users\\Admin\\WSUcEAck\\liIoUkcI.exe" | C:\Users\Admin\WSUcEAck\liIoUkcI.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\twQYoMMs.exe = "C:\\ProgramData\\LMAwIwsI\\twQYoMMs.exe" | C:\ProgramData\LMAwIwsI\twQYoMMs.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\shell32.dll.exe | C:\Users\Admin\WSUcEAck\liIoUkcI.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\shell32.dll.exe | C:\Users\Admin\WSUcEAck\liIoUkcI.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\WSUcEAck\liIoUkcI.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\WSUcEAck\liIoUkcI.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe"
C:\Users\Admin\WSUcEAck\liIoUkcI.exe
"C:\Users\Admin\WSUcEAck\liIoUkcI.exe"
C:\ProgramData\LMAwIwsI\twQYoMMs.exe
"C:\ProgramData\LMAwIwsI\twQYoMMs.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eWgcYEsc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LAYwkcAU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VYgYEQkY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HuQgcckg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAowEgcc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yAYUYAYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SiMAMoos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CmswMEkU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CQAgAIAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vOYAkgMw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bGUAQgYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nYUQMUAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gUcIYQQs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IWwcoUcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IiIIoAUg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uswgwQoI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EWYcEEYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PyIkgQwY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nWsYgcQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PIQEkYMw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yuUwUEUM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cgYMMIYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SGQUYwYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KoYYsokQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hOcQEwQs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JEUAMQgw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RwMooggk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pEAoEEYg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ymEQUoAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qywQsIgc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ssAIgoUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SokgIEIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pQgAgUoI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NQMoEQMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VWkwMwsg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hugYUEoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uAUcMgwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qYsAIYkY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eCEQsEYM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qcAswgAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dmwgIgEU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FYYsYoEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RwcAAAYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XYgQAoQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ISMskMwk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gmUAoEQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EmIAYQsA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pQIMssUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xIgwIAgc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fyMMYEQs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lKoUYsYI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AicMwkUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\auUEcEcg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jqIsoIko.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xEggwEUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NQwUIggg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gEEQwswo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ckoIkQwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KasAwgcU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\buQEAIYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FEkkUogg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jycoQEcM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fQggwAYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\amAYgowE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YCAkAAoc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qOMscoYc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aOAkYEEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pSgwcEII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TWMEUsMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RqQUEQEU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yQokQYsc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MUkokMIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IkAccMwk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MMcMwUAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dIwcMQgg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BEcsQoIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ouwgcosE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IMAIwUMs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EsEsYkYc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kIoYUooI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dAEsQIoA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZCAoksoo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FywgAcog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RIQMQkgE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iaEYAYIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SQAIwokk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MmsQQYwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DoMssYIk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nqsgYYgU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\boEcAcYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HuMEcYcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QgQUkUUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ycogEUAM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KqQIAoYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hQsIsksU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BkQIcUEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TGoUUsQw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cmYooYAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Wgokkows.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gGEAgoMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dCMIwYMU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lYAIQgUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv nBDEIIwjFkOryAjvQ0MHLg.0.2
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vwYUoEkM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xKcYkEAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QYkYQcIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aGgMssUg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Network
| Country | Destination | Domain | Proto |
| BO | 200.87.164.69:9999 | tcp | |
| US | 8.8.8.8:53 | google.com | udp |
| BO | 200.87.164.69:9999 | tcp | |
| GB | 142.250.200.14:80 | google.com | tcp |
| GB | 142.250.200.14:80 | google.com | tcp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| BO | 200.119.204.12:9999 | tcp | |
| BO | 200.119.204.12:9999 | tcp | |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| BO | 190.186.45.170:9999 | tcp | |
| BO | 190.186.45.170:9999 | tcp | |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
memory/3580-0-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\WSUcEAck\liIoUkcI.exe
| MD5 | c9c85a2fd193f99a6e178ba001a9e51a |
| SHA1 | 2eae121ee8214867fbd1df09efc4408ae28566d3 |
| SHA256 | ceae9dd9dd51a29db73d053bf6f5e76136a1a60c190e6d5399058887133f955b |
| SHA512 | 3dc8bc6f98e5aab8203e081f495c56ca814319cc86a318ab58b80d41ae1695cf852aefe92e52fd1fee0f11cc5fcb04cbf5e3b0a8a18a43443e4ddf144975fb70 |
memory/1944-5-0x0000000000400000-0x000000000041C000-memory.dmp
C:\ProgramData\LMAwIwsI\twQYoMMs.exe
| MD5 | 97d25f8c4213cd68869487771b2676ca |
| SHA1 | 8f1364ec4a5f1680ac34b0d14589b54ae3c89169 |
| SHA256 | 38242012ecb0b0f586f70656bee35b45fd4c3a6470effff05caf361651218fb1 |
| SHA512 | 373612a8a184d2ae5f28368a6124bbdbd9a766fe76120210b9df34d881e3bb6276773d2fbf40cdbbe22e2b55db8a492e4caea50d615ae09704d93acffeb28a2f |
memory/3536-14-0x0000000000400000-0x000000000041D000-memory.dmp
memory/3580-19-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\eWgcYEsc.bat
| MD5 | bae1095f340720d965898063fede1273 |
| SHA1 | 455d8a81818a7e82b1490c949b32fa7ff98d5210 |
| SHA256 | ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a |
| SHA512 | 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024 |
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
| MD5 | d342c2b5f3d16dc992db22cb737ad617 |
| SHA1 | 615a98744fb22809454b706174597a4d6b6d128b |
| SHA256 | 0618d6fc5a05288bb126eb258fccfe7697e194022a57206671a172a39bc5e486 |
| SHA512 | 4f773f0cb331d46e54f89db7af96be8cd72689cd85d6698d9737052ca088c30e9bc4064cefc277ab7b65b76787735956702f6c7b8f048cabe46c2117107953d7 |
C:\Users\Admin\AppData\Local\Temp\file.vbs
| MD5 | 4afb5c4527091738faf9cd4addf9d34e |
| SHA1 | 170ba9d866894c1b109b62649b1893eb90350459 |
| SHA256 | 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc |
| SHA512 | 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5 |
memory/2356-30-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3612-41-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1480-52-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2664-63-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4304-74-0x0000000000400000-0x000000000042A000-memory.dmp
memory/864-85-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1156-96-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1816-104-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2312-108-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1816-120-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1864-119-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1864-131-0x0000000000400000-0x000000000042A000-memory.dmp
memory/864-142-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3668-153-0x0000000000400000-0x000000000042A000-memory.dmp
memory/5068-164-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3460-175-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4068-183-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2132-187-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4068-198-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4480-209-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1864-220-0x0000000000400000-0x000000000042A000-memory.dmp
memory/980-231-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2588-242-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4292-250-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1620-258-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4612-266-0x0000000000400000-0x000000000042A000-memory.dmp
memory/916-274-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1052-282-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3424-290-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4980-298-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2980-306-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3580-314-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1496-322-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2668-330-0x0000000000400000-0x000000000042A000-memory.dmp
memory/5080-338-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4156-346-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2884-354-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1272-362-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2816-370-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4340-378-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2540-383-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2176-387-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2540-395-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4536-403-0x0000000000400000-0x000000000042A000-memory.dmp
memory/408-411-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1424-419-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3060-427-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4600-435-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4608-443-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3752-451-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2236-459-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4548-467-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3240-472-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2176-476-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3240-484-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3860-492-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1140-500-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3576-502-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\SAQQ.exe
| MD5 | 647f7ea75cc578096491b046e1fad9b3 |
| SHA1 | 026f9defeaa6f9ac73c8cdcb29a9c6e75dc7a7b0 |
| SHA256 | 01980e355a4717041ef680dcb734fcb8e4fa466ce005143c4063a8101062b0b7 |
| SHA512 | 9f906985a6bbced0a65d42844daac25487ec2b01792ffa6a936dad1e9a949dfe87a5428797c65464347bece56749ea2df8ec6215527b7aae336732bad77e73a2 |
memory/3576-524-0x0000000000400000-0x000000000042A000-memory.dmp
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe
| MD5 | c0dec0a9fb0ab97e65ea39f08d1d7dfa |
| SHA1 | 3ee9c4e04471dd28c7d2069e2d72bbb34e13b453 |
| SHA256 | a868447d950fecc0c197c708bf7277dbeb72d0d833b06c9b17c8e16a7b5065c4 |
| SHA512 | 63d1b5e6d595039f7903f20d254892ce4d6a53f9cf9e12646f99e7794d704ba0362a2ff5a6f22cd4ad0fdb3cbc75e12078f5e2a3f30aa0a1575f186b8ac2a1c9 |
C:\Users\Admin\AppData\Local\Temp\mUMS.exe
| MD5 | ca505934c306617570b8bb995f5337f8 |
| SHA1 | 27d34b3232a93cc33beb19c5a024493f9e109505 |
| SHA256 | f637b68ad13e413d082e07668ad7bd56b9cceefcac0d69bae731b4434f28844e |
| SHA512 | 5f4a37963bfa9582a53c0e9fcc20f4fd863f2880a0136701a0a60cfa846d25947de62c6a256b98a50b689ad77231a36a16b9ef646df2819a82692f99e0af8c6a |
C:\Users\Admin\AppData\Local\Temp\KMUw.ico
| MD5 | ee421bd295eb1a0d8c54f8586ccb18fa |
| SHA1 | bc06850f3112289fce374241f7e9aff0a70ecb2f |
| SHA256 | 57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563 |
| SHA512 | dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897 |
C:\Users\Admin\AppData\Local\Temp\wAYM.exe
| MD5 | 79168973721fece79d92f59e9b1a4e2a |
| SHA1 | 3b77be9bf977c123ecf1dd5273ed1536aa82203c |
| SHA256 | de18a287a66e87ea2fcdd6560e73c20fc7ebd85e683b36f0d9f725232e087fe6 |
| SHA512 | 47e8c67f367ad39b7ab3e335e39557ec0f30578c8c0e397fdd947c1747c186a1bb3389163d318cc3ee292ae16b5f0b95e38e47093f254439b6ece264b096375d |
memory/712-573-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Scow.exe
| MD5 | 591eb505c57aa5bd5f1247b341f88fc2 |
| SHA1 | 778bb7718ae72764aaab9bcb3ba6e5df98b8bfd1 |
| SHA256 | aa44189bef75a84dcbef1e2876cc12982ddfa2686691c2b7ae11cfd17d17de49 |
| SHA512 | 444076ff61b19aaa68cf27be9c06fde2b55e37c5d86e90138091724f4adced9f3c5e5c509341a5acb7d32471ecc1f0977e8f277c28cb547e569837223d76cd52 |
C:\Users\Admin\AppData\Local\Temp\OsQU.exe
| MD5 | 70c8ec912950f62f2d56baf3987af636 |
| SHA1 | 6d9e6f03d0d1182730f173b4d446ab43146835f3 |
| SHA256 | 32859d50d99d3e02dcc030130fc25c4ef9e5a18d5eb15bc40146c6add912c544 |
| SHA512 | aacef63ea609486678aa481713059ba8f1e10610c69cf9e5580eb80da7966a9ad622a7c1ad1e0357fd753e607cb45d2b7fa35d1be68cf62824a90bc725965682 |
C:\Users\Admin\AppData\Local\Temp\QgAY.exe
| MD5 | 1db0f7a62c2a459d31d7ad6bfbe502e4 |
| SHA1 | 8b3e21338b01f7c222b09b0310f764c3183b4221 |
| SHA256 | ad6a00685236b7657056c3abcf3eba8b6ac142e1c02fc2347d31288051eab831 |
| SHA512 | 9b270b711a0d8129d75de2ab7b9d61da17fbd6219ba9ebb72211ef91104189dc4b58b13157841d6f3ae7891696f94e1fb81202ddc5306b34449aa100ee1e3889 |
memory/452-623-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3512-624-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\iYIg.exe
| MD5 | e44d52bf6495c7b90b9f4809d1602e48 |
| SHA1 | 6c4e450d8950d2b59af994b144f7c0e1635986d9 |
| SHA256 | 6a0cc7e096eef506f488eea451d5d69e4597385ab5cb64e33f506d0703955df3 |
| SHA512 | 8ccd41ea71a4b174de589e9561c088cb5408bb24059a0f8120162a72a67c66c736e4455a074d2c404c367ffe01d8df5f9a929fd8299e466cdd046a49e98b7cb0 |
C:\Users\Admin\AppData\Local\Temp\sQoe.exe
| MD5 | 99648d5a032740921f0d22afc8ad2083 |
| SHA1 | 4b3227c2c995c46702252dddfe0c81ad1e5a7362 |
| SHA256 | 8facaf6cf808cf5b0f17298927dadcceff1ccd646f6f2e832ab3c7570f99adce |
| SHA512 | 1f75407094b7b3ec22cd72e3d7b958a0bc5676da7f5ed9cbae36060b50bf08468b45d9e5f5c9bdf5e384aef48c21f02c81c8f2876a6bdaacb33cf041687844f1 |
C:\Users\Admin\AppData\Local\Temp\yIsS.exe
| MD5 | 0425dba2da133dfa90dd4354deacb9d9 |
| SHA1 | 35cc393eee488188af3c88a9ea189c944e1b90f1 |
| SHA256 | a045ba9c4eb32b83404a513f14c0a5698850e1095c6d2101ee5d0d17d2998645 |
| SHA512 | cf489ea0a4f268f51b4653e483f2f3aaf70c3f2f937d7202ae097ac9b23f7eb087cc648ae9ead6262abe5bfad0a83e34b178b345139fd3f1757a228372773074 |
C:\Users\Admin\AppData\Local\Temp\oowS.exe
| MD5 | a5885ad025ce9c5bfb3381bfd25328c6 |
| SHA1 | 02a7483a34a8d0a62e228091280c674eac52561e |
| SHA256 | 9ae848b298bd800e28d0c5984de140888e776a7c3893fca54d34880532db411f |
| SHA512 | b88c4472f1e16a6b8f454fe191c84e557423950ab234196d80763f3616a79f35ca204e0450c497c3ffb9597b060cb9fd712fda2b782df0060a5028cdfacf3348 |
memory/3512-674-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3080-688-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\kQUI.exe
| MD5 | 028aff8bd4f223881289500d295fbc85 |
| SHA1 | d776cbb359aebc99a146ee8fa85d4f419d8ef1d7 |
| SHA256 | 54856003565295d745c2607a2dbcd53f7f6285dbf3709886cd9a1786195f2d69 |
| SHA512 | cb5bfd5178015de43d47c4533effe5f6a4a2fe46e4e587951c311502afc2aaf0da63659b92d0f1595466d4786d99f32305d2e9b4e3638db047f4cc19d41a260b |
C:\ProgramData\Microsoft\User Account Pictures\user-48.png.exe
| MD5 | d693a7f9416b862d3766022b7c219b58 |
| SHA1 | 748a9e7f61ca3252fc6d1c3c95e1742403efbf44 |
| SHA256 | 8d92b3442c96191ed917bb4ab3dc2d9ac684016bd85bf6cc619a3d20bf3ce8f3 |
| SHA512 | ae058073425ee1ca036450091ebcd98b1ae4b712ad705e2074022454c208445d6af1178eecdb3038ea2efcc98b463349c0781947e81a60729f25e1e14788546d |
C:\Users\Admin\AppData\Local\Temp\osUk.exe
| MD5 | 9969e3c8b44cee75d840515bc1bf7005 |
| SHA1 | 0ef26ecfa2edfd8150a65743f3e818a2698a06c5 |
| SHA256 | cf58bca4a7d984bbf99af3c9bb3173de20086dfa664ed933f75deddbc7bef06b |
| SHA512 | faded045fa494d0c6a76530ee52e0541fc4587aa8d0b546bdcc825df84646a9adfae2718a42053f20e9e6325e086ab4dadce42d12858100ca5ac50a1acfc473a |
C:\Users\Admin\AppData\Local\Temp\sIgy.exe
| MD5 | 939c89b524dd30fc157e86e570d5d0df |
| SHA1 | 812546c2871d650bc0c07924ecffd3a3ef1a7201 |
| SHA256 | ea01cf33f8f248321cec2525cc835eb040278077159c42260aa477e80bca7174 |
| SHA512 | a9ae8a7324cc89fb08018c52ea87c6d1399283cc67b650d6216948e0684fef0c40c570d5c1b03210a68d039c234981c364ce93ce997ed707f5b6747391eae9c9 |
memory/3080-752-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\OQsM.exe
| MD5 | baa8fe5442d326acdfc57e522d6eaa04 |
| SHA1 | a8d7166730314e6fb27c4c270742f17434dcb0d9 |
| SHA256 | b5be1836c756cf1016e76b725b8ff17105910481d1bd388892c542a986756273 |
| SHA512 | 3d3c887c591677ffdfe8758f25f3d3eb427f268bfcec7bfb3ce017c107cd72fa191719dc3c05a02f56180c12655a5e8d1adc10d210b52406ea5a9cdf70d6df71 |
C:\Users\Admin\AppData\Local\Temp\agcS.ico
| MD5 | ac4b56cc5c5e71c3bb226181418fd891 |
| SHA1 | e62149df7a7d31a7777cae68822e4d0eaba2199d |
| SHA256 | 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3 |
| SHA512 | a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998 |
C:\Users\Admin\AppData\Local\Temp\ssMU.exe
| MD5 | 35a5a6c2662671d2a1003440e74e3c70 |
| SHA1 | f4587b9013ce5a025abeed1e770328e15551584b |
| SHA256 | c42bf5331af59ad396282999a959fa8ccac6184e91002cde22cdd40dbc5d4cab |
| SHA512 | 6bd4281c7fdb239b55defcbc7d63013ff4a367dc4ab46011856237293e1566c1469af4548ea8d7d0275dd8383ed26690e328403632d04d1e3fc57b8ff52c7de2 |
memory/1672-781-0x0000000000400000-0x000000000042A000-memory.dmp
C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
| MD5 | d4d642d321b87aee686b6632c12824f9 |
| SHA1 | 49e825227d0ce2eccf9492c9fb0a317860ae68cf |
| SHA256 | d5e3682d5f0f5a95b6f39d21bf938a4b7c48f0a29ab5e527bec33c40b5784dfb |
| SHA512 | d5168c464d67d61e33d9fbc0510f7a288173f19a40a434592baac3621467fa63efc730950a4499193fb0c3af19e7e0b21801dbadd8f384860c1c6f192dddebdd |
C:\Users\Admin\AppData\Local\Temp\kccs.exe
| MD5 | 75a7bf928b4723c6b3f09f590b781f39 |
| SHA1 | e62fce94d097f7129dfc5b56ac7e06bac18031b0 |
| SHA256 | d779e454690b10a184a5881bf8afe87de561ba3dabe523ed85a09fecf788dbea |
| SHA512 | db7cffe0d99ceb8bc2bf63159ca7df5382e98cbaaa693dde1a22b38640f3c64f317434023018c540b7e2aa882e0f8bbfc36e9a826ccfb711b4020a5530282413 |
C:\Users\Admin\AppData\Local\Temp\oEEA.exe
| MD5 | 012d59ee3acbae999c8231ea70bd798e |
| SHA1 | 76d5f04b748b8d2c7f0bbca8b77987e704325de0 |
| SHA256 | 46ccb1d52b840dabd2857921ab796044e67ff8353a96d3455a1f97e62997d379 |
| SHA512 | 484ec31c7cb555d622c634996425707d7758552d0511d6d491b00211727f89ca4093dc9474d38f34d544a14a765af2f6eeb9754832136b95345ae7a44a036c32 |
memory/1672-831-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\mYoS.exe
| MD5 | 67c0fc85570a77a410a93774a34b3df7 |
| SHA1 | 40b43f72e69762bc6d76c9a5ffc2d90b93f3b29f |
| SHA256 | 42785a92daee862e70e563cb856f0361ee039e9bba01dc61f28ac0d96ae60772 |
| SHA512 | 536a110b86d97e685eaeabdbf9a8abd59ab659f487d3597bdfdf74daccce23b98b7b2f72aada0e46e36183cac597fd91f94c4a47fea979935fd7a9e256648ba8 |
memory/3900-851-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\awEc.exe
| MD5 | 557b55a9471623e4c11a3f429cae7221 |
| SHA1 | 85d1876a55f34cbc53e86c33d375a01829fd115e |
| SHA256 | cc56dda632fc6782873cabd8f3c9c406cfd51ca87f6dbbe9793dc6dd777e682f |
| SHA512 | 2d3ae844a2947ba7c1eeb41bd5eb9119e24a9e5abdf211143e12318b35b691f2b41d9daba6d9d7edc82a29b6da5fa67cc5ea22c8c5682bba8f07fa73a0bda56a |
C:\ProgramData\Package Cache\{ef5af41f-d68c-48f7-bfb0-5055718601fc}\windowsdesktop-runtime-7.0.16-win-x64.exe
| MD5 | f4076180074dc555ff80cbe452050a20 |
| SHA1 | dc1c311bdbf43fcc2c7284ddfc53fa0616df7413 |
| SHA256 | 02cd85d5dc1d5488726a0f11e957e0b8973a640dd3a4e31ed107324340693816 |
| SHA512 | 9a881abeb407aec963d179e4eb4c81cf55da3d93144c54cebad5e412b18759d2d9106f17934f6bc98192688c2795d74acdad17479f06a979cdd0b9665768d64a |
C:\Users\Admin\AppData\Local\Temp\cUgo.exe
| MD5 | f51fde273cb7b6c5e56b03aa837ad7da |
| SHA1 | ebff319ff27d4b64684fb6160899889beffbfb78 |
| SHA256 | 691b9b6da257068a33e352389db5b6e4ca8e1d1de6b586612064a23dcfa8e3b6 |
| SHA512 | 2aeb99b1a152e0d904bf80b64d224be0f7b6c2abb6cc3b6cd52d7fb8ac948a2eb47b0b14a1031a4304fba05c41438fdd099ea8c5664a764091652bf9564cb6fb |
memory/3376-893-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3900-902-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\QIcg.exe
| MD5 | 242630376cfee9ae0ee78e8e8c20898a |
| SHA1 | 4ed881881e9596526d4edff65bf320b9bbe044fa |
| SHA256 | 6422a9edba4e2386a1efa8b0c5fef34c4a046205730b5c1b3e4bdf6dc8985941 |
| SHA512 | 0965da3668bb7a5928db9008b8d42ac6320126c6b3514eb16b8a4e20d6c8acf35302c83f57ce6bf1227d74ff4ed80cb2e8d6784846eaf8d024adb8fb9a199fa4 |
C:\Users\Admin\AppData\Local\Temp\UEQo.exe
| MD5 | 6c9132d01934ad1da14e53596c7f52ee |
| SHA1 | 92406ec97e91824ed57222daee87355f6edbd990 |
| SHA256 | 27741c3ed54f75a0e32443bb3989a85be7b515de3566dec2039608e491876773 |
| SHA512 | 552acee5e6e4677d7a683818e626c80941f2bef44ec095ceadbcd60be75cfcaa98e8d333a4cb9ff7609baea41e68aba548775dd59c18f2e8d70affaaba9dd0e4 |
C:\Users\Admin\AppData\Local\Temp\AssI.exe
| MD5 | 4ff44968f478b167625e94e608b56140 |
| SHA1 | 0d7baac46d2705ffea6b15747f259772d53177f0 |
| SHA256 | 9142ebbba5dfa5d1f5d7edb8def55844da7d44984a8af10c73e9f3e6b5b52742 |
| SHA512 | 0798967d57e96c284a5d5d43b6801f52d2ca43f67929f7cad012e58f755419092d854bc49811bffb3170e09f2ff740e04d01cc8c22806ae71d5ae8d2a428ef75 |
C:\Users\Admin\AppData\Local\Temp\QcEs.exe
| MD5 | 371978002afd6057d2430f8ecc9ce023 |
| SHA1 | 015dd962994a25a26ea0cd9eedcc303a44b2d4ab |
| SHA256 | 200d64f8719b91845de64f918810d333124cec8c3ceeba084950c63650dc1625 |
| SHA512 | 99432d079f6384ce5a8cf9d9c2512aff82341a0c7e21d0cf388c91a5de7afc993bbd0539f8c8b64de223b96db805ab0b9dc69e035f904956885d713a4d3cc0f5 |
C:\Users\Admin\AppData\Local\Temp\csIa.exe
| MD5 | 903e0c64e0534c0ed1fe2ee5d776ec2b |
| SHA1 | a148f21254065e92453d712a4d94c933890e951f |
| SHA256 | 3b325e74cf563eaddf6de173f4b454164dd7a14591b7aad0860886c4e9cd4cdf |
| SHA512 | c6dabe3799eafb69b0816c203114b3a817fe915ff79c6400275e91478b8990aa9a428602a360912c25827e4f73ff0375b31c8befb7142c72442770608521a796 |
memory/3376-988-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IsQC.exe
| MD5 | 49489f895702c0d72eeef2309b1b1535 |
| SHA1 | d94273b997b73f7285260bd63d9cc58ce4ec7cb1 |
| SHA256 | 2fd9328061c570ffa54473c945d4fb6e5dc4a2419f2edb9ff81ec741078f6a62 |
| SHA512 | b78299bdf49790a5a967e0aa87ba22b7e1abc04769f44b222e8731747f894371d9e654a4c5bf80958d64355125cac15de3d2286ec3870ad0801ce0a3dc71b2bc |
C:\Users\Admin\AppData\Local\Temp\YswO.exe
| MD5 | 52e10ad401df694f4a02c8eef706ef87 |
| SHA1 | 38f619e39c9e8ef7e95acbf24f8ee89030617a1d |
| SHA256 | a891857417c80c43433173ed0e0cb44c9af8561a9adae7bb0a4fc4b70cad6c10 |
| SHA512 | 11a93aa0c4d28a4718e5f4369a271d4962cf93ec633f7b7a3ef288ffb0f5cd7d42cec3ffe6332eda0585e321f9d39046f5bc910ba9bdfa0f5af442a913375204 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AutoPlayOptIn.png.exe
| MD5 | d08f030a30188e3590e8ab42b75eb5b2 |
| SHA1 | cbbb729c3b1ada77507be2c27e6eac7efdc7e282 |
| SHA256 | 17f8b463371b4792d015a1e070ffb35a9d77b71603fba334a32226c5bb543fed |
| SHA512 | adb2ad99c3b13bc4fa3b8823d49aac4eb6759a844eb91dd5e8926039e2a0367ba2202b270fe7e6e87db347e30128d737dc0c492f2b37f297962dc653f520bd61 |
C:\Users\Admin\AppData\Local\Temp\EkEi.exe
| MD5 | 1d67a2d598f2fefcb383b30b0cda7ed5 |
| SHA1 | de65a7efd855dae7e540bbc9680dc822bb48cedd |
| SHA256 | 979d58903f00499f4dbf13375bd0c76d86640dbdc0b09e18a4608abe3aa3b3bb |
| SHA512 | 5defc7497308fae53fe1e0166d5c3d91c817bf3af330c6064dac70c36a3764ce55063f799044415cc69a9eb80170a99e6ce46c282cd4cac8ccc6f96127c72973 |
memory/980-1039-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IYQE.exe
| MD5 | c25456882aa2be6e7b37a954dbf5e3ae |
| SHA1 | 035d8d062c64c8f1040c9e22ceaf0bdb84be214e |
| SHA256 | 591b83a8cd033ae52e4c4e5959b3d024d48ab6f27b008f0e918651bb6ff114f8 |
| SHA512 | 22d12b25ada2445d1cb9832016574ebd5d67c06f6a57e0971b039e0605c28c9805503b30a3f9b789f054ac3a177bc4207baeddfdddda23dbb5e5ced76b60e4e0 |
C:\Users\Admin\AppData\Local\Temp\SocC.exe
| MD5 | d71351b3031514403d674774b66ddb75 |
| SHA1 | 6a2e3e314549eb99fec789d86330219762a62128 |
| SHA256 | 3406bc9c8c3c5db052698d0b3012657c5fab67b92ebfbf4e2c1f3984cd27d06a |
| SHA512 | c8b4e6d47bfc1bd5f69be07cf7366f58250be0a6e1d260c2cca98ebd0d0d8fff7a2e90e5186cca6bc594189854df1c966f591386432d2c0e26de88435c51b7a2 |
memory/2124-1075-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\SsUi.exe
| MD5 | fc52ce86c17c9591e225b3c5a73eee5a |
| SHA1 | 6ef98cf40b619b491abc78f5c29a0a3e75cef0c8 |
| SHA256 | 9f2dfc74bcc8cdbc696a2ca74fb8170c2df8b6bfc4cf6504ab86515ae57e0c96 |
| SHA512 | 68f74870405ff6e1143dbbfd42fce0e00831880f49f76023ae44e5ae4c74121d66b746cd436f54b63be54884433debb1c33d55729b6edef1ce3d02863a91fff8 |
C:\Users\Admin\AppData\Local\Temp\gocE.exe
| MD5 | 276a98758db08809e004b2c036fc0fc4 |
| SHA1 | 260e5d125e296d4b815d000c265abec10aacc6cc |
| SHA256 | 83b3b98e8f3ae7c78fbace5a64c77d11651ad787ad394a2c441bfaf6423c1d97 |
| SHA512 | f639f9d7eb2e1325f86c3bb7057f2f2f55aece4652e5ef991317df646b85f2c09683678fd68e73d1f5ff8178839d0447d3b88607d5ea399f9ef65dfb05c45cf4 |
C:\Users\Admin\AppData\Local\Temp\UkoW.exe
| MD5 | 67f9e90ce56f545bff6fc4f0d3391ef3 |
| SHA1 | 9605ceb6aa886e2b0962aa4398e7bb4da3f430f6 |
| SHA256 | 532822fedf6d97415373ea3231cd93d2a9bc25207ece8116d90b34a72914069a |
| SHA512 | 48a6f955835c4d7b93393e712bc8b2c18955ec85bef801d1ed4512b7de4a32c7987e71e81e5136f948a1d7e512307c117f34e57c92265e8377575b278d5ae10a |
memory/1780-1122-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\WIgK.exe
| MD5 | b772103a1c64de8ee90701b85037d886 |
| SHA1 | 4cabe71068884e8992203297e6c5f208f4330aaa |
| SHA256 | d9ca1d185e87e72569b150254adc2ced78535ee0a298b3178b4ac3f55ed041dc |
| SHA512 | 1e15167b559670e3ac6f30f23bd854d69b1ab406750d3dbebddc34afe810b2b73a9fd054baf628581baf49940b5d9773bbda6961a6682f7c05fc670fee408c88 |
memory/1096-1140-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\AcUe.exe
| MD5 | 2872d611577e254c9391e1b790094748 |
| SHA1 | edc116fad25fb2a783eeda7bceefe352b1406369 |
| SHA256 | 59f21fd8186c720f8b94c64829874a399ccbae82614bc66a660de40e57a07c0e |
| SHA512 | 6f3dd68660b015bec53336c2b4d6c7de0fc8a528384255ac5a746f0a33c95a3b33e44fcb8ee4cb4121a4a80690e12ab7015776c8d8501eaabbcfed42c1704eb7 |
C:\Users\Admin\AppData\Local\Temp\SgkW.exe
| MD5 | 9b2b42f123a7723f69a24dde524958c4 |
| SHA1 | 73eba3a2b47d2494b929b0f5f5c4ef19d65af318 |
| SHA256 | c8bb53a816d98755e5e5cc5823098b2bb3aa9a47cb0f885856dbb64f2343afb2 |
| SHA512 | 732170557036354befa3a52692150322497add1ff4271637a056d6ca5118d450d99e5d5224942fe18a9e6512675a3237f47f5db4c4970de0f98a0f418a89030a |
memory/1780-1181-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\qQUy.exe
| MD5 | 0bec895e45265734e208c277bab54af7 |
| SHA1 | 3aba1d69de5703f98e75b71aa560f28f0bb36db7 |
| SHA256 | d6f07d1b60b4fcf21940dcb698c7ebb7a57a9fa3e8806f1ad6976187d3992ef3 |
| SHA512 | 80b8082c3b4ef636bd435c3969be006843af6ed6422b16038492877b34e2e3d961d547831f192dd09991e28d1f9439ddb7c4fc58c93282aae63f94233eb3b448 |
C:\Users\Admin\AppData\Local\Temp\WwgO.exe
| MD5 | bc8fbbbd4cecc2dcbd39a8bd350a8339 |
| SHA1 | 72897e2ec210b6587a5a26e2ad3e84abfdb552c8 |
| SHA256 | 38e9f813e231be12cad1e080b8af4bc582cad2deb75c44a2eca6699a9c1b7f50 |
| SHA512 | 88e5cdf0e5b656c575cd26da368a569ec0026267024c82616a59500f1902e10337fbcb23713695a7098438ac27c85fdb3a11ab7cc02d533923092eb7fc1dbd23 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ScreenshotOptIn.gif.exe
| MD5 | 99ff41ed946aea0586cd2c54453e8d30 |
| SHA1 | bd2fc80e4e02bfa9f2f78a7448a6416e7aa4f3f6 |
| SHA256 | 33d20ff32718928c6ef6a3faa969bb8de4c3a322e819e8856adbff2afaa21b17 |
| SHA512 | 536cf6ee42bf6e4a0a5c4867f8b3f969f6f468f6ced57ad8502ca98cb034022929d76d5110cb53250cb828cf4da85f5d38aaba8fac362846ebd1da4d7b9ab784 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\Warning.png.exe
| MD5 | 725800076f19c8ae250e209419b26285 |
| SHA1 | 5171bee7ef0282b62c3311d6bf2d2c9984507b88 |
| SHA256 | c412e1b0884a38bd466b5f609a420590cba7accbddcce1ff677fedff9a0913d9 |
| SHA512 | 205d85f641ff40d74d6aeb3474b93e4aeba55af006a907dd6c6c34a565886112b6ba50a427fb28fa1b5b64784cf2f6c60facc049bc2a62d7cc855b090d5866bf |
C:\Users\Admin\AppData\Local\Temp\yUAE.exe
| MD5 | 1cd78873156dbc95219714331b20516f |
| SHA1 | 47be72980328cf9f338b8062fddef33c9f3fe2e6 |
| SHA256 | b87bbe74460a3ff0240183a3d86032dfb8238fcb5adfcec24ab2e8af28a7308f |
| SHA512 | aaf15a8a37213c6b6572d6e6d332b290e58a04a9a6535911b5350ada6620cdcb56eda2fcbb7e7de8d158d0ee73ab87268a89b9027fc947302f7914e4d966dd6a |
memory/2916-1254-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\awsm.exe
| MD5 | f298d4cd028634652d8337a4fc5bfc5c |
| SHA1 | 67ca76aca72ee0c03ee48f95a4d148275721be98 |
| SHA256 | a553b7cecda864ebf7567b7d6e000d6a916d67421bdf3fae9d64046ded341b3f |
| SHA512 | 6950d6761b358f9a6f1994d21838c3f505ac1c2dde9ca40b5c1835961a6fa752a5001067d334217d996df44783d97a798f4b7d20ea481fc10661824360dd5704 |
C:\Users\Admin\AppData\Local\Temp\yEAm.exe
| MD5 | 4c92fa1d248ac9020e86d93cb412329b |
| SHA1 | 4fe3af1c828891a56bb1df0fc737e5450c591e4b |
| SHA256 | 385862f781e1f529520db179662d5236f9762cb337e429a667cba0aef500f4e4 |
| SHA512 | 56d2e2d593644aa7784751349346b905565e2de1cb07461fb20a9bac8019d223394ec7af47264c2fe1d24587679897b91eeb3441a791b86a26efe556ac001bac |
C:\Users\Admin\AppData\Local\Temp\YEEU.exe
| MD5 | b02ee8c34d96843c7a73e3fbc12e5050 |
| SHA1 | e951843c8fe4815b9ddbd67446146500f7391f5a |
| SHA256 | 7c7a68ecb248fd1f086016bcea3ac7b277e3593708dfed7f115abb83f3af81fc |
| SHA512 | 9a04d7b97a6d37358038d868fb645ad82fafe04ee8cd2362f176465b33cb1c71f6d4ce00ec043b2dc33dfe192c60ce7b2766532d66b51ff5591189cc2428726f |
memory/3444-1303-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\qUwW.exe
| MD5 | c25189b203b8923f4347d593a1bf0406 |
| SHA1 | 241bc857340e4cadcf063c1a07a8412b9c829e93 |
| SHA256 | 8b6672040e1fcd29aaeebc4d88ab6cdf35770a726b1a4df190b1966d917cbbbf |
| SHA512 | db208114652baa641b4f1cfd279ece5d5779e59ed25335216b3786d0aa38b50a18185e755db89cbbcb65693e7b95b7f12f83c59a0eb68966b5560c9499bfc358 |
C:\Users\Admin\AppData\Local\Temp\cwQW.exe
| MD5 | 836419b4420761bfc2e500ad765e494e |
| SHA1 | 254117cbce9f29412e20106975d1912610c87d84 |
| SHA256 | 69ba451b47c5ca6196f282bbfdebd48691c26265066b3cac958751c51588cdef |
| SHA512 | dc338f12cb34a7a78b51f2b4b591e7d7b09cb98277822351f57be837d2a1bdc9ea92c620ab924adf84f4e436ce26932131946c9f071cbda13a2a0ef564961570 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-125.png.exe
| MD5 | 8a7598ad043b526e565954c42b16410d |
| SHA1 | 607a30e51a6abb3171e75bd828710543d18c1688 |
| SHA256 | 2c26e02fd10ed5c91e32d5961984494e22865fd3d41cf2d86dfed32d567d4e9a |
| SHA512 | e8da80dd7ce77b112752a9bca8660bb59a37e5b04c2c358c0ccac547976ff5112ce3a52b90584313c75aaa3f30e75bece768ba251ec02ebaeb0ede72f4cc9ebf |
C:\Users\Admin\AppData\Local\Temp\kcYe.exe
| MD5 | 2ab8f3a332077da383777c3df10228c0 |
| SHA1 | 1b9a6a5df0513134b23399f42d8b2ec6092d9d2b |
| SHA256 | ee9f11562e636b08e2cb0972e384b97f11881c13f50b515f0056e8b091b1f8d1 |
| SHA512 | 56ca25ee88e857ecd70b47e90707cfe0bc303bd4bb1f41f787a9323084ef2d37aefe9a44adde3bcf04d378a3176e51a46b8bd4ac69932be377ba0a9756905b51 |
memory/4872-1381-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\uwcK.exe
| MD5 | 3fa41a97ce18159f5b40af3f219d6e71 |
| SHA1 | 45be5223f5568edbcccb7a297a561ba0cd61d24b |
| SHA256 | 425d8aa6b79f71e24f6435d3d9e2a448d06b98a1b71588dbfc5160f78ebb859b |
| SHA512 | e3ef44f3fcf215b51308a06574bb79fa5ae72653932b9c8bdd2bcdc6bccc34428ab2aea552caa7a6002b96ca7bd61f7bcb0f448ad7f2153cabb2aeb99b682f09 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-400.png.exe
| MD5 | 35eb3c474ad7d28cb419dd2b8ccc5d9a |
| SHA1 | 4f4b615c9e8a20bdb5f892e48a20aa017e5d2c03 |
| SHA256 | 20ed1cc679e119c172eb686b839d1057ab9b828574619e29b880143a6b6bfdcb |
| SHA512 | 39ed1164c8badd5ec5390a286cf2d23a1893bb6300344711034c695acee6bdd0bc7e0c0d0cc5e76179a1c3f05d891a697169c64b1aeed1d7283ccea6a3a551e8 |
C:\Users\Admin\AppData\Local\Temp\kcYI.exe
| MD5 | aaedad7c4827b1572c8af941b9723114 |
| SHA1 | b2fa62ca50146f2a7016c1bced58c7bfbead2a78 |
| SHA256 | 80569128de8ad4c5f9c4d7ef5d1ed11066957337b281ad434aa33f2dddc13204 |
| SHA512 | a6fdfe8203d3c463cb8c38c819a181a58adaae2e7233ef19ac094820711512bf01bac485550f90b945a46528099e621c8dae4014c28a266f16214f6d845041ad |
C:\Users\Admin\AppData\Local\Temp\Eswk.exe
| MD5 | 0965622f11b0f3cdc5a6453c5bc3489f |
| SHA1 | c208e4d2abe823fed434dfae159d6b066eb03f95 |
| SHA256 | 398bd3a88724d36e70206e5871323db045516452035a3cb1d2000125a18728ae |
| SHA512 | 7e3f6fcfcacf6dc4c367ba221bb4707dd55dc31a5673bd4dda2173d0041b26c98dd62ad799493348cd947efe76dc608506c25d68991798beae44b80e9ff680b2 |
C:\Users\Admin\AppData\Local\Temp\IEkG.exe
| MD5 | 98f550067b1961860be63842357783ca |
| SHA1 | 6822e568cf7276f3f1346f700029f146033e6626 |
| SHA256 | e159d04dfc99cd04c1aa963c7175980fe548c1ca9f7fe8ce68000a2190d10f45 |
| SHA512 | f05d9fd80e2d892f3fd41bc048f11f0b30c5a8e3c93961f8a0b37d3c6e769026cf03c2cb7fd38aab0f17c69099f77cae4d5affa245da04093880b65a2c6365ed |
C:\Users\Admin\AppData\Local\Temp\iYca.exe
| MD5 | 70b60369ca3c8861f8bb9de409565e1b |
| SHA1 | a7317318b9f29079dbdc96c57993d894508e1d4a |
| SHA256 | 427d529b87802c8f9669fb1e06c30927a9757d9d24625380f7ef7675ecba0776 |
| SHA512 | b23394ca5ac6648739c4603e3ed8315decec432ffbaf0caa3ffdcbdbfa3d56209b69250d7663199cd77b0974790f814e5a30e727d48fd99887693453ff08a53b |
memory/1088-1459-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2160-1473-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Oswk.exe
| MD5 | 603bb3210371e0b3d51529469a546d41 |
| SHA1 | 150b20689e2e83d215ebcc188b1fd3aa68794748 |
| SHA256 | bb657b5922028ce9d468d078cf758fa9dcdb61cf53778cfff8e325b03e35c180 |
| SHA512 | a836769021469d56e52f2b336ff82674f36e819d5bf4a75663dacf9a53b02786bff8ff3a91ae8a8a9161c866ee17a8875144c2cbddbc2ddaaa2af02762909000 |
C:\Users\Admin\AppData\Local\Temp\CgcS.exe
| MD5 | 2a0538682a07a563647c482463d95942 |
| SHA1 | 531733750ddfe55a5020d1b0f4134bbe3294efa7 |
| SHA256 | 9612d0f59cbd1b70aee0f256a4f38e06d7ada25e213353b5bb2d5d9bda4dc2c0 |
| SHA512 | f50a3bdecea034b6e20a564c94196aceaa4bc16c1a099148f26baab92fe893d081a96a089438260698d0c6d242599fe9610a12e305d98976e288f57bba1bd280 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-125.png.exe
| MD5 | 329e7dc6c3403974cce7c3827ca84fa5 |
| SHA1 | 6f07459ca53c1bbc5c78e4857be5f0cc16d2b4c6 |
| SHA256 | 8e2f90ca069f5515474d01250cd968849999f0a9492cd77f0096f61ee5d58087 |
| SHA512 | 2339211739c93aa7e6be0ed3c65f11ab4d0ef6640d3e6428522a82755f125e72a184561bb33038d170f7a5e284691d8b17d88d0131ac8bf5b97470be5b7a8219 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-150.png.exe
| MD5 | 214ea6e7f5bfa777485738cf19dc6225 |
| SHA1 | b5c16f2fe5b47764b25e78dfc569745c4aff7788 |
| SHA256 | dc1302ead2d1ae62490b42f1b63bd3e525b25e48d3d8784d7b329906f6740a41 |
| SHA512 | b7d649eb96cef5d5986061aa6d0377c39bbbae73e904e61cd48a225446f44700f753ffa13964cd93ea7f60555b87c32d53c99659a5e9158b6f6fe3e2183d4b59 |
C:\Users\Admin\AppData\Local\Temp\QQoK.exe
| MD5 | 70c735f4865ce92ab22699ed2f78b487 |
| SHA1 | 6a6fe18202df81d423b8ce75461a3a62cace6f60 |
| SHA256 | 818af31871eb7275ebde555e2a4b47492edf322724fb8dc7112fd3305e362f4e |
| SHA512 | ac698115245aca9dad19d9224b448acc679e76cc662a5bb7ef4f4282aefa81c7359386f8791559bd7e98eaeb49fdf13c68315a6c8d94dc02b6799e6e70418389 |
memory/1088-1537-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\mkQI.exe
| MD5 | 25354fb7336c8df3a3e7fdca8bac2e0a |
| SHA1 | 4c64c9b9066c19d2074404f55922b080a07669a4 |
| SHA256 | cb3567b38f8ff9308f9fca84b04c2f462b055bdfad259a408f6fdc1055f006db |
| SHA512 | abf9329d13ddaeff0297c41f4f3b89ab77cbaa2820be770cdba36803ef26394dd953774de70f5571179eec0c67c0cd39552d7205dc941d3d57c228216517d499 |
C:\Users\Admin\AppData\Local\Temp\IoMc.exe
| MD5 | ff862e1ba9d46ca1dcc3d5e259d4ce28 |
| SHA1 | 06dcfe2f3dfc9ee4a33203f3df78dee3561f89de |
| SHA256 | d5be73fcd2a3f55e5e1d20fdca3fadfde8d90a576962fe6f29d032b206e1d17c |
| SHA512 | 8397923204721bf49c0b78b2d1dd3e20c173d6904d257168a449919f477d82666bde38954560a4b41d70dbba2e9af7ecb7a1fdb265fd4843b826176aeecdda97 |
C:\Users\Admin\AppData\Local\Temp\GYUi.exe
| MD5 | 1835b52e3a2b29fe70ba4e862623f706 |
| SHA1 | 5913f51e9cc1dfa157d5a93a8cc95e3f6193db1e |
| SHA256 | 68b8aadd7d54bea920d151fa62ea53fddd95e6594f1d2de2ac4c7c9105679074 |
| SHA512 | 81b70c9d571cfaab5f597dcc398bd41bf203ec55aee4e39015321d9fe7cf3e14d80bdce15f675951d2bca7a3fc1bfda161846cdfcf8590e150d06d0f804da4e6 |
C:\Users\Admin\AppData\Local\Temp\EEcw.exe
| MD5 | 56f750feeaf37bc276f8ef4869b0784d |
| SHA1 | f60180190f629c414071aad381db0014a118364c |
| SHA256 | 324a2983fc2a0cc94e53145d63e4f9343429718bb9310638e283b9f284d55fd2 |
| SHA512 | 85a1f81450e12ef69a42fee84254097ad054fc1b0980980f0d4bedc3de1b233684dcaf2fab5e94a35c190773be69c02bb2a447cee69a54e1d2b26d33705c6dbf |
memory/1228-1601-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\AsEQ.exe
| MD5 | d2b8c4c8dae6522f941f1ff4f0e2a18d |
| SHA1 | a7524da3c852136fa01d573159e4bf6a5b50f170 |
| SHA256 | ca405f5f0b886a2b8904f76e73a9aefd00004acbca9346dec84bb3e18f82fc7e |
| SHA512 | 6d46f35f6a086a9156075c01bf2a8c5371f5523c88052cfe1e70081d6e072d3d0444df40b8e7ba6669fe0ec7850b684220e44bf3f6869cb6e4602d31e38b1f18 |
C:\Users\Admin\AppData\Local\Temp\iAIO.exe
| MD5 | f6ac2b2c601d444352789291cb722196 |
| SHA1 | aa093422f5d9235758522c041ffa00e1fec44ece |
| SHA256 | 7006474cc622d7d5b2a01ca9acc3ca2085d091f788e0058c2012c9d463bf0c7c |
| SHA512 | 8061170ad74495ffb9d1922c9cbec31ce47883a12fed0fe71bf46e7f24cb0d3338014dbb7166a15e941a4586d860b8b814b1be9f235646dc86f57723c6bb3763 |
C:\Users\Admin\AppData\Local\Temp\msoy.exe
| MD5 | cf419c4de6d62a2a41572c5bdb0e87f5 |
| SHA1 | 78523e0a2e7088de0517d95ccab28fcba0c2db27 |
| SHA256 | 0d05f8e942964f0d3ba8aaa034a108eca93a9c463857de03a2785a45e4bf498e |
| SHA512 | 927ac93d414d779c846402c7c10ae3461d6cb33bf63c3618e4903f700eba2c47639af528abcb533762798367c77ef063a1ee2028947de9894790ab7cc365925a |
memory/2008-1651-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\GMUk.exe
| MD5 | 7f0e6ee86bd944f9c651092aded956af |
| SHA1 | da541a4aed51b602897fe1a020679b8b38f1e912 |
| SHA256 | a3ddb4b812936b8c9d80ace04e2aad64702da5f7b4631b5f069087e03aba6c69 |
| SHA512 | 81be4191f836b8f97bfe081ef677a43142cbcf89e2fbd1013339965b12acab21fcaeb707a5d6cedc2b16cea5237ea8aa8083416ddb4cf9ca12e221db08a308b0 |
C:\Users\Admin\AppData\Local\Temp\EkUI.exe
| MD5 | f5894ab2faee6fbb4aa2af7e1acb361a |
| SHA1 | 0acc6142288506902af63ea2486354e609880af1 |
| SHA256 | 36eaf2efcc173b4e1f82fc32e8efa5aca611635a3226742ab1a8c343eeed84c4 |
| SHA512 | 5704ca35b9f5a3ba416c306a66e30e9722fdaa00318c27844c82d7e9ed76a1b5c1deb0f5b4526429c262149daa2bda68a8e1745232c597e6b5447859f7ad90b1 |
C:\Users\Admin\AppData\Local\Temp\usoU.exe
| MD5 | bd629b1a1a940cad1b68b9f849323295 |
| SHA1 | c02562057b426fa2c190397cfa0112ce1efe80bb |
| SHA256 | 5e0c5daaf38877dfdc0fbeff21807ed048824fb1f03965bab2deadef7df0e5fb |
| SHA512 | 96c00b10c28eb53a0f25031aec6ea1758f042eaccfa3b07be35e29e71ad4bdf5c84d19292ad7777044f03d8d5818e4ac29997976528c73ae8782dfecaf3461c7 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-400.png.exe
| MD5 | 0d4310c4b3fab45c8233d590bd3a5da7 |
| SHA1 | 66671e14f085c01921f9b30f0e5c3af79924d6b1 |
| SHA256 | 6eefbdf4ade66f015dba6f600475beb92f57e46762746ddff80624912b5e82c2 |
| SHA512 | 3eabce6d9adf331e3cd4c432eb639d87465f3d095a5c14e8f9e1e86699111cc79de2d8c8d1cfbe92f091569857492ebaea983ac79806c72327d302b43da84ff3 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
| MD5 | 04a906f79f8a1bfbbd217343b9fb0e21 |
| SHA1 | 5ea930e302ee75f406ffce9a427cf62c7b9e0969 |
| SHA256 | 3ccf0f2d1a4e4b2db927db47764487930ae1a0cc5f6e99737cae5ff9ecd7ef89 |
| SHA512 | 32fc124291917e54647582ef730f49570261fe24248d386255cbebf1ddd1fa1d0b6acb58b2cd2e6a4379bb7beb7551e1b1b06cce2fa1aef9c0cbda04521d3dcb |
memory/1872-1726-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3744-1730-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\mwci.exe
| MD5 | f4f110f0bdffd7892137d876c67268cb |
| SHA1 | db9f3f68f7ee934404d26b442bf357f869148ee4 |
| SHA256 | 4ef058eb6597e63e9ca2dcdec7aa79e2c6a55c4596af16b8e6ca51e3cba15d07 |
| SHA512 | 1b866757e6db1b8b139a9d33716f98cd80ec6e51bae0b213f71508e8f98525760cd59db99a6089f567fedb1c4c7ae8c1b3fb1a3cc575a25873f0167299cbf01e |
C:\Users\Admin\AppData\Local\Temp\KYMu.exe
| MD5 | 61d70bb0f9c03260fe13d0cf7ae56acd |
| SHA1 | 9c0ef6c4aeeaddd1646b88f05865d130150a9183 |
| SHA256 | 1e3fb064181f5f8eb885728b220a1b094481958595a297d0b473fd6fd46264a5 |
| SHA512 | 02a90d14d4b13d0c5f95686d98faedb17ff9ab6679cbceb1aa6a58480074b6cc98e53768d41db4c7713be9af9796b144c82960e49ef97c7e42243b39fc097a8e |
C:\Users\Admin\AppData\Local\Temp\wMMk.exe
| MD5 | cc79e3d640bc6e13127a1b5e91590813 |
| SHA1 | 730ede751b5e3e686a1ec8aea7279a1332387761 |
| SHA256 | 5c5531ec6c37368a7e10a66b3a488e2091a41b0e1b51334afaa18335dcdd4d46 |
| SHA512 | b4f3c8c021bc92ca2854537e37d1256de94f823c1352eb0942f1266eba8397f08399927ce129e8cd0a859e9bd673784864013b7399c658e52addc82f65c09f3b |
C:\Users\Admin\AppData\Local\Temp\sgQS.exe
| MD5 | a053d394cd5114ccad7e571fda164958 |
| SHA1 | 6937ba480215196ecd5ca904a095ea858bff75d1 |
| SHA256 | 2943910bbd5922dfbcbf9af6fc208b8756fedf44aab85af5cf5a5cd65182f024 |
| SHA512 | fe038e6a1567abb2d28930c1e4e0ad0f069dc262d76602eca1de72cff8b0ebbc06baa98a5ce13caac1635a6147f83fcde5bac0d3ff138e820cc4072873730dad |
C:\Users\Admin\AppData\Local\Temp\Ogws.exe
| MD5 | 4c413c296c64d8c073cfc683c98a0bd2 |
| SHA1 | 47af5d4b090e8bdb05faeb454dd60edef5aaa8df |
| SHA256 | 7f8805e4c55aeb08ce4a0b4cde665b7be23ea7e68765fc099053ea5009fb06a6 |
| SHA512 | 1249fc010dc78368034a6c2ffe558cb7e4599ef18697106e97446e469f12d70d5c98d861020914abdddb4525a79f7647f246992e0a69dc5d56720d90540ec4b6 |
memory/1872-1798-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4372-1809-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\wksY.exe
| MD5 | 966567c118488254370c26b6f96f3473 |
| SHA1 | b65c08ae7c6f617090de0eef5e4cbc75b97b0a0c |
| SHA256 | 1549914803403d7617330ee5feab09ab3260c007d7403d8e05ee016bc95887ba |
| SHA512 | 2d201a2b4c2487d49a84d160805569e38cf6a8a509fceead43d22a7d1769ca50f6c8ea41e4cc0ae2638c4a586c13b717ce33db8c38be92daccbc9334714a5bb0 |
C:\Users\Admin\AppData\Local\Temp\QEsq.exe
| MD5 | 4f900454dddcdbfa13276d35ed803daf |
| SHA1 | 3022e612d2c55bbfd0c04b018ab7d6c442b79f41 |
| SHA256 | 4b9b46f8d6e44d0431d477314fd6a5a64d78381cff238f2b2f48bda47475bf50 |
| SHA512 | a25704679e5f1bb448afa1b550b7c3c999ca78360c67a1ffc7c8273cc49e4405ad24ee884f4ea88d0d30f62b637e48d97e38b39710827812404e2e4d28833d61 |
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\7603651830\tinytile.png.exe
| MD5 | e5e162b1b40f2b1bbe7d858ac82c359b |
| SHA1 | def046e3553761e929ba2a85896131188c518243 |
| SHA256 | 1af269d6ffe3b259b55ef237bd4b2e5cda646409a54c0db49aeaf167bad1df94 |
| SHA512 | 4f75edab74ad2fce5c3f1ee9f23b3e133aa330b0c13f724c0fa8e48a7f75c9ce738746754318a9311214085c3e80cebb7dccb551a519f79442bfb7ee2547fc4e |
C:\Users\Admin\AppData\Roaming\BlockSearch.pdf.exe
| MD5 | acf6a66fad691e1592832ed717bbad37 |
| SHA1 | b7ac80d0a9797771c35459bddf0429b33fe5b17e |
| SHA256 | 23c63c25ff2aa265aee2d8fb755542dc2513257a595ab0cd9fe75eca0199185a |
| SHA512 | cb6556c932e2ab31053cbaf2a4c2170d85696cbb5d7b50a74f473d45ce982e4a91ec250e32ac426d3e2b048146a6b3d297ba86e6454248baf43a8d136701b51c |
C:\Users\Admin\AppData\Local\Temp\GQgE.exe
| MD5 | 0a64187d27e52618d9a6a6c421477c3c |
| SHA1 | 39d51468432f272cc0180b142a761bbe9a2476e7 |
| SHA256 | 1fbac5c3e67ff3b3840a08b5ecde8b203264fae9417ba279320975c013c7a861 |
| SHA512 | 3f2483bdca945173ea5b6ecdf946b6a2b5a5a535c418cb867abe57ce6a1ec304faf04fe774e746b6ac40c542dc01e5583b00ba75dc62ed1a88b44db20b0895a1 |
memory/4372-1900-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\UAoC.exe
| MD5 | f34b4994d30a1db9812c0dcb8614bdb5 |
| SHA1 | 634616d190daab88fcf145f5fad0a7535d5bd0bd |
| SHA256 | 8bef696c19e90f1dc55b42bd1080714fb6417db344a85d41c89ad69f246baabf |
| SHA512 | 377a8f826b0de50f7a239d8d26c4987e5cd4802ebbce8006e939abaf75943b7638e57449fb9aeade081d27b2c32c64f1b28d8f46ef50e32195aef5282eba9156 |
C:\Users\Admin\AppData\Local\Temp\AoEW.exe
| MD5 | 05721ee6256cfc15a6d1c3db7dfb54ee |
| SHA1 | dc7486b3a3e178feee5157b076e6db07eb4db2cb |
| SHA256 | 3b3d031a9518078d0aafa16ffdc49730cc5f0e20b11717b4b272aad33377f12d |
| SHA512 | 43174572a700c7e111a5ea803769ce9ce59e9409e8b6a3fdd4ed9f0299ebeb8941ac1cb9f7d2324ff9e63eb4849fb3ee35a889580644c48787b8a289bb28b2b9 |
C:\Users\Admin\AppData\Local\Temp\gYsi.exe
| MD5 | f5eba520ce3a11f5de241f3098a6d89a |
| SHA1 | e41065a7c94494cc1e9c68d700b7e695089f6be3 |
| SHA256 | 8f57f308095e6143f68836428133b3bcceffb6fa730dcf3a0bb0074359e62c75 |
| SHA512 | 1aed951638551933ec3077e7db89f6d49a4f49c4c94d870dda27b2ebc81dcc3294bb8c816c1c799fb0e0c7c0e958d15ae3388dda4dae7fd808c17d06ae1b7bec |
C:\Users\Admin\AppData\Local\Temp\SMge.exe
| MD5 | 35f7aaa8b5bcc0df8259299599df7342 |
| SHA1 | bab0c03af3a4dfd8a0e55e1252cc52bd785283ee |
| SHA256 | a7d16d70ed71d2a9e2e3280b3fa51d01a7104a848d424abcda1d8ed29252ef66 |
| SHA512 | 58eb82ee37263ae8adf5973397eaf8424981a259a7626465a7b4787d8d83354c2a3dc0d69754a3a316abf5958a3892b2f8199eff0320d695580903926a84c686 |
memory/3784-1950-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\eIQq.exe
| MD5 | 056ecc16009951c60aada5d445851613 |
| SHA1 | 1aa5bf912a6cb8067420afb7be8984870d21bee1 |
| SHA256 | 0f0c913417cd895135c6e06385be52f64a6eeb0b4ce083e730c4ca12460cb109 |
| SHA512 | 381d52d93a37644e0aea6796c3f41348acd85efe27db6c6a5b5c873669fd0822407386f9a8c75ce6103042b2a4c0a7eb85338d8e9e90537816a25d28b8628662 |
C:\Users\Admin\AppData\Local\Temp\mIAQ.exe
| MD5 | 2b62d6831a2f7fa70d5cc71011152876 |
| SHA1 | 2e9c7fbcaf04307ef2bebc63d385046e406c9b54 |
| SHA256 | f3c2408fad2c845deed454201f91a5065353e22dd83cea12726771a692f61c27 |
| SHA512 | 46d714a7353ba9ffc0beeb92b415cb6150d1cfda3dbf849cc2b2fcb19cb0eb2024f9f723592e3cfb663d4a0322aa93eacc5b8dd8d586bcdf025e8cfb5df23f8e |
C:\Users\Admin\AppData\Local\Temp\QcEe.exe
| MD5 | 7eec8d61cf75a13525169cdcfec2aaee |
| SHA1 | 9740c42972881a063ec02badf625103c602a69f4 |
| SHA256 | ccbde297869bbf5bc0bc66491f5713b5bdc9e5a7b7e1d27180f82cdd693ce3a7 |
| SHA512 | d2cf59e5af9558054d1b8391dfc3f6d8be5df32baddc480b650e0dcc8ca54302d72b42e09a3f994621fb3d2655807ac364917d8bddd8434286b810ec5e2e40f2 |
C:\Users\Admin\Downloads\EnableTrace.xls.exe
| MD5 | 7765d08c86285dd1650fd6451338cd52 |
| SHA1 | 1e21c58ba404b1f29893e4857012601d4a4f225f |
| SHA256 | 50b7372ee2f6003bea67595431e37645ebc0c59eaa1002c91f9e0ad28ee3c2da |
| SHA512 | 004b7973e439a1df0bb0f0999ca5507a0f60fd2ee7229242d8553821c83ae477193869adcda7e210f7eee65516627655f6651474ea37fffae568f761dcba8f1e |
C:\Users\Admin\Downloads\MergeUnpublish.doc.exe
| MD5 | 42135bbccedc25f2ed97881dfb14b7fa |
| SHA1 | a15fcca9d548051a5f4c5c7a45dacba1bdebf83a |
| SHA256 | a6c3ce3fe402dac88bfb66c58050ced509ee1815a09164f78bd37d925135144a |
| SHA512 | ae29ef2d58709624edb500e9d51182a0f84ad07e2882410de50a6fb6c7a4cde7f86aad64e910eaf4c593b710728fa49c6d9dfc1906d210d6c7758d69cc49ca11 |
C:\Users\Admin\AppData\Local\Temp\qMEw.exe
| MD5 | c6fbb62c8a25bfd8c12436ad4693db50 |
| SHA1 | 521d75f124058fe45912c67ccce0ff2922c2733b |
| SHA256 | 49c3c9c19b924e361f7be7f4f2da1f73110028c6dfec22f4b1b5a47f0fa2b7a4 |
| SHA512 | 06364fd1be8863b62cad70c5e24d54d7a3ae7c24fb0282634ad4e436823f97cfa20be3ee10b0b9dfd66e1fb54d2943150fa76eca4f0ac18ef174b2049f769c88 |
memory/1736-2042-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\AssM.ico
| MD5 | 6edd371bd7a23ec01c6a00d53f8723d1 |
| SHA1 | 7b649ce267a19686d2d07a6c3ee2ca852a549ee6 |
| SHA256 | 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7 |
| SHA512 | 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8 |
C:\Users\Admin\AppData\Local\Temp\MgYY.exe
| MD5 | a95c516469d1225f7ad2ff9c531325fe |
| SHA1 | b31a9393b857d5e7a5d335601b34b0913daa5e25 |
| SHA256 | 9df7e25571f102f2669fdb1e4a22f352015280f396edfc2d1e18927b46f9454f |
| SHA512 | e6132ce08194dc46800ec07bc72a68fd328b405be57d2dc4f1cb5e52978dc08dcb3a5a2f158bc5933fe0cce8bf8c5d69807ccc8c797b7996c47088db308a5fba |
C:\Users\Admin\AppData\Local\Temp\EYsi.exe
| MD5 | 87569eeb4ec6c3dd498db2ddadab37ba |
| SHA1 | a5e8ff125b647fe8ce2f2132a49673558aea5287 |
| SHA256 | 228d404393036df75d4bfcdd61f59cf57c45ae30ee81e9927c0acc9a847cec5f |
| SHA512 | 913c7980b1b2663e58cbbff80ae5dc16fd2e1ac02044407170a3e0b2024d39aab4eac5a275f116eb9b3fc1548ba48781448d020efcaeb851a85a5a1f6bccc20b |
C:\Users\Admin\AppData\Local\Temp\cowe.exe
| MD5 | 5a022becc1092b9d0f5e96bbc68ca0e5 |
| SHA1 | 95c7883ace756364590b35e63436fe4dd388a6c4 |
| SHA256 | eab92a5830ee07c16b9eae3159eb83b5fc15abde8e188e7cd3c52df09474165d |
| SHA512 | 07f4c49d66e9bb49284f3d61cc67d91f3eb88395b880d37ee93a31fa0c2e4ed478e79a200d16580d1b2cdc8ebf0448f4bfda799a2bee11c0a2176d74e9bf49a2 |
C:\Users\Admin\AppData\Local\Temp\AEUc.ico
| MD5 | ace522945d3d0ff3b6d96abef56e1427 |
| SHA1 | d71140c9657fd1b0d6e4ab8484b6cfe544616201 |
| SHA256 | daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd |
| SHA512 | 8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e |
C:\Users\Admin\AppData\Local\Temp\YAEK.exe
| MD5 | 44c186bf0afc313d755ca3f057b1eb9d |
| SHA1 | 238452ba3eb890a74bb69ccbbb34520c2bffd6f0 |
| SHA256 | 141f9ca5f151ba284823578b53c3c94950e0ee7321898bab669cbd29b07feaec |
| SHA512 | 044e35c7af99daf44c152fafc3f53ab3200ee621f65973a92a7afaea9612d351b3f5a32d0e1c1839bea4f4dbe1e8c5658909f90ef40473dda9312930d5c880a2 |
C:\Users\Admin\AppData\Local\Temp\CAoi.exe
| MD5 | 4fab98f17c6928379b98cd1e0bc468e4 |
| SHA1 | dd5d8d1e0b2aec26701f71b4e5188a763e71429c |
| SHA256 | a3df109d45103ad9d4953962f38feac847538f3ef07e029c161134743549c87c |
| SHA512 | 0d881a0431b7c9c27bf517bbcab5661ac18f1b477a871a5f373abe9a86a89856977a7ec5eb449fef66eaebe8daa18b3a967e6745652dc35b748e4542d8c55fd9 |
memory/1548-2120-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\KsEs.exe
| MD5 | d5815ec1f2c39466e354030a49086a49 |
| SHA1 | db8f2b92fd310feb9b1f1b9108402d7999cd4c6e |
| SHA256 | 315719e9608a71ad080a828c0a7165431e79e8d4b1c3557eeac5aeb451c581c9 |
| SHA512 | 1699da9b57a7b2688f6320e4a5f8e73b2cef9c27804d4487d9b26b9ada259bf0ed377673f5998d81589eb1ba8c939e0846935880fb76218b45188e0e46225084 |
C:\Users\Admin\AppData\Local\Temp\wkUE.exe
| MD5 | ddb3379e7cf7cc2f578df8706d96a283 |
| SHA1 | a632a3a76f9335a4bb358382d9f9bd8ef4448cd0 |
| SHA256 | 463e0d925e4fa124c010e3ec5ef8dda6722b274eadd870139c8ba19fc8b05956 |
| SHA512 | 0d1108208a1966f4b9c66a457a5550a8a1941dcec215976f390a150c154afc27eeb7ca4b3bbbd2f27514f56f274d93733cd4c03f2088aea961316b99604caf76 |
C:\Users\Admin\AppData\Local\Temp\Mwwk.exe
| MD5 | 0920869e9b64892e477434f53b7de38a |
| SHA1 | 9aac907e1f094feb56f5e42aaec7e2ffd5f7fa0b |
| SHA256 | 9c7ef0db2d73b04119055df39ea9c5fdbcde5bdacab1b8c5dc845c2ab44496ad |
| SHA512 | bbdf0e22622b3b5cc801a1aab675adb1ab3ab405ece675f1a89552eab230afea21ec068bad5ab7085d33f145a340162c6bf45a9b43790a04b5b08f58bdd256eb |
C:\Users\Admin\AppData\Local\Temp\wwsw.exe
| MD5 | 2d0cdf754c0bf93d186dfdebb65d7aff |
| SHA1 | a5e0496ab66614981e90b0df2c3a4ea73c9fb204 |
| SHA256 | d4c81baa847a2b3cca19e9cfd996d3554671afa88df6ee5b4e10661e41b2aaa5 |
| SHA512 | df8db4d7201dc3252e708195b8d4994a284c2b79bcd02d1ef768dea3355bdcdeec630fc222175a611cef8efda035953fb0fad704e89669fc5c7c84e1b64bf6ef |
C:\Users\Admin\AppData\Local\Temp\UEgK.exe
| MD5 | 22be7021e972371aee27e4d95475e371 |
| SHA1 | dce5c1770a057b8c913f8576e8200c82e86321ca |
| SHA256 | 96acd86e6bd3d7b4b439460dd8d2864f5ae5f9c39693c40bef8665c9d89e1847 |
| SHA512 | 1a3f3de80001cb315f7f607257e9c985b91129dc723e898b99298d51e7aae00a34c09fcbdc08d0f0c3d090c97c44216b719d1dd6eb02ab374141f8c24de9e54b |
C:\Users\Admin\AppData\Local\Temp\kIwo.exe
| MD5 | 0459103d749c585acedde812898288e6 |
| SHA1 | 482f51a8bc71631e8e92db341cdcf40d3d5b72c2 |
| SHA256 | 2ad9d5669bf7bd7c032362d1265deb7da1a94c2691788fe10d6837eaaf8d565a |
| SHA512 | fe393c85405814ac47e352ba8b1de034abc7a99a03b796eacc266134c3e06fa629490d46f9a954dd05311a12b4197440eba105c21e43fbc78d190fd25c71eb1f |
C:\Users\Admin\AppData\Local\Temp\Skcg.exe
| MD5 | 4a45568db7cc8478a64e08fb1b500ef6 |
| SHA1 | c419e4feca0c8b5a2d3a2feb6d40f9f57923b143 |
| SHA256 | 1dd48100f1b92a6a4f65db0bfade4943dce59658a62aaedda09d25fda5aa8580 |
| SHA512 | ba63458dc490e699d7fc8b4dfb3ad38eb3ce578406ede842060a10a2d12a4bf83daf066c683448d7ebfd489b2060e8104a9dfc1e45ef3a1d21807266812d05f2 |
C:\Users\Admin\AppData\Local\Temp\gUQg.exe
| MD5 | a56e396de3755b87014c9089b3fecd55 |
| SHA1 | 3895e8f5fd6efb6e820058049464876dcd734f6f |
| SHA256 | bbdc8618096d0a748778ad37aea030ea77cd4e0c032a83485ea57beaf8093367 |
| SHA512 | c79cd06031f9e3aa39a4a8fb62c3b2257f43dba8d5acea7b85444663b9ef7572e1b3a4af4ffbc49da465b50bf4119785aac711f402f985e0a316a518fa241a87 |