Analysis Overview
SHA256
a5d67b8afb9232fb83bc663391f1156bcb674e7af3654e9f394e64517256ee1a
Threat Level: Known bad
The file 2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock was found to be: Known bad.
Malicious Activity Summary
Modifies visibility of file extensions in Explorer
UAC bypass
Renames multiple (83) files with added filename extension
Executes dropped EXE
Reads user/profile data of web browsers
Loads dropped DLL
Deletes itself
Checks computer location settings
Adds Run key to start application
Drops file in System32 directory
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of FindShellTrayWindow
Modifies registry key
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-11-04 02:43
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-04 02:42
Reported
2024-11-04 02:45
Platform
win7-20241010-en
Max time kernel
150s
Max time network
127s
Command Line
Signatures
Modifies visibility of file extensions in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
(Identical event recorded 64 times in the report.)
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
(Identical event recorded 64 times in the report.)
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\uQwwYssY\fuokMwQA.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\uQwwYssY\fuokMwQA.exe | N/A |
| N/A | N/A | C:\ProgramData\deQcUYkA\oisAcQIo.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oisAcQIo.exe = "C:\\ProgramData\\deQcUYkA\\oisAcQIo.exe" | C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\fuokMwQA.exe = "C:\\Users\\Admin\\uQwwYssY\\fuokMwQA.exe" | C:\Users\Admin\uQwwYssY\fuokMwQA.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oisAcQIo.exe = "C:\\ProgramData\\deQcUYkA\\oisAcQIo.exe" | C:\ProgramData\deQcUYkA\oisAcQIo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\fuokMwQA.exe = "C:\\Users\\Admin\\uQwwYssY\\fuokMwQA.exe" | C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico | C:\ProgramData\deQcUYkA\oisAcQIo.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe | N/A |
(64 events in total: reg.exe 30, cmd.exe 17, cscript.exe 6, the submitted virlock.exe 11; duplicate rows collapsed.)
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\uQwwYssY\fuokMwQA.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe"
C:\Users\Admin\uQwwYssY\fuokMwQA.exe
"C:\Users\Admin\uQwwYssY\fuokMwQA.exe"
C:\ProgramData\deQcUYkA\oisAcQIo.exe
"C:\ProgramData\deQcUYkA\oisAcQIo.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\OMkMooow.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\uwQoUkcg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\DsoksYYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\lMMoEIoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\vCUsMIcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZMQYEUsM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "14932728641467514138-205602193665570017100880403183119889-1087818994458105268"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\HcUYUYsc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\BecUMMMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\KEUcYQYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-46939207-781411805-5892886841992105770880779440-1303059718-8382074891345423306"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\AMcwcoQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "3971202406358612811987235153580885667-1643063989-17341747705642550391401975424"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\mEIcoggo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\MyksIIwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\EGgAgQMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\wyUckQIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\xwUAksYg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\twEMYgoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\PaIcwgwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "8376044542079045834853452266-229110827-450551430-10742463618200623741957326616"
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\VwYIcMQo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1161383528-8156688991013165193602941478-1856001242746601975397426929-1429237585"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\GgMkUIYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\wAAYocIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-206718582-264878898-10108525482092451512320189081-21225333941821590904704406212"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1497616011-964222482-186200841-4637779087904956576728394-512779111178608661"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\YQwQgYoA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\AGgcgIoI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\eUkcIMwU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\OCAggkIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\TokEAYQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2138062487-594979514741608082-2045167221-1828202307969667455-85113900595818904"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nmIcMQUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\HUEsAIcg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1892992993608353935984647558116559069819924965601599973850708965727-1062792586"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tCkMwQss.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "663879068-21282464842134430312165928234-340916011-1140032152-621497999-1311015630"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\EokYwgAM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "6550456621684173319-1760146177-1662639372-2001302591-338526274-1391919112-1888457555"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\YikQwEMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\KyAUYEok.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\WoccUskM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\icYkEsQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\HGowwYIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\xSQUYcog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\XigAMogk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\BAwIQMsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1116302735-211548672-1185949739-2130050873408088059-51855742863523841254914278"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1884563626-18841445933064445771094941757148847083-1721701396-313700848-1644502807"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\NwUswMgc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\EGAIMUMU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\CmMMQsgo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\cEYUksAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\CEowEcQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-644079061487747681939689717-376655163-30566689-934334039-219493830-206943592"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\wOcIQksk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "425069173-3460543-3467000241280253477297651352-1269683848-320898690-993661807"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "14984056051629135268-1672928652-1962855405-77218443-15129832091146416798-1655834774"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\eQYkQsog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "689447349169734398918360982969742710341039908529-3690970893569461381708268302"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\liMIQscY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-110267257-153608372516050318352800643161813593764370372395647042973-1075351013"
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\fCwMoows.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "23592277-1250302504-1234454147-69192797-743755741-938854262-10088547661945209418"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2122355546600918189-1317105912-628978244379793604-19471131541035462602-2067019041"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\rUEQYAcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-56860307474972008011748909183150226431541840684189500651625232815276624921"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\NIoocQkM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "514211914-18098096331083479821-1223115333-12242571616636087191760373197-1893099601"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\RAkYUEwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-104845726571439053671974441520152046691732240263-20927652534705727641266793984"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1773588934-1558681291454770402199155448-610562062-5223091171863409987664989018"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "4142502421980395266478756476456202661-12963701181043026589-1000537349390899478"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-615448818507072026164472463014326813891743744566-667712911552163218330368993"
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\LsUMUQgc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-9500418271085887660-1775164546463361654-237174030262245442-3047706601662520649"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\smcIUwAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "457263549374091603-7208204161339396844899552201955005842-11584013861491669943"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1913248762-18866840971253541629-391485089-1097371363357609349-94610987682991704"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\UgcgkEIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1125176217-1094153383-2125835821403176223-1828515576218198532-1821562604-1211377842"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1360308085-87479593489714781874031601-12128506891060587139-1230637491164877871"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-24683528586493001412762247161583470932-72229534015939083794784049701022664419"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\eIcIQsYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "156418717317642325481063039664316095959-2046945035-2267572011355193491-1954595420"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-628715301097148886183782572212555715104571420581302854284574709179304190614"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\QkcAgkcs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "38266161-84305008917298520801531726486-1634652320276960406689863611-113718903"
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\GGkMQgcQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "910121990-2069797105-515476095201499283855225014-10823322841618152621-1990931675"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1335466991148491760-750226663-1868455466-21061802521323182097-4377189271183474765"
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-275269675-532413763-1469180970-1465412325-21205732261418729802-9437590941154713205"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\RqYUYscg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-285545042872627443-909840795-220551454-1900147695215807814-13145260381981016334"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\xyMYMwAM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "316794083-8741547142810736557798960582045965189941497871-2909633031990879622"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\DuAMEcsc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1361479000901570966-664725831254295130382697826122230220298227-1080720519"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1207021797-925968769-1808564689-135339600817208714941394564470-5614970881024316540"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\BcQcgUgg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "486789739-772399170932069889104841442817297543181290135647826578005-1096841921"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1189987254-1069628007-638560381782243700133960187619237659702080346988850083803"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1037945545-369270556-18049413441632895941-1938585924-30996188564975288-1118636117"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\GMQwMEQA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "112933710713779807691848564904-103515264918773367981169080449932544136-1221623819"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1860697473-672741707-1109361910-10074365328459188301518373350-6579947281549165338"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-4303399512125969815703093193-423970345-1980479884-126979375-31938368686947772"
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\kgwcYooA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1384047840-106762505067627851017258248471454876351-24069194821325263311918895655"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1158572039-7886065342123226846-683643367213690594120172886192503217622112837417"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-12987691968677158951730111183-15064461271234984230-1403453246-740033140-1421131818"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\uKgkUMgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1856896256-720386260110454688617465596611877060800-9904259162124173321-1433903490"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1574403427-5039707861263048282609409467-56539802828499882-1945310371-583545492"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\AocUkIcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1037010886-1264734187-2051397952193595001511792567-673573975291578180-2018862271"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "319479521-640374581-3776994711082313591189916725417721004621349743583-456415731"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sAgsUsAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1153301530-911629370-786928791-21148487231324994171-1730017171489028624-126098512"
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "58669177815684471251216623518-1374631913-1479697605597111453-879916036569636513"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1980446602-384161830-1145887721-1869941310184873290443642416-1031550227-1319389887"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\DUAIwwcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2068794933-17678083524041183261250917988-52096557-1640627128-2098785717-30774372"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-42826528790643151319516504181601499836-6809145701327625097-8279903302006532210"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "279638189898617946-14739616795552385931297659428163752463-1954573078-1504548547"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-7172791561772140108-12377828971821882257-11681368578956129521499466786-2093410695"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nWQMMsco.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-97781832852621841-721239577-52035918848737397201185938312911486561353701300"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-957799321044692411-2070687950-312813279-1737265771620649613-670021931-2120062260"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2087829143-6708941481493180671-1985831564297889439-14233265961166633910-640387835"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\LKoEsYgg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1589394197-806860687-757864011-1563868739-207329825516036981971896590274912226621"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1356715650121020116-365322492331371893-998823964-1393218368-11700353262051984312"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-88579906-85446004-795402116-386031098-3139911238994733901807775626-903399128"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\toEIEMQA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "98761951-308821219-94712715120440983481012900491-3268804911599859533-1866845183"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "163632982717068992112134981967-4682640121179656116-8656003799622315291871054670"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2108818958328431935266821204-1749441880461020131-235469678636663764-1796605979"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-18546615331440417288134585622614777961891564625253-1100105356-1003158099-767464704"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\FeYwMUIk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-130627116-1062631419-1141103772-1347883724563212597864819339-910452688145641465"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "889275646-1345310837-384717526-7714752311972633382138979403177430438-1087920471"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\HuYsogcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1329441254-664809586-119073913-1402374593547508166-848021071658428042-1649769811"
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "460779744-283931377721119335143326564-455111247208552997579508376-1947580701"
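The listing above repeats the same three reg.exe writes in every replication cycle: HideFileExt=1 and Hidden=2 under HKCU\...\Explorer\Advanced, and EnableLUA=0 under HKLM\...\Policies\System. The following is an added detection helper, not part of the sandbox report or of the sample: it parses `reg add` command lines (both flag orders seen in the listing), normalises the hive prefix (HKCU, HKLM, or the \REGISTRY\USER\<SID> form the signature table uses) and matches them against a small watchlist. One caveat the severity labels encode: HideFileExt=1 and Hidden=2 are the Windows defaults, so each alone is a weak signal; EnableLUA=0 is never a default, and the combination of all three from a process spawned out of %TEMP% is what makes this noisy. The fourth sample line is a constructed benign control and does not appear in the report; the severity labels and the ATT&CK reference are the editor's mapping, not the report's.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the shape of the reg.exe command lines in the process
# listing. The first three are copied from the listing; the fourth is a benign
# control added for contrast and does not appear in the report.
SAMPLE_COMMAND_LINES = [
    r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1",
    r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2",
    r"reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f",
    r"reg add HKCU\Software\Contoso\Example /v Installed /t REG_DWORD /d 1 /f",
]

# (normalised key, value name) -> (hostile data, severity, why it matters).
# HideFileExt=1 and Hidden=2 are Windows defaults, hence "low" on their own;
# EnableLUA=0 is never a default and disables UAC at the next logon.
WATCHLIST = {
    (r"software\microsoft\windows\currentversion\explorer\advanced", "hidefileext"):
        ("1", "low", "keeps file extensions hidden so an appended .exe is not visible"),
    (r"software\microsoft\windows\currentversion\explorer\advanced", "hidden"):
        ("2", "low", "keeps hidden files out of Explorer listings"),
    (r"software\microsoft\windows\currentversion\policies\system", "enablelua"):
        ("0", "high", "disables UAC (ATT&CK T1548.002); effective at next logon"),
}

SEVERITY_RANK = {"low": 1, "high": 2}


@dataclass(frozen=True)
class Finding:
    key: str
    value: str
    data: str
    severity: str
    reason: str


def tokenize(cmdline: str) -> list:
    """Split on whitespace, keeping double-quoted runs (e.g. a quoted exe path) together."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def normalise_key(key: str) -> str:
    """Drop the hive prefix (HKCU, HKLM, \\REGISTRY\\USER\\<SID>, ...) and lower-case the path."""
    k = key.strip("\\").lower()
    k = re.sub(r"^(?:hkcu|hkey_current_user|hklm|hkey_local_machine)\\", "", k)
    k = re.sub(r"^registry\\(?:machine|user\\[^\\]+)\\", "", k)
    return k


def parse_reg_add(cmdline: str) -> Optional[dict]:
    """Return key/value/type/data/force of a 'reg add' command line, or None if it is not one."""
    tokens = tokenize(cmdline)
    if len(tokens) < 3:
        return None
    exe = tokens[0].lower()
    if not (exe in ("reg", "reg.exe") or exe.endswith("\\reg.exe")) or tokens[1].lower() != "add":
        return None
    parsed = {"key": tokens[2], "value": None, "type": None, "data": None, "force": False}
    names = {"/v": "value", "/t": "type", "/d": "data"}
    i = 3
    while i < len(tokens):  # flags may appear in any order, as the listing shows
        flag = tokens[i].lower()
        if flag == "/f":
            parsed["force"] = True
            i += 1
        elif flag in names and i + 1 < len(tokens):
            parsed[names[flag]] = tokens[i + 1]
            i += 2
        else:
            i += 1  # /ve, /s, /reg:32 and other flags we do not need
    return parsed


def classify(cmdline: str) -> Optional[Finding]:
    """Match one command line against the watchlist; None if it is not a hostile write."""
    parsed = parse_reg_add(cmdline)
    if parsed is None or parsed["value"] is None:
        return None
    key, value = normalise_key(parsed["key"]), parsed["value"].lower()
    entry = WATCHLIST.get((key, value))
    if entry is None or parsed["data"] != entry[0]:
        return None
    return Finding(key, value, parsed["data"], entry[1], entry[2])


def scan(cmdlines) -> list:
    """Classify every line, returning findings in input order."""
    return [f for f in (classify(c) for c in cmdlines) if f is not None]


def verdict(findings) -> str:
    """'high' if UAC is disabled or all three watchlist writes appear together, else the top severity."""
    if not findings:
        return "none"
    if {(f.key, f.value) for f in findings} == set(WATCHLIST):
        return "high"
    return max((f.severity for f in findings), key=SEVERITY_RANK.__getitem__)


if __name__ == "__main__":
    found = scan(SAMPLE_COMMAND_LINES)
    for f in found:
        print(f"[{f.severity}] {f.key}\\{f.value} = {f.data}: {f.reason}")
    print("verdict:", verdict(found))
```

Feed it the command-line column of a process log (Sysmon event 1, EDR telemetry) rather than reading the registry after the fact: the value pairs are defaults on a clean machine, so it is the write, its source process and the EnableLUA change together that carry the signal.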
Network
| Country | Destination | Domain | Proto |
| BO | 200.87.164.69:9999 | N/A | tcp |
| BO | 200.87.164.69:9999 | N/A | tcp |
| US | 8.8.8.8:53 | google.com | udp |
| US | 8.8.8.8:53 | google.com | udp |
| GB | 142.250.200.14:80 | google.com | tcp |
| GB | 142.250.200.14:80 | google.com | tcp |
| BO | 200.119.204.12:9999 | N/A | tcp |
| BO | 200.119.204.12:9999 | N/A | tcp |
| BO | 190.186.45.170:9999 | N/A | tcp |
| BO | 190.186.45.170:9999 | N/A | tcp |
Files
memory/1064-0-0x0000000000400000-0x00000000004BF000-memory.dmp
memory/1064-4-0x0000000000550000-0x000000000056D000-memory.dmp
\Users\Admin\uQwwYssY\fuokMwQA.exe
| MD5 | 62a81d6ab77141cc33425f39f8fac0c4 |
| SHA1 | 4dac31bc953fb52affb5f6f26ba7f286b006a8bf |
| SHA256 | 68ef338c0ef116615cf03d61b2d5d652ad78bb38b23d899615d2fec7c12a0e44 |
| SHA512 | 8ff19da8bb52f13e52a20243dfedf07ae39a5eac709ca27218bee5388068c6f9e78e587215468861da3a2b96a5fa981ac07efc95540ec3e59cb304af9e97ec34 |
memory/1064-17-0x0000000000550000-0x000000000056C000-memory.dmp
\ProgramData\deQcUYkA\oisAcQIo.exe
| MD5 | fc264a4d530485f511b00187a847ddc5 |
| SHA1 | 2c9875ebda59d890d35dd61f11f6aa7cf394e025 |
| SHA256 | f8e34101af94bc33d092ed99e7c447c0af4c4d70a3334ad9600d9c68d1a1b025 |
| SHA512 | 2ded2d28d505bce9d4c4691a784744996a35ddc18e72c18e8c65d99840758e9fd09b3609bc11cd40d10fe52a0b2369202b494d431bd85f4dbb0678c4a941fab4 |
memory/1064-13-0x0000000000550000-0x000000000056D000-memory.dmp
memory/1748-14-0x0000000000400000-0x000000000041D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\AKsUswIE.bat
| MD5 | bfd8ac3e0ace82417f21d8c6194a8366 |
| SHA1 | 9ad4329cfc5f3d4b2bd3eb8ff92780ea6bed207a |
| SHA256 | ed61c4b0796a2d5d4d5e819e5467939dad854c04fa97564424256abe8fb39430 |
| SHA512 | b9a4c7cc1bde06c45ed0e2060533e8022d6ac0dbedf35185d1a599640f364cf57273ccbd3408a48db9864407e35a1770e0685767d38aff59d33df1872088fb59 |
memory/2796-26-0x0000000000400000-0x000000000041C000-memory.dmp
memory/1064-25-0x0000000000550000-0x000000000056C000-memory.dmp
memory/2752-34-0x0000000001F80000-0x000000000203F000-memory.dmp
memory/1064-42-0x0000000000400000-0x00000000004BF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\OMkMooow.bat
| MD5 | bae1095f340720d965898063fede1273 |
| SHA1 | 455d8a81818a7e82b1490c949b32fa7ff98d5210 |
| SHA256 | ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a |
| SHA512 | 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024 |
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock
| MD5 | 28b1acb04d8fe32baff45c1c266cce72 |
| SHA1 | 8ac9f90b7db799ac7e420fabc44dead1531167d5 |
| SHA256 | 7fef8984fe1b6c4a82f5daa9754035f0d1843e726a7e03c1bd1cc7e2d3ef8dc7 |
| SHA512 | d02a70bc31d875e28d742388f56fc6e180e69bb69d463d9d02fa4e1db2529b6b4d194ef5bf75d66ae51bcb2915ae7cce4f2e0a9b7dae7ffe5fab560f6d1515e9 |
C:\Users\Admin\AppData\Local\Temp\uUcUwoAA.bat
| MD5 | 2ad04a13fc7b7a0fcbbfbaad8d4845e8 |
| SHA1 | ba94b44dcf7806aa3a3d2c1b8bf01cd8c4367d44 |
| SHA256 | 0f2627ff40e3fa83f6cf302492ff9e0924492bd8ee0b1d65a896fb3f1bded200 |
| SHA512 | 4c1ebf757e944372522f78e275f5e248c4620f7175b575d13aefb3d07c4ba2509f0ab7edb4b7b6fcdaa328d00496ccb02727db9c2d05d8be036d1e2f01e9f4ad |
memory/2660-55-0x0000000000400000-0x00000000004BF000-memory.dmp
memory/2848-63-0x0000000000400000-0x00000000004BF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\file.vbs
| MD5 | 4afb5c4527091738faf9cd4addf9d34e |
| SHA1 | 170ba9d866894c1b109b62649b1893eb90350459 |
| SHA256 | 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc |
| SHA512 | 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5 |
C:\Users\Admin\AppData\Local\Temp\SgkEkcAU.bat
| MD5 | 5824ac67feb8405b1ad63bdd1d4d69da |
| SHA1 | 771d9a2e243da59417578198988130fdbac10c81 |
| SHA256 | e459b1ad8e23e25d3dba2dda89b361bcb84acd59ec4fcbbdd24847559b53d476 |
| SHA512 | 4b389b9fd2c2ecd439abaa3681e7fcfa2a5302880dcabe6f4d0a6957538e90e81d230194803702888dc65bd3cf6cbb8e08e616c847347df8b570fb715180cede |
memory/2136-76-0x0000000000160000-0x000000000021F000-memory.dmp
memory/812-84-0x0000000000400000-0x00000000004BF000-memory.dmp
memory/2660-85-0x0000000000400000-0x00000000004BF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xgwgsQsM.bat
| MD5 | 72ae49ca2803e078de2aeb3ebf00340f |
| SHA1 | e2365830fcc12dd2d1cd124b26efa8d2a2f6e65a |
| SHA256 | 49ef56e1cef501c2fcdbfc5e891a6d4a96165e4398494c7c4ce1d27fe9b619a7 |
| SHA512 | 8bbf0133200d43abddee4141ee0a47bc20afd3a178873e3ea2e9e04fd7d7c5999f93fb48bc473441a02f1fb171f6de2e59f0f782379d3742a301cfa76b6304c8 |
memory/812-108-0x0000000000400000-0x00000000004BF000-memory.dmp
memory/2140-99-0x0000000001F20000-0x0000000001FDF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\PGAswQAA.bat
| MD5 | c8cc03b6ddb9b97f80a421ab384a2954 |
| SHA1 | ec6f3549375f03a5bbe0d59e7321f5f1de6f7d82 |
| SHA256 | 6c5d573eb076bbe3fa2d44d13e86a9436c36518f55c583bc19f126c5a8c3272d |
| SHA512 | 828dbc7f9ed2650b4501e1446a50aca822092ad02e3b812ef36878ec277dcfd4f8ffbb550bb815bfa603e9eba93c0b3a4202285093414d32a09ad353871cbad6 |
memory/3028-128-0x0000000000400000-0x00000000004BF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xosccEgo.bat
| MD5 | cbffcde9c7e8894a2e3fd9184a9c7112 |
| SHA1 | 84b365736bc5920cd2b5d66b525fd5520a387d2d |
| SHA256 | 7a91383cfd6375b570df0b442310f5249c40c225184ea1a72d0e2bcf37a45d40 |
| SHA512 | 8dac1304f8043fd1e7e3ec6061767d324b34adedd61c54ced8bcb4710d7ab5632cf477d4f4fc17f98d906cd518b57fc2b4e90d14f1ac511dcf92b3d717c39fb4 |
memory/3028-149-0x0000000000400000-0x00000000004BF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\NmMEcEko.bat
| MD5 | 407369666c92d59cae3ea95756de8bd1 |
| SHA1 | fae8f276a337ea62bfe98fd168c199628f185396 |
| SHA256 | b543d2227e02374c9f88004874d7cabaa6a6427d0093bbb03655dec2b6f9902d |
| SHA512 | 4a7072ff07f785b615e72af3056c0a84130d3a99bbc895451a0f0f2c56a1cb796fe8e6cf12085453574e899ed440170653e98fb9df9c593deee8b9b37483be1b |
memory/2012-171-0x0000000000400000-0x00000000004BF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\JAQUAgUM.bat
| MD5 | e41b98f2937c837e981b142721daf0ba |
| SHA1 | ec4330ab55c0abf47ddbc0474f4120a92f624833 |
| SHA256 | 30d2414fe33bf73440bab26b93f103a9a7470d3b6e0a301323ecffe4c5d86d67 |
| SHA512 | 75c0941ce86004cdbb7446e1b962040cf68472599d76f23b3048a532a7a79b994719b7c8565bf642b6986046be6837d8eec37dbabeadc668e83cd2f26716cfbc |
memory/2600-194-0x0000000000400000-0x00000000004BF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\DwwIgMEE.bat
| MD5 | 9a1cfae16800e1022b44d9d4ecf9d2be |
| SHA1 | 6097acce462559322cfc1ce2a6ebf207a45ddb15 |
| SHA256 | f2297c7a21a095d9dc617ee4dc5bb9412800033198fa0e0cd3cae499db966235 |
| SHA512 | bd69e7ab4520dbcd55c569696e7116922d2ca34bb66bd38e54b4ba0a02a892373d608bc6e858c1db64b9a80a1db2f05763287b35d16de3cd759e93c4c8d21130 |
memory/588-217-0x0000000000400000-0x00000000004BF000-memory.dmp
memory/2948-216-0x00000000004B0000-0x000000000056F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CygAIwQE.bat
| MD5 | 1d80989b89c35f7b41bffdcf7679bc1d |
| SHA1 | 127f70d3278c5810e6430b21e9b463b2663da3f7 |
| SHA256 | 1c150778239462c5076e354d5688c36b66df4604e8ef90dd6159116962c964ec |
| SHA512 | 47d2104eae4fc0765f13b644525ddcfdda9168b0b6abc91b690d89d3b32acb5835f143f365262f8d3d34c1f0e0edb6810ced9d06898420717b8b0bf53a81bb5f |
memory/904-232-0x00000000020C0000-0x000000000217F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\WOoMQEgE.bat
| MD5 | e90a4d1694ca69645e6dd0ee662f6c13 |
| SHA1 | fe9a255282c756f2cf7705d438cc9a155544ebb7 |
| SHA256 | 6e90c51bdb9649afa0f7c1003214e66a3f9e3fc4a1943e75773b03ef2d6c8f2f |
| SHA512 | 5fe398a197aa7baa40bcb5c0645203add2532f335cd1d7c75ad2d6061f11f12d0af05a91d8bab7145a6701998cc10c4d9e7acfce8c0e405ae528fc5905389f5f |
C:\Users\Admin\AppData\Local\Temp\AIQIUAwI.bat
| MD5 | 234be9bc36b0e45387bcad4d139c76ca |
| SHA1 | 58f84978a17be6f8f651d622ec8a77fabf6307ab |
| SHA256 | b481d02704522d75a47fbc47c6388dcc1c252921ab7995948531ee520465526e |
| SHA512 | a436f7a06dc73066ec59228bc98bb7e55ed2b54831a50459566b894d21ce936498d928f291e2e57a9802bb1beb5e785917fbfd1895aabe61df02f1c7704eb95b |
memory/2516-277-0x0000000001FE0000-0x000000000209F000-memory.dmp
memory/2324-286-0x0000000000400000-0x00000000004BF000-memory.dmp
memory/2324-311-0x0000000000400000-0x00000000004BF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\QOUsEYIc.bat
| MD5 | 39d01243e9a5f0b2fa3252b7ebb20a87 |
| SHA1 | 704c54bca5210689ee247a86aad319c367a6fea1 |
| SHA256 | fcc64625cedbec9f1e47731d780a6c5fc398c993fa49e75a70b3a4ce4c2f3bd8 |
| SHA512 | 7536f9fe23ab587cd0970518d64ef45b123bb7a2469dd206cb657c93391bbc71ce2bed7667e803ebc799e1ee3b8b25b1010bca67dc5380c1b84ee5cf35b17e76 |
memory/2988-326-0x0000000000350000-0x000000000040F000-memory.dmp
memory/2988-325-0x0000000000350000-0x000000000040F000-memory.dmp
memory/2684-335-0x0000000000400000-0x00000000004BF000-memory.dmp
memory/2628-327-0x0000000000400000-0x00000000004BF000-memory.dmp
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe
| MD5 | 9d10f99a6712e28f8acd5641e3a7ea6b |
| SHA1 | 835e982347db919a681ba12f3891f62152e50f0d |
| SHA256 | 70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc |
| SHA512 | 2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5 |
C:\Users\Admin\AppData\Local\Temp\QgIQ.exe
| MD5 | 02963bb6f2570524399f29ba2b4fdf5a |
| SHA1 | def95867445e20265410096b438ddc71b9af4c37 |
| SHA256 | 40020f18ca614db1985018ada58457cfb2aeb2871b6998d5ea2f1eb4a1e8e79f |
| SHA512 | 0358d0f5cde2f6d77bb0f61531a7fb041d36eee09cc6b94d354e2a0a8cf3773102ed469f9b9c39ed452588fecbb91c895d617fef20fea249fb614edfe24b571c |
\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe
| MD5 | c87e561258f2f8650cef999bf643a731 |
| SHA1 | 2c64b901284908e8ed59cf9c912f17d45b05e0af |
| SHA256 | a1dfa6639bef3cb4e41175c43730d46a51393942ead826337ca9541ac210c67b |
| SHA512 | dea4833aa712c5823f800f5f5a2adcf241c1b2b6747872f540f5ff9da6795c4ddb73db0912593337083c7c67b91e9eaf1b3d39a34b99980fd5904ba3d7d62f6c |
memory/2628-371-0x0000000000400000-0x00000000004BF000-memory.dmp
memory/1712-377-0x0000000000400000-0x00000000004BF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\FkkoQMkc.bat
| MD5 | e90914856ba97ef4a4f92a0c57777b90 |
| SHA1 | 63ab6ffb7364a13381fbc26cbb817084838003fe |
| SHA256 | ae10eb3e09bb4addacc22260e7fb1ca96e33ec443de018f8cdf057940062664f |
| SHA512 | 4049112cf5a5fac84c0d5eed0bcf5d71eeec48bc1c267baea96fa75fc188da56da85bb52f053e46c496e634efc16611b1402db45f2f7876dfd4a6585239bdaac |
memory/3036-374-0x0000000001F80000-0x000000000203F000-memory.dmp
memory/2136-426-0x0000000000400000-0x00000000004BF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\iosK.exe
| MD5 | 53ae6cf5fe84b3d791295f93f24ca421 |
| SHA1 | fed64c01a4960cbf31795b199ece5909da96e96a |
| SHA256 | 6cf7ac5370951d6f6a7c66787043980e65099632246d05e9f31038a7ad0e5e2a |
| SHA512 | 8f572c1d321e128cd53fcf7b586bd2a29ba68fb33f7a6c8ca2527b6147f698f1d41b98afdbaabd6779a4a1c56540867c841a71a96d5e20092e01301968c04f67 |
C:\Users\Admin\AppData\Local\Temp\EIUQ.exe
| MD5 | cbdff9d0b927a7249e38a8458e54c204 |
| SHA1 | 73c37569282d5a737e2c31f291e6deeab89ffafb |
| SHA256 | 3fc474ed9543a84f1d08504b49a7297ef9820b4f52ff8856d3e2c1b58d25f7c9 |
| SHA512 | dde483c79d0e7b95f108ecd12888dd801bf27903ec8d1271863d5ec0c608aa112079ee33682050bb214486498bf2988afc727c16d69d4ebbd43627bb2e462ff4 |
C:\Users\Admin\AppData\Local\Temp\SgQW.exe
| MD5 | d54063b4318d4ff6a73093314fd35519 |
| SHA1 | 979c03fe03448d54a1e9a2db5d64395a7920f029 |
| SHA256 | 1d49eff2e271bc754ff96290fb06edab5ac63712d05df9190ab024a1cfca828b |
| SHA512 | bb0dae62c7f6810422be9b83837e740ce85ab744bbad426fbc22f771de4455313e934a1704e67b70c67bc920b665b6968c7bf31358e5865c9933a66a884e4029 |
C:\Users\Admin\AppData\Local\Temp\PuUMMUgs.bat
| MD5 | cbc5ab48fbf0f5753b3d625e77ca3756 |
| SHA1 | 0f5a120f420cff6a8895904266e639ef3bb9957f |
| SHA256 | 573930cee8f690202b23ab42cb3ad9a2b868ae88a1b75f80fdefa3e3be205500 |
| SHA512 | d9f9e778f66e672eec89d3144442bf74e332d39f1bf592e2618d008a8d7a74fd06cfcce0fa1bd82915114a0827bd5ef1adf78210a0242e3c27348a7cfc7a254c |
memory/2596-492-0x0000000002070000-0x000000000212F000-memory.dmp
memory/2560-500-0x0000000000400000-0x00000000004BF000-memory.dmp
memory/2136-501-0x0000000000400000-0x00000000004BF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\XSMUooMk.bat
| MD5 | d4e152e40edfdf4fb4365d2f4d516d17 |
| SHA1 | e7fcd1ad3459960b739102c59d93cfab0ac299be |
| SHA256 | 59833446305cc6145d42ad3d4fb2e3f9a70c2fc6f33406e71cc994042e2dd5f4 |
| SHA512 | 81ae1a730c56a2a0a754c8916c627b3cfeaba7c971e4cb39907c14893c0d4f52eb5ccf68f810f04228d7edd861eb83d3e0118d68a2102f002cce55015cadfe2b |
C:\Users\Admin\AppData\Local\Temp\QcsI.exe
| MD5 | 9fbc9dc0b72ea2a0f16fcd23adf2a84a |
| SHA1 | 2b6fc2ffc1bde00bf352a39b315716533b52453e |
| SHA256 | e7adafffeef090b4eb65761db6ee7ecb3de8cb132d8b0d2d1634e77b8c6e4e53 |
| SHA512 | 885829194c974f74bb6c23e62502304ca876397d35af8c71aff7c10f867cc10332638f19eab782fbba1a6f8ca1450077f5a08aa6dd7f58b5cf079d44a5b17d04 |
memory/2560-532-0x0000000000400000-0x00000000004BF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\QEYo.exe
| MD5 | c1d6a1e34ec000281c4c76e221efec2b |
| SHA1 | f4d0f3dbb4ffe17ed05cad3e80970c41b0a238c5 |
| SHA256 | 04533d3d11d74f1cc2fc6b43c914a11ab89edbbf1b6bca114daee41b0aadef4b |
| SHA512 | beb118eeb6d958572b76f533eab3742e3e500c02aca52dc81f23ef4205750d05c19f23700fb68b36c8e4e4ae147e4624c86b4c720bd89c7b8efb07e7629c431b |
C:\Users\Admin\AppData\Local\Temp\oGQgUQws.bat
| MD5 | 988de9fb90acf73d1f03c628b7908260 |
| SHA1 | 3521009f70f5dabc1e7891664b394754e7668cca |
| SHA256 | b7a986df98bbb07711614341be22304d21871692f78b31ea450a9b702f98771f |
| SHA512 | 897a8d5f633c1664924fbb870de84f8088f7a46530f7cf95799963baf78df645e5e69a46587ebf2eba5f78381ef672315b85fa5612ae765037390a66a933dd8c |
memory/236-601-0x0000000000510000-0x00000000005CF000-memory.dmp
memory/2064-621-0x0000000000400000-0x00000000004BF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\mcAw.exe
| MD5 | 390ecf2f1adde62e1bd87119ce1c9136 |
| SHA1 | 2b0c6026ac96c5e5205b133f5ee7027f0433fd14 |
| SHA256 | d440709570479fce9801cd6b15b710a3f9183763169f38155e00b776b2b7978d |
| SHA512 | a951fd1d24efe9ce0d627028996bb0c21de1481c17f950d0767a94451c5a30e113e9b37601b5a47ed386878a89a6bc04eb782054a3771c3821bcabded4e714be |
C:\Users\Admin\AppData\Local\Temp\aAgY.exe
| MD5 | ec38ed3d6e04b26f57f7c60d2307ccff |
| SHA1 | f40fa51907715731fb33b25091ad8347aff44b5c |
| SHA256 | 7b8d4d05f6ed7c6f710e567da518a6cd7966eb3a42dc1f0087bed343cb876640 |
| SHA512 | a97517f440aeae0e5fc9e3d736e7efa1b5a8a30cbbb107c207f3f97392aec361d30efac4fbbac10f8f4cd68ce434f0bf34162c906612fdc7ac0add472c327f20 |
C:\Users\Admin\AppData\Local\Temp\IOAMIwwg.bat
| MD5 | f7cd3ca3f72d4dd8457bc97061640a3d |
| SHA1 | 5111852baf6a34cca655c065ca81248cf636f466 |
| SHA256 | 5085f7cde68be73f7340e4623cafe707c3d02e10467102dba35da6491cbc8121 |
| SHA512 | 51db719378602f355442081c7fd95980f0435647210865659b93fe0f64b6b94b1e8936d2f958b96a041f7614c2718a201ca3184ead28e0490efc7d4b3acca86c |
C:\Users\Admin\AppData\Local\Temp\eUoC.exe
| MD5 | e0e51e413538a6e2dcc388fb9e496c85 |
| SHA1 | 26b588120e1e02bdbb66912caf332deca9caf321 |
| SHA256 | d129d870aa577e314014666ac841b84cad2cdc0654816315d543265e709e16f5 |
| SHA512 | e872f8015af852cc04031abcfb8242f069aaab8db304204268e629792e46f769833551ec1657df738614ebc956270a3dd1553738bc06c8d4aa4dc56a2d6428bc |
memory/1512-695-0x0000000000560000-0x000000000061F000-memory.dmp
memory/1512-696-0x0000000000560000-0x000000000061F000-memory.dmp
memory/1796-698-0x0000000000400000-0x00000000004BF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\KQEE.exe
| MD5 | 8d6bb1fe84d39258cfc8c53d2fbe6544 |
| SHA1 | 79f5598ad2b17c09db343a2270f6fb7f89a049b9 |
| SHA256 | 3f3f776695eb2d2c062f1d7d89f8ec2e7bd33e676cc34327dbfe58b1354b144f |
| SHA512 | 3176549d2b1552647fc017a1a6f632765ea1ae8850ab9924cb9d1a766677eb9c7d2c13377c7f30152e8cf1db0bbedc367dfc81bda8c0fb83a55dc04a96aed8b2 |
C:\Users\Admin\AppData\Local\Temp\IQkG.exe
| MD5 | 64371e81b1b83b54372f63e46be993c3 |
| SHA1 | 218b5420cb6d277834b9f26765152662dcf502f3 |
| SHA256 | c1fb2df708b343a6bdff80c8362091c71adf52ee6a77af1cde011b1ddc829975 |
| SHA512 | 63945c7e044b21b5fab7a20e26ccf82cc45ab2ecdb93f941fd9102fd2c9c5cc36725e5915a5e5e044f2b177bea45829f1944495cf5c5922fdf489a5be4e2194c |
memory/1572-748-0x0000000000410000-0x00000000004CF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\MMsg.exe
| MD5 | 7e2a374af7573d9cbd9aadbfcdcc251e |
| SHA1 | 7df1be0036b346036b057404176bc0876106c930 |
| SHA256 | 1ed1886b42218a3eb87cafab20e8cdc33e545b56766ee7ece7cfbad87a86c106 |
| SHA512 | e22eea474df57baa8a8bc1c3a3b17e53d46536338baa1aed6091b753a307d886586f831fbe4aedebeb3c0f7966156d4ce9fbf0d6e94b480e1688aa513f43becb |
C:\Users\Admin\AppData\Local\Temp\ceQkQIcQ.bat
| MD5 | 2db86e1c46070ca1d1014b718d6fbbf7 |
| SHA1 | b34bc522c266295362149c4aa1c53bbca9e167d3 |
| SHA256 | 335a92ff8034b2e43759de793f58c73bcc2fb7cf7a6f068747525160a483c36e |
| SHA512 | 53a0286486a24daccf0bd42fc638488d922c1965adaf9603e15b5fe7cfaa2e737db24cc16448ca9db998123306d5cd866355da07e1646c6ce90ed2b8711d33b1 |
C:\Users\Admin\AppData\Local\Temp\WUII.exe
| MD5 | 58d36935febf1bcc3df6f1f35393f4fd |
| SHA1 | fdaf5e21eb3df414732f9d9dac96c054514aaec5 |
| SHA256 | 15406ccebda288e32740dce38603bce028366d78f6d65017bed80ef49b47cc52 |
| SHA512 | 4ee73a04e2ecce81abd1fb06a66502a213da2d605b663daf65a343f570f26a280a8c04d0adff247475a545be8f51431172b7837f8def62821567724bc99d4112 |
memory/2936-815-0x0000000002020000-0x00000000020DF000-memory.dmp
memory/2332-814-0x0000000000400000-0x00000000004BF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Aoci.exe
| MD5 | 8102499110b348ba18a146ac19bb1fab |
| SHA1 | 7c9f0b62354a8ff83e82aace1168d093ae3728ed |
| SHA256 | b696835a7c8e0e289d62c7dd62a39af9e09c5c987788594350a7c40699cffd86 |
| SHA512 | 7d59fd057afad1ea75630c62f2592bd7689281be785e0a249cc93fdd07ebbd289742fad65c8e3e2c965c0f8f0fb10dcdbc3f06d7fe755268e2d71f20ac7ca157 |
C:\Users\Admin\AppData\Local\Temp\SAsy.exe
| MD5 | bae93ea37a0dddcba5ee5eebe6d6a399 |
| SHA1 | 90cae388d898cf3a48b08f31188d4d480963aa8b |
| SHA256 | 7472a9d4d5d8415b1b0ebf9aafbe22fe627a99fed3f4e3aaf02ed2bb057fd845 |
| SHA512 | 0aef6ed9a0ec40c33b70221e2a763b5d4b0cd460b81a3b450ab7f12e2e19c44c0a6eb15bfd6d315c459d8a9655cd0d66816542c7bd25cc8e3c8e130648ecbbb6 |
C:\Users\Admin\AppData\Local\Temp\YAIMkcoI.bat
| MD5 | 3297aaac74a64909c6f5ada4e6888a93 |
| SHA1 | fce36beafa38120efcda2b5aa6d34baad0328ecc |
| SHA256 | 5e092fbd125ad7bc83edb82bd634a9dc8df19bc50e69993f0efed56347109b14 |
| SHA512 | 69f9b861e30fce8baa56cb594fa0fdb5339978fa1af5f736f16914f41ecbe0b47888cb352cc2ce0a02bff0b33dcc20988f0233dee0eea4a72069b508d69304f9 |
C:\Users\Admin\AppData\Local\Temp\uQQg.exe
| MD5 | 9ce4444a40584cf6dc7209b5ac0ec687 |
| SHA1 | 3801332a3e21909167267f7af813fe1be203e02f |
| SHA256 | 22c8dceaedca3ae85766324fd6d09ef5d673fadc74682124596a19cdd53f6e74 |
| SHA512 | ef51c7628b6d8edb6dd9a46555d20d4bfc95646d9b581a052ceaa1b0c367910df697221166e5d72deebbfac296caee1a3c81adb2ff490506baaf523361085de6 |
memory/1472-887-0x0000000000400000-0x00000000004BF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Ycok.exe
| MD5 | 21df10e4f8412a83c7dfde9fb656ac01 |
| SHA1 | facd0dfead0b3134fcd2a7f28932e65adf5908d4 |
| SHA256 | df144b6c1d504c20bbb7a3e9fbc869fed61820ae66f269c3bc77d8fcd56a181b |
| SHA512 | 436f5f517340b41017a9d91b65cc324b7cfd848d29e0470707ea2ac6cbad73f8558e5050a8b0ae0800e82df2d664a62fa1bd8f8ee53bf9d1913d854a70decb55 |
C:\Users\Admin\AppData\Local\Temp\KYYs.exe
| MD5 | 4b40a2a366ae87298ce1b8dfe49eac9d |
| SHA1 | 1f2730f159ca7bdb9aa8cac1da9ab9f3021ead5d |
| SHA256 | 50f8dc01badc04cc29b1762797968a9fcc3275824a3f0d8943ef00a305715377 |
| SHA512 | 099491834d21664da8590210d65160050e9225ffee891616c33af24d1ea80364da093291954e26776bc51dc9d17419a3b774451c70acb9ac781430ce0973fd33 |
memory/1252-960-0x00000000020A0000-0x000000000215F000-memory.dmp
memory/1764-974-0x0000000000400000-0x00000000004BF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\WkMW.exe
| MD5 | 0a987cafd8fb53be0d652986fa284201 |
| SHA1 | 4954ad66130dd49731e1dfb97e0abb682ba9d0df |
| SHA256 | bafebfefb2ba27b9786802fc4a6ea23a982339e5aa7752c44b1b749aa15b5874 |
| SHA512 | c5cdb6b2df45cca88d34ec85816c567a42142ce77e575c290506135a145e1d8580f8ddb6ae59e5232062eb434b750e144aebfa66a0a19055db143f3da60723c8 |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile36.bmp.exe
| MD5 | 35c7965050fb511876495fb11d01f217 |
| SHA1 | 50e0104ab2e2de705c6dd6f1ce92dca908182086 |
| SHA256 | 8dbc48de5393c3efab914fdc5128360f46f2fbd6d0b954074fb2004bac16a223 |
| SHA512 | 324255c5057c78c2bf08da1a46ed7ad88486e8f260cad35eb3ba71d66206cdcbae7b3dae12fb10b7fe324692e4b85517c8ee8751f0212e4085b0d418ea3a7230 |
C:\Users\Admin\AppData\Local\Temp\wsQO.exe
| MD5 | 7d2b525662bd7590fb680a0202d2b725 |
| SHA1 | b6c4d96b637d2241052ffea0e493a0698818fb32 |
| SHA256 | b2f58f17bfa802d7b6f5a30b381539ca3af6ac33cb4f7a757c1738ec0823d6f2 |
| SHA512 | ffcf439d8c9f5bbd9a66c44090efc1a49b1fef3d7dde95ff55ffedc64207a3cda1866d0dd8899c6293ff5dd184d9402dca74442730976dddce739b30cb2d8ea7 |
C:\Users\Admin\AppData\Local\Temp\OYEI.exe
| MD5 | 29ad08747177e01e2bb83851443b706d |
| SHA1 | 491390b2d264c8df56ce2666b41d98784640443e |
| SHA256 | ec122ee054f7edbb4c5e45bfa6a73fa321e1332166e961b0cf274154eae495a6 |
| SHA512 | f7d294e7d71d386cb9ec0725ce9268ae54bb3bcaa2e501456216ad1477b56dc7a66bc23ead2b7c5706bee87b8103c07408af38899d1e31e9343522c3f13851fa |
C:\Users\Admin\AppData\Local\Temp\EcMi.exe
| MD5 | 384ddef37a9a84a61773afd62afbef39 |
| SHA1 | 304c4aa61a96593771cc0913de19b9829e9306cd |
| SHA256 | ba91cff781bf0865f492082f8b69068695e337fb3b106c7edaad51eb87a8e957 |
| SHA512 | 9d9b902cb695915c755a1ab3430351858d5c05f07aa45a872bc9e0fbca9a27e542ffa1128e2d6e62e099f5ebb875a4daf7e274f61a9dec7ea0a01b9b790c8429 |
C:\Users\Admin\AppData\Local\Temp\EkEY.exe
| MD5 | 8f268d07ca38d5db7e622b3006f9d59b |
| SHA1 | 785c11aca8891593fcfd7ac11db8dbf6037a0e28 |
| SHA256 | a119b485536d087dff3d2fcf050b389c6ae19dd6b1932be4e36d3231c82c3774 |
| SHA512 | 128558d1a1b970133a93e892a785f25e5e707011243d06ee5278c029b8db88b6941109d660d686408a515b710cf649fe04626842c7d9d0953fd28ea7c8febcf8 |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile42.bmp.exe
| MD5 | fb8afc201adc5175a79b2ab2429a4a5c |
| SHA1 | d4b482644928caab796d5bd99e89feb571fa7466 |
| SHA256 | 9051d0986e059fc2b4a2a732e17309b303006fb679e68bd3bcbbb6036c296a21 |
| SHA512 | ef7ac289bf99c355f51e83afdd43b4b0bbf87995f0702c748ec681fce0bd42e1d91baf719a325f9d67ea603c9a1267225a14e42b7ad0acb0c5ed894f58fccb2e |
C:\Users\Admin\AppData\Local\Temp\lkAcQosI.bat
| MD5 | 44c059c7e567e98570d1042c5ecb9f77 |
| SHA1 | 6cbbff5b07e8e056f201473577a9056a60df0072 |
| SHA256 | 9df34b319911f458b991155fd579bd6d12d8173a83b6f11ed2a7e344d5c1ec3a |
| SHA512 | c0f078f2aeabbbc6bac14f530aad55ba6b9216658299c3bc1e61fad4e8448ff2d071395e21f86d2b19a43778343c79be232bfbbde4f1e8e2f1ee364aa246507c |
C:\Users\Admin\AppData\Local\Temp\eQYe.exe
| MD5 | 771d16969754a51e37b44f0cbccae625 |
| SHA1 | ac6c6adc8902c87443532a58ac70f87a11248aea |
| SHA256 | d13b4f852b89bf47f9ef69d0ee16ab6dd6b021e6335d8f95cd4c512d768e2e8a |
| SHA512 | bcd58fbcf1dd568f51755917f624ea3ac0d1130aaa585edbdef6f4b2099cfc1d7bf682f2932b2508ed180896ff99a553bfea172973f721de01ccae86a2f0bc01 |
C:\Users\Admin\AppData\Local\Temp\UYsw.exe
| MD5 | 14e593e9f5da7d7b25c349053040f158 |
| SHA1 | 0ee0fd97f7d264bfae1d268d2d1fd96382d3abdc |
| SHA256 | 519ce29f5a9dfdd975ba06d90a465acd9c5be0e28870407f10f08d49f16ca5b3 |
| SHA512 | 2368e0f6543b7728554816bae17723042fab4e73356994072a63fa88136ed96cf03a7fc1566477ef02494cafbe710d684b1b4ecc2c360aaab01d0ea38bbf7993 |
C:\Users\Admin\AppData\Local\Temp\lOMEgQoI.bat
| MD5 | 4d5024977bb64a9ca4889fd1617f280a |
| SHA1 | 077802cd09de19dc55e8f1cac884a1e87e606ffd |
| SHA256 | ab22ac607160bd78674c92664a523263234c693cf4d7e277a8e3a46df0f41238 |
| SHA512 | 3547ae238daf0fb486b0a76fd3967f40f0e78fe4c507e2556fc4bd6892a889d8ee82925f02ca0fc4ce89d02c046eade4a4662ac082f27d03df45c85474288c1f |
C:\Users\Admin\AppData\Local\Temp\ysEo.exe
| MD5 | a33e6d067dfa59187858db8b69e49fee |
| SHA1 | f2d3422dcd05598c120c951f544ce87260bba835 |
| SHA256 | 872f2f15b3934285c37af7d210c2fb8d7b58ffba4ebe15fdece17ce22d8b396c |
| SHA512 | 56ed5f2e359c29beb668735a93d8fe97d071b80723171d39028dcc96b87f96d397ac7fe0b436cf60c46ff199d1ae951153bd3e548b19cc53861b611054e199bb |
memory/1980-1235-0x0000000000400000-0x00000000004BF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\aEou.exe
| MD5 | d9a40aa35202f0eb733190d78052f385 |
| SHA1 | e58b14560996dd449f0484878ff515230f35e5ef |
| SHA256 | 1667367ce4cd9d5b7b699884b84c3cb3a7a9f8905da06a723cccf651a18d7da3 |
| SHA512 | e5d3b5c0d35d515857c5ae2cb001b15e1af183b3c7422904ca2bd6cbe9106d87527e07b647bbb63159e97d458e565ef290a4bfadfc2b545c0d768f9126815e81 |
memory/2672-1284-0x0000000001FC0000-0x000000000207F000-memory.dmp
memory/2008-1298-0x0000000000400000-0x00000000004BF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CQQoIQYQ.bat
| MD5 | 3e7f33e430dabd3e5fd6f273166efc25 |
| SHA1 | 5fe6fc336813a3d69f2c003c025a75782e50b37b |
| SHA256 | 056a2dda010f14b10fe105a0c35c922639b52481cab7f5cccdc67bd78079fe27 |
| SHA512 | bd9cc625a4348e92831d09e8cba795bae30a58e7de4f25742cf4b3816ca0aee529917146c8b9afa6ee22e64495df15b3d98c4fe307e9abafbe92829a29dab693 |
memory/2132-1307-0x0000000000400000-0x00000000004BF000-memory.dmp
memory/2008-1328-0x0000000000400000-0x00000000004BF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\qAIwsAkc.bat
| MD5 | 69491eb63f0daa5a09f5b15267de9cde |
| SHA1 | be490ddb18d3c7a1e5ce8e3e4562cc0339f01f6f |
| SHA256 | a3bd8db1f6b4f352e4f36b808b1389f2c518470ff8c3f99102ed3eea69332817 |
| SHA512 | c995772bc7608220bce58ef63d654cc7b083380027f5d096cc4ba801a825e7a61d551b0043d827fb1c56f47f7d49dd0cde1b4996dd4c41add046859ca303e800 |
C:\Users\Admin\AppData\Local\Temp\yAso.exe
| MD5 | 247cac4045119748035b41b5f2dbde83 |
| SHA1 | bea73a6a882c907aa74ad13b1a16226c92bace01 |
| SHA256 | 43a76e6e9c4b5966a6efe54c21cdb28858d6d68f2e8600aea46589137c09214d |
| SHA512 | 9099873c56dbd51d3111a9794dc02e0ac06ba931a0cf183ab66118719e38efdd2cd6c3fca0c85e0ed505d5597532077e7952239ae9ba843a13f8c59331ff6a9d |
memory/2692-1385-0x0000000000400000-0x00000000004BF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\mAkM.exe
| MD5 | f40cba207a1a3d420fb73d86876221df |
| SHA1 | b30c8a937dbcd48924b08a7ad4b7b008eedcc9f4 |
| SHA256 | e7effba846785e31d119508186a53c63fc3669896915f21993246396a00304d2 |
| SHA512 | 524e21e26dc6b1c458c30f44c5e34dc1987f1c1aa740bd8ee1dd3d031e9e9c8e06573c95707a7ceae8ebab657246399682895f7a475580934b8f73f0a93f07fc |
memory/780-1386-0x00000000004F0000-0x00000000005AF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Uswk.exe
| MD5 | 4e955d3abf9cece39d3288b04634c6d5 |
| SHA1 | 804405167ffd23e59f46cca6d015bd75b55ddafc |
| SHA256 | f61fe0d06f4cc882833b480b9fe2a7d5edca439a05fc3fe1c2aa67923c7cd6bf |
| SHA512 | 3c7dce99486ee05f977ea89cdb47909e6eaba2887985eb6b08b93ac691e00a4bc5e977d68cbc15dab241988667b9f33fb00ee005fc85bee0b00c1ab2777619c9 |
C:\Users\Admin\AppData\Local\Temp\mEQG.exe
| MD5 | 1751f28d2f0c621ddd953a0fef5b7750 |
| SHA1 | 091a7eefeb01b75dd7d8852577dca8bd3be35b21 |
| SHA256 | dc8528fc6f6a7aa8727c27d6d5d01eceaa3c2acc2175c22804ae0e0f61410eca |
| SHA512 | 8c12e82f24a6e9cc4cd704fe7e08e9e8b04131eade8ea36385f32d07d38a25b957b200947f01d90d02b5de6030bcb90c4ece229f9cfc1c141ab7dfa7dd1df050 |
C:\Users\Admin\AppData\Local\Temp\oskMswgU.bat
| MD5 | 6536a70b45816f6c6743329ed6b255f0 |
| SHA1 | 15f245edbce617420d66286fc17ccdd032d69d53 |
| SHA256 | ab2501c3087b7a2fca71f643236150f05092abe206c19cd403b39d778bbb9aec |
| SHA512 | 3ab27186fc4b4c4e7d372768443eed0b9a942611ebbfbb714ff46d9da41263972b92903ff6408db14dc58516d93118d661dd3ff9fbb28a091cbc654a0b8769f2 |
C:\Users\Admin\AppData\Local\Temp\CEsq.ico
| MD5 | 964614b7c6bd8dec1ecb413acf6395f2 |
| SHA1 | 0f57a84370ac5c45dbe132bb2f167eee2eb3ce7f |
| SHA256 | af0b1d2ebc52e65ec3f3c2f4f0c5422e6bbac40c7f561b8afe480f3eeb191405 |
| SHA512 | b660fdf67adfd09ed72e132a0b7171e2af7da2d78e81f8516adc561d8637540b290ed887db6daf8e23c5809c4b952b435a46779b91a0565a28f2de941bcff5f1 |
C:\Users\Admin\AppData\Local\Temp\QgEA.exe
| MD5 | 304ba699818323c4a324713335b1ff25 |
| SHA1 | 30219efda43d348ebd27b5fe62044ef2e2ccf228 |
| SHA256 | bd5fffee9cbaf59b91db2ce7572714f0a57717b5ea7da0046f112738f617589e |
| SHA512 | 245a3b5f5b1d5e820b4394c1356eba41f5a2346c9a41cc41a304dc1b3edbefddbefba439a13d4a5750fc902442c1434641508e531f19545ed16f53c3adbcfd77 |
C:\Users\Admin\AppData\Local\Temp\eEoUIMQI.bat
| MD5 | e58a877b2ae9e65d90dc558622cb9ca1 |
| SHA1 | 440efb785526d0dc6dc6ba408d0f86a4541c19b7 |
| SHA256 | b07e87bf35d2ca7bbc90aaa48f9766e218a8a4adbf65b7874a3a9d401da02a36 |
| SHA512 | 1276628a503c52027d7a9545aa3968202b3f11e82e0e7406f8c116f5a6359c104f08f59b4b88ac811fd2dafeea989d1b8533b7b35ecb73884ac221562b9a3370 |
C:\Users\Admin\AppData\Local\Temp\oskG.exe
| MD5 | d2d30bd247a603719dcd0f759e3e6fef |
| SHA1 | 325da3978ba4b7b061bb0fbd4fdd66162888e8d3 |
| SHA256 | 00086c49fa4a40fd9ee7253da08cc7c4b0823e610cfc3fab7d9b0dfcec5b946f |
| SHA512 | 6893cb9f66fce4a40bd0c5e963409d5ad11de3be61d2d722a37cd56566185ca9bf092bcae27a87e603c24fa66e964213e5408358581c59fe9c199fc2579314c9 |
C:\Users\Admin\AppData\Local\Temp\EsES.exe
| MD5 | d23c95e8adda30e62dc87e821aaa026b |
| SHA1 | 1db315a300ddfd06a00fcf36e4dfb5dcff28c22b |
| SHA256 | 49d006cd1c560374290320fae06dab4826faf7925c39952ab910e03dd449c314 |
| SHA512 | bdccf1a97901fb7415a20751209e05592550b8ef816485bad5e9adb8fcf11963bc51421731803ece95c93c25f12a174171f8c47deb4d42297602699b20a31676 |
C:\Users\Admin\AppData\Local\Temp\wYcC.ico
| MD5 | f461866875e8a7fc5c0e5bcdb48c67f6 |
| SHA1 | c6831938e249f1edaa968321f00141e6d791ca56 |
| SHA256 | 0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7 |
| SHA512 | d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f |
C:\Users\Admin\AppData\Local\Temp\wQoU.exe
| MD5 | 282bf79f2f27ef88972517329e40ea0e |
| SHA1 | 9287ab15ab273b8c88b496b9b415f1bf8832781a |
| SHA256 | c931fa3a80b1b1c79678250d8a177d0c3e3513d7c0817ec37ddcb0b7315f42c3 |
| SHA512 | 654e249ecee27c75550c781b83e7ce3f6e974b864d9a57e74caa4a80e99e1ea1ba4bf0b370ee21105d9633f929367b2d879fa49cbec27ffb1bd8259f430643cd |
C:\Users\Admin\AppData\Local\Temp\BeoEsYsI.bat
| MD5 | 022a646517f776667949810f5ad8bcaf |
| SHA1 | e0e20b7b5513bcca053f20727bc7902636a750c3 |
| SHA256 | 75e0f0fdbb1424cc2d6d289fa76894db306ab1dc41061595fb13e8339fbcad31 |
| SHA512 | cc94c29ca0ccd6cb911396c7dddb78e9a2152420e51a279999c2dbed4d733bfcc521c835bd0fc6714797267bd8c9516366f33d975b2c3d375d95afc900c31be8 |
C:\Users\Admin\Pictures\RemoveRestore.png.exe
| MD5 | d98f64cc1a7e870d9e7ae47192462199 |
| SHA1 | 932c7ee1cd4aed6904525f0ca26e875568736b2e |
| SHA256 | a0aac6c61c1502a457e7774f88660f18d6bd275c07b72de4bd92634a1c503c46 |
| SHA512 | ad018cc7da1e66b208b319d60b716ed0d2241d316f96f2c3043b3521070aa699d397def343bedca40c1d8285549d73529f03510483cf4b7f9f1872d96fac7b39 |
C:\Users\Admin\AppData\Local\Temp\GYEW.exe
| MD5 | 762c4d5ed9148fe3e215cfc3783a5b1e |
| SHA1 | 33bab554f84aaa73c2c46c3dc3e3b9aec220550b |
| SHA256 | dd84940b8b36310d41af47c8ce32f99dc8f4c68c1ab913f2b1671ded7459dcf0 |
| SHA512 | 78b228e217a0b7b6a6e36d3df976f153f4e247b8ee8c5772b0dae8fbed23743125900a41ac06a0805fc3794b51822b0176f4ca46326bc9e7bf9f68f737a0e3ce |
C:\Users\Admin\AppData\Local\Temp\GEgI.exe
| MD5 | 170cc13a6ba5272a1c09a50370c5b28d |
| SHA1 | 7d4123868b9d877151e2c7f95c69dd4438f95271 |
| SHA256 | cc8f1a4f75d009ed8ae21bc4d6277118eaa26907b67abadbfd41b7cb0598e613 |
| SHA512 | a7d75837df9b96dcc86a85f78fc5b959f78f87d7faa35969340624025da8af89706243467370cb2e34c0e3867eee46589d3f16b5c00d0f20bf9240791787408f |
C:\Users\Admin\AppData\Local\Temp\ugYI.exe
| MD5 | 7affab2a230438a7135ee819604ea228 |
| SHA1 | 74500f21897633e0962b85fb9e8d7663dc05c2c1 |
| SHA256 | ed90248807f84656154f1a05a451b43b73b54522156511745dd6c976796d2739 |
| SHA512 | 649c0d497dc7c1f227bded69d88f5fd06417be57b13a3dbf933f31cc94e1e393f233cf50b2550e708b9bffc165980bbf85f97ab818331398b68edc08e7fe1b8f |
C:\Users\Admin\AppData\Local\Temp\gQoS.exe
| MD5 | 6a01595beae6903b9e8397a45606a9db |
| SHA1 | bd5b0ea0c629d06de0a646916d341f0d8b027aa6 |
| SHA256 | 38269de60123ecec704dc7fb169d4dc0f413106979f6894c23be09e6e634bf83 |
| SHA512 | afb7be51612bc73e8f1e363ae050ee4f77a85437e51f6a6f8bc50f95a1e0d2c99cd2686dc1fa7bb3f1c4846da963d404b498306d9bb57ef066e14d46bfb435f0 |
C:\Users\Admin\AppData\Local\Temp\gQUa.exe
| MD5 | 8babe74df3664eeb58c3cf91304117ea |
| SHA1 | 34c94d8b082f8468970de7015883df40ca745957 |
| SHA256 | 3919fb34b564bf88f83efc4df3edbb4f17e3d643891e704f63ba62c2c88d5864 |
| SHA512 | fbc4cf0a9fc0f8c9c01fab2d400588f803330b57db3dfe473dbca676e9dd426c891f6352ff14abf81e78c50cf149272be1982daf697bd4863c2e6fa787eefd0e |
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe
| MD5 | 26b1a2c50ec60021022f854d962e05f7 |
| SHA1 | f041fac8535ad44813d1969744411d305e2a165a |
| SHA256 | e754aa5e057a57c6cf510c3f6a04333cb6e5e763c8694ca1008cb414cb7324e2 |
| SHA512 | edf94866ed3de311d47d812d0bec43b3087bfa36a49dfbd81830db18a494012cf717d1f817e66dd077be98199cfcbe02bb2f97d9d8a82eadfa6356058ad9d19c |
C:\Users\Admin\AppData\Local\Temp\nuUkQgYw.bat
| MD5 | cd0a623501c4052b82ee978b5224a676 |
| SHA1 | 050988986a08b4ba28251fe6804153135557b2a9 |
| SHA256 | ba8cce1c003867c14052ebb55579c50d0aea49b03ec9425c51c59909e279332c |
| SHA512 | e1aa2b888d3cc7ce664c629e1c6e9be5e6d66d4f9242abf32feadf15b5c267cefd74e83d3512e4c7660fbbd0d28f0385ae36d10bdb76bd257f56e0ac47f9a762 |
C:\Users\Admin\AppData\Local\Temp\IgYM.exe
| MD5 | 93da75b5b95fad00054dbd59fd6aac80 |
| SHA1 | 248e451a1ff5ed2f5df087fb727ab345a5a4948f |
| SHA256 | e952cd6bcbe654870a6b4db8d972e1d265a023b50f24ce5b147edc9a3d1f0482 |
| SHA512 | 5a937fc9f14f49c5351ec709f37238fc1ae1e7f30e9e1c437bcf9eaef176189110f9b5330f9e459a5361919a15b2242023060724b969c2ae79a0e83da2368407 |
C:\Users\Admin\AppData\Local\Temp\QAUc.exe
| MD5 | 5831cfeb596bfac067493c9edec66579 |
| SHA1 | 5b9453f322b259654614f00029aa95256d9251ad |
| SHA256 | c95f001088bf04544c66ddace72d018669901675dfc907df5f2276c1cfbbf5e5 |
| SHA512 | b856a0c2b07bcff3e671edf15f4fa7f9fb4862c85398ac6224e4be864e8c9310bf82561b8f415e6d117b45e87a8de08e746d8bc4cf504fffd83f299440df24e3 |
C:\Users\Admin\AppData\Local\Temp\GUIU.exe
| MD5 | 814be91ae7590aaf0e89b97dcf79d0fe |
| SHA1 | d5893cf1582f36be0947f247de5989dff93f56e3 |
| SHA256 | f8a21d2a5f9879358824f7cb7efd6c6435846a4a16d9dbcad112af5c965cac63 |
| SHA512 | ed57b8f5187daff23588608ffccebc4a06772a8addc6ad38f2912b74309d83c20a828b01ebf95a78ceeb849a5385c44defbb7ddab7ffd35ade51978919c57ab8 |
C:\Users\Admin\AppData\Local\Temp\OKIIUAIk.bat
| MD5 | 24199532609eae3c45603be720d140a4 |
| SHA1 | 5bb1aae93bd52b967f18151b7871ad0760698190 |
| SHA256 | a44868af91a71d91d781a85148c1734bd0fdb4ba5d98970b8cfee64cc17a667e |
| SHA512 | d1656e3aaaca62ed2f972cbaffa186d636addd462019fed1bbfb85c11ee429f863bd73b2dc870e51de359ea4f379a77d84bad966425dd3f8f66bcd611682738e |
C:\Users\Admin\AppData\Local\Temp\QEgQ.exe
| MD5 | 6631a94ce157b3755562e370240f8310 |
| SHA1 | c7f2b0f1541facfa74aee6b33acdab1069fb3839 |
| SHA256 | e3abbd288a3d2034386454e433c311dd4ea9e6bcaad577559782300deaab6e63 |
| SHA512 | 7495bcd8da7ec763d060ead452336edf181a365505e4bdb48c38de3bbfcf8a108c16319d6a041d3e15b1819d0cba0690b69c4c3d2ed52f28a6bf0a1e789e5520 |
C:\Users\Admin\AppData\Local\Temp\UkEk.exe
| MD5 | 8f622d2af7560f91b3f27418b7533c68 |
| SHA1 | 1875ab5eabceaa62b47a1b96f7e4200ce2c94b73 |
| SHA256 | 190afd8e4b291322dda364102c5348320212a7ffb007defd5bc2b5e5a556ba16 |
| SHA512 | e633eb6f20d0c1c00712f3ec43d5e3d1ffdc5fc3e4ffc4dcb59400f68922fe680a7027fc7bd62cb495ad8567b1771bac8acba4a9d4bcdfd1222841399b74593f |
C:\Users\Admin\AppData\Local\Temp\SussAoAM.bat
| MD5 | b27f40e9e27bec9845be17345ffb05bf |
| SHA1 | 240dfa3764d1e009a2d3ef8054347d782cc5166b |
| SHA256 | 399943711bc525257d5175a27681a81a49b7c7d0cff2f292b7c747be3fb9d491 |
| SHA512 | fe3fa63e69761b4191919fda853b0c17fe57647757189baccfd2977714279728a5bb4f8a44f64c54cbb38e3eebbea37359da863f85c2c8f6b0131c2076af3f11 |
C:\Users\Admin\AppData\Local\Temp\IsYm.exe
| MD5 | 401e801d1553dfd20e2bbcb48f7d7d43 |
| SHA1 | 3c4b00a6d6ec3ff02444ef98331fba2834168df3 |
| SHA256 | 2a6aea1e626f7a3fe1e49b1528bf322d591b14d83f83c2b27779cb5fdd30ed57 |
| SHA512 | c1027eba9f1089b4c7e070b874e6bb641bab04da04903f74a2c02b90e1f87a5d4529dac43322189e366b905718809d2cc1e6827dc6b88de890f83bc284c41049 |
C:\Users\Admin\AppData\Local\Temp\aswU.exe
| MD5 | 2647ebc23b7b0c5067d558b8fb423ac0 |
| SHA1 | 90371a6537f253db9181218f53d2c2537c4b7350 |
| SHA256 | d8255ee3fad6daace03442a250b2832c8a1aaf3bc0f8ccc68f1d560b35bd948b |
| SHA512 | 436ae49676c6d2a789d5c8bad4395788f028934f1f6e2ae3e08ef7b5d2fa119f937d314ac968d123ffffbc600d746e86daf7462332de6fbb7c1158f40f1e3b7c |
C:\Users\Admin\AppData\Local\Temp\QQkA.exe
| MD5 | 143d364b0bde168c2292dfcbbd7b26f9 |
| SHA1 | f036d5f3f355b29759ad860666bba57b4fe8af15 |
| SHA256 | 842b779bff0bcb2912796f9bed2ff144d56826dcd1534e9470975bd1d6fefaa5 |
| SHA512 | 30bc0696d70e27c2336d7cb355ea64310a1a451b305e033801d7c00b20a7cd3093e40e0d1b373190f39f106b386cbceac23631ea5ab4cdf4191ed5e483ce8a27 |
C:\Users\Admin\AppData\Local\Temp\gewUcwIo.bat
| MD5 | c582e4c18ad4d2a29c26d1cd99331144 |
| SHA1 | 6583458dabdc94be8148f80d520164f07e99e772 |
| SHA256 | 9473884972b9a510af97a1a096c7505dd8e7208db7e61189fa7cc1e590818834 |
| SHA512 | 2d07e190f1282a92c51bf5b67da13f01bf9ac7ccfb6c37b41e81779a870255ba3dbb3bf23ea60632d7de441bc0eabd8138e10954bb3efe390a138df0058031e1 |
C:\Users\Admin\AppData\Local\Temp\AUAo.exe
| MD5 | 3492f02854403fd776baf7b32aa624e5 |
| SHA1 | e17fa59a0e5489730210b544f83456be71481f71 |
| SHA256 | 071da2846102388c02b27c2a0ada2669f993ba9dc786a793892ecf0ceb5f9658 |
| SHA512 | e9ba4f2452c785c226c53cc3c8fb07d158ac6a8c7a6339ff0282ded12acd57257468d2052118e26f10359760a66d509f0b473c6f992a3f9f4092a693e6b631f8 |
C:\Users\Admin\AppData\Local\Temp\WwIy.exe
| MD5 | 52da6ebcc7b909fdd3a42bf8e1a64a9e |
| SHA1 | 61dba66d65cf797b2e87324e6d8dee076322f61a |
| SHA256 | a1d3ace319a952caedac95e6380732fc18aab1d7c9301301b5458bfa1a4640d4 |
| SHA512 | 848273ed3fb57de7e8806627e0ad864241d1293a7b077578eaa105c8f3f0e6a81589f20bf001fb683366f27404ba4194293ecda13bbc590e0038c808b019b1f9 |
C:\Users\Admin\AppData\Local\Temp\LcowkQcc.bat
| MD5 | d63736c598cd7f307a4df56a46fb5297 |
| SHA1 | 1833f42bfefd5ddccae5409be444923b93fcf5ba |
| SHA256 | 788cb780eb34e0882bd04791f3484060620c90e46304d476513abb9b3030e4c3 |
| SHA512 | a61673af6ecf628d00b1e1ff01e8372fc05998036c4acf05769f5189b13c1866f814043f30aad006cf918a426f9bb22bbfb408289b90c8abf9668d35d5d0076f |
C:\Users\Admin\AppData\Local\Temp\SoUQ.exe
| MD5 | 887aec48172ffe527284078781419ba1 |
| SHA1 | 3e7aa8d982392f31d2ff989d94273e612c92cabf |
| SHA256 | 305388a6603b7cb401b163af6feffce3d9c5c16e406d8840db57715a4d7a58f6 |
| SHA512 | ef5c6e27a7b46130cf90a1a7c3612c3e80e9832bc81218aacf3589cb9e2d5640f52aad3ad9098de0ae2365864eed3c9bc9534e1203aa1ea170fc4350dcd89520 |
C:\Users\Admin\Pictures\RestoreFormat.bmp.exe
| MD5 | 5a211a9593336633d34de1bbce279e0d |
| SHA1 | 729fa3d97e55e35de87eb089583781da378ec570 |
| SHA256 | b0dd0f30cd003f14bbf359002081d79f939ac4f9a8ccae1a9c5f44c04ffd6918 |
| SHA512 | 1ff98f7c5ec2de394b5e7b0f5309f4437728238674ab57c8ed1d4a49408412273cff0cf77c0a18dba5ef9cbf18224e974a99407a1ab7b8cc80998f3cd24407cb |
C:\Users\Admin\AppData\Local\Temp\lgEUAgcQ.bat
| MD5 | 1ad52f73a436ab46a5b5fa92820c097f |
| SHA1 | b1904181c29a33d6cbd2b006d39beaa182b60ca4 |
| SHA256 | 6f0b5b6c583767da6ed810ebcda8ff32cb2f67c01c13dbbcfe065f7226f2728b |
| SHA512 | cf7d3ccb6ca302bed16bd44d4e4d2c622aa4ad9b521b60e3ec670f601b29bc89680e71c057c3e16715cb609e6cb6de45f8c994390c49978a8b4e4673e86ee551 |
C:\Users\Admin\AppData\Local\Temp\MQQw.exe
| MD5 | a4494d568cc1ced8b9370e533fe7f868 |
| SHA1 | 1a1a983a2d54ac0176e499cfcac0698c05bdd56d |
| SHA256 | 2dedbe46716bf0c4c401b2367fb46da8785f4b26487c6e31e73f0d4d2432d5e7 |
| SHA512 | 4f11102725f0cfad122a498db848b1c0ae54a1a96a3fefd20e7f7f83fe92d44fd8e2c08287baafdc58e52542c05f0ba1569e3fdfa6b2ae3221a0aff67cc22dfd |
C:\Users\Admin\AppData\Local\Temp\FqAMYEMU.bat
| MD5 | d1f23638695668ebb9d2477fae2113c7 |
| SHA1 | 4c8731599188d06b248b008e9e5f359063adbc03 |
| SHA256 | 10cdd5c80c625865d4983917a9166997d8bdc8e6726da7a2e4a6eda844394b5b |
| SHA512 | 6091726a50afc4afdcc0975451065aeea1c2878daa2e4478b43a6f842f9e8cf51bbebfa25221138a47bc99440a95d1940d779bb21729b465c978c696702d9423 |
C:\Users\Admin\AppData\Local\Temp\cAAi.exe
| MD5 | 26fb28d6d13753fd2c4a1235b1785487 |
| SHA1 | 8053e2328743f4feaf37e651576d87926767e557 |
| SHA256 | cfd7ea1046877da03fac1de47746b6a0666c38763b0dad376c085a0a6fb71fc2 |
| SHA512 | 289eb34fdb7261bb032eaaebdd1802f7dc69b6c28544a4b7e69e5fa0689f47cb837b1661f28e05095051066887d782927a13b63629e64f00d3ca702fdd276ce6 |
C:\Users\Admin\AppData\Local\Temp\UoAi.exe
| MD5 | a7b7228767a64670ab8b0c1be1592393 |
| SHA1 | 9c5b740248916cb793bf65f6f1561a29266e9125 |
| SHA256 | c6669830795b709f8324bc3297349238f57f78a40ac315a3804ba19237269bad |
| SHA512 | b0c26e20bd9759702f8c00fb816935b60d30aa81fd7b5b9e684fe7a29bd2c55d2a7fab639729c1e8ef856b534572dfee7633920111628b830860ecabb944e9b0 |
C:\Users\Admin\AppData\Local\Temp\kUAI.exe
| MD5 | 56375fd667b5bee0136c898857f79212 |
| SHA1 | dabf565384e240b9019708e40efd0a7039765061 |
| SHA256 | 56098e9c58add88dca2d404d114be2cc01da8141d5734ee1fe5ab2cb17bf5abf |
| SHA512 | 50dd7484543ac53418ab139d6733424eec74320e99e990f6b87617fedff892a7039250b2e6e2c6832cfe8fe9fbe03c6b5a5d2115ff37f2d9df92626d5aedf231 |
C:\Users\Admin\AppData\Local\Temp\sAkM.exe
| MD5 | 44437e0c354a970980c41de582c8cda3 |
| SHA1 | a335dafbcfcd260d98facaabac0160fabc3d59de |
| SHA256 | 7132519d041c38fffdb0776dd2c0ac36c6e4624dce005016fe7e09d8ca5ce39f |
| SHA512 | 79363531ab79f9abf461a7ca7631acfb77b476896c596f6d460e37ceece0ca344d79da578333d1d84f203e7866fc641665cf37ab5687efa0d24ff20fbedc090f |
C:\Users\Admin\AppData\Local\Temp\AsYo.exe
| MD5 | 197af17750166a55b7a8b072d4ada957 |
| SHA1 | 4ce15df462745f99dcee0930e00261ce416a9363 |
| SHA256 | bb44998d753fda0cfe6762cde0e812dccb7e9fa3ef65e9483eeeaed4fcf9a8e9 |
| SHA512 | 78613b25dc4301d10137b9ca8e35cf4928ee2e118842030395fcb6fe781fb21dd03e4674e37180a850a6fdd1499cf4dd31696e7e28ebbb72376de19943229fe7 |
C:\Users\Admin\AppData\Local\Temp\YEYG.ico
| MD5 | 6edd371bd7a23ec01c6a00d53f8723d1 |
| SHA1 | 7b649ce267a19686d2d07a6c3ee2ca852a549ee6 |
| SHA256 | 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7 |
| SHA512 | 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8 |
C:\Users\Admin\AppData\Local\Temp\SQwy.exe
| MD5 | e339b6265d6611711aa2f313f7ec998e |
| SHA1 | 0a356dcfbaaed40887d62e6ae1b33a523ab46537 |
| SHA256 | 502d4470962386405823ed59182afde04a568fb7644fb3b6e5de4b63077c7f88 |
| SHA512 | 98b63b5bd56dab4d00b74da1b6a9d948e4806d53b9851b52a8408eaa672b39d60789f11192be17d32ea8250706b9bbbfefb7a4069c9cf712a2ad58a0879170bc |
C:\Users\Admin\AppData\Local\Temp\qMgG.exe
| MD5 | 809e9e72fd81180a9d4b7774f9a817b1 |
| SHA1 | 0edc84e9a496d6d0ebb05c3bfc4c21bd3303b800 |
| SHA256 | 6b14f51b623535edbf5286cbbab83bc3334bf513b0b5afc0b08b0265b6b421bf |
| SHA512 | c688bf394057c8040d3a6f21f21b029fe47021103b9e9ff87c7373f8cd1678f95561f022c1cac5440d829e2dc3028cbe79e51453279a756b8643ccf6c2c42a6a |
memory/2472-1318-0x0000000000420000-0x00000000004DF000-memory.dmp
memory/2472-1317-0x0000000000420000-0x00000000004DF000-memory.dmp
memory/2692-1320-0x0000000000400000-0x00000000004BF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\EoMq.exe
| MD5 | 169c649785628fb1fe3d8ff0ecacad04 |
| SHA1 | aeca3a5f493bcbd1a97bf42a4b6b0155b80a2833 |
| SHA256 | 38a3a8fa08ed0291131113752bdaeb20e50bd9e9556dd25bcd225d53ce2e2a3e |
| SHA512 | f5a9e639b72ad3023793b32f0932d1ae80b8e40d305332ea71f3c17164b1a90b7386504b1ad48cde4c49ea251bcd02d7cf80e07c131083490667800f553d803d |
memory/2672-1289-0x0000000001FC0000-0x000000000207F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\mwkO.exe
| MD5 | 7e7ead55f71ce2f846101119984c8d9b |
| SHA1 | bb73db93dd7cb94ec69cb085e14cd263275d172e |
| SHA256 | 263efb1a495face0d0f192a7967ee36e042d3b4598f0ef8edc94dc27d20241c0 |
| SHA512 | 64718e8f527f205438e6158b8d1a1eb00b0309a2391b55558b5d59277768e874cf177ea99b572a3c1e14255dae11a1bef84c40228946a04350d02f3b16094a70 |
C:\Users\Admin\AppData\Local\Temp\VGQUoMos.bat
| MD5 | 9246a04acf0fa3c62348213487c598b3 |
| SHA1 | a1abdddcb72a6a6d40608d0ccbe76eb0de138f00 |
| SHA256 | 2cfe615d7092084898fc7572b2285ef34b673e8e21702ff99d9d5704bfdb01c2 |
| SHA512 | a8c8c5119b316b8f61fb6015733dabc9f02ae7050fe3d82af1297f1c9e204efd3b0483d5ac450b6da0472442bc0a977a46338582c53be25b8cf382054cfd5022 |
C:\Users\Admin\AppData\Local\Temp\IsYW.exe
| MD5 | 21f0adddeafdf0c41e6833b1c0395162 |
| SHA1 | e5b08e612698b0d5de82062a3ee6fcd8585e5e0a |
| SHA256 | 0a83056a8542820258a20c4825f4a09658e8930d74809a530cf11ee8c00cd27f |
| SHA512 | c00cba390438994944b4f75d581ea5d61af7d24cfcbd9ccd0e961a9002019d57a5e98474c86a895a4dd4a4bde19fa6c540de2b4f90fe351e99c510469bd22616 |
C:\Users\Admin\AppData\Local\Temp\uEoi.ico
| MD5 | ac4b56cc5c5e71c3bb226181418fd891 |
| SHA1 | e62149df7a7d31a7777cae68822e4d0eaba2199d |
| SHA256 | 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3 |
| SHA512 | a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998 |
C:\Users\Admin\AppData\Local\Temp\MIEA.exe
| MD5 | b5ddc3cfb8aa9ae5e19664fe09468975 |
| SHA1 | ed241efae83ce6271301980d9eac3f5b5358558f |
| SHA256 | 695c3ff47fa6128892279c4d4becc5eecb3009a98c47d3c280bb1bcfd6df258d |
| SHA512 | 838c11c2c1cf97e19dc0d9b8a675680e8b8a3360f152c491252ea7bd27c9ff1609120bbd4ba7b437368c260be987f89c70b3ccc360230eff7491b867f2dd465f |
memory/1980-1164-0x0000000000400000-0x00000000004BF000-memory.dmp
memory/2164-1163-0x0000000000120000-0x00000000001DF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sgMs.exe
| MD5 | 05803054c9a22931855480f53ea8f9fa |
| SHA1 | 07dc71e13040b6611cd5ca857f5a582536223699 |
| SHA256 | 6e286274775c9a7b3f165288935b7ce5b7945e1a68b9338c5fbbd2dc8e07632f |
| SHA512 | b2214e565eb0e9a6adff89da6525a0f096c3f0aedefe04a20cccd94650d084b541a6f407eba8e2d4055ecba1fbaf95a87130c5dfffc9135737abe236ba6a113b |
memory/2816-1149-0x0000000000400000-0x00000000004BF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Ikog.exe
| MD5 | 1b1c3dcb444270765f213a1722a43d33 |
| SHA1 | e953dfe2b1d3c4d4c2df782109ad0a82b555e39e |
| SHA256 | 62159b23efa227fa023add5b0d766b8d5605485dc902b2a6d1e87dbe7b84f461 |
| SHA512 | 0a38a35b7cc39ac55fccab4637ee11c31732428c96c96345469e60f0206cfea2a3473096ec6786f5e196e1dc54661a40764440d66005354b6107d65d6f042e91 |
memory/2044-1106-0x0000000000400000-0x00000000004BF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\cEAO.exe
| MD5 | 12cb9e1f1c4651c75eb807d1571a830c |
| SHA1 | de7c67846e67074c0deb4ddb87ab8e7209e452f3 |
| SHA256 | cad9a180afe8bd1edf3b42dbdd3a64cace508e8c98265218bb1a5470b86a75dd |
| SHA512 | 3e849fa850e522daf897a5520f4f52dc6e6950066736d58a3138a3582abf0b999c66f7ec4f2eb1f88097a33bce3d643217b925ab49c99644172b2d700a38ea6a |
C:\Users\Admin\AppData\Local\Temp\YKQsAIUs.bat
| MD5 | 746625c66cfd170674b96c51e196f66b |
| SHA1 | b8fed6dc47bc2494d204cf121f98cbee945a4eb7 |
| SHA256 | 000e796ab6c3d862d9bbc93e7c0cc583caa7f9989a37d0df4b595ff40b20feda |
| SHA512 | c60c1b4fa5af36f3ff5035fc0cce456c3081814fc2d6802255d303fef936dd0740a57ee33dab1407c27fa0cc3efe8456443efeaabe34531d198897519b98d0af |
memory/2816-1097-0x0000000000400000-0x00000000004BF000-memory.dmp
memory/1604-1096-0x0000000001FD0000-0x000000000208F000-memory.dmp
memory/1604-1095-0x0000000001FD0000-0x000000000208F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CIsO.exe
| MD5 | ee66c982add1b971328d7c37251d86a3 |
| SHA1 | c9872e876cdcbb9bc3c5013b7b5236b1ecc65269 |
| SHA256 | b6949daad4fd78a1569cae344e88ce925001db8f4d8d5c3713be6e9fb2cc146d |
| SHA512 | e3d01c2c644c997603929c55edb2fc87014958f5833d2017555ef40a91ae70e1a12f7c5525c547083b3305201f382019605dcc18a77d71597a240d78db5e8c4b |
C:\Users\Admin\AppData\Local\Temp\dUQowUws.bat
| MD5 | 286813bcd001d71629220d87c103bf8c |
| SHA1 | ea211c70c52dfd4add03185a265e0945707067fc |
| SHA256 | 0da6ce26ed1bfcfd9be0bdd9c815a898b685dce33be53f5069cff55885cd6b9c |
| SHA512 | 6185a9f27f8ddc057d6d200a7e87eac037884b6ef36c4026edd8df698bb1d523e8e23fbef4f5a63b62efb3e6b443f547d07a42dffedef495dd0b15c8bdd305cf |
memory/1764-1058-0x0000000000400000-0x00000000004BF000-memory.dmp
memory/1572-1050-0x0000000001FC0000-0x000000000207F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\mUMa.exe
| MD5 | f3a59d61fe018ee9a46dda066021832a |
| SHA1 | dd7e2e8246754844ab162c754210e9bd55328910 |
| SHA256 | eb3dfd061989c6d32d09a2a658619bfb9d62426c5dd6411ea5ac184cf5bf7f35 |
| SHA512 | 6ea22000c2f1ef9c15ea288549c72bff9ebf000ba1987e1bc702cec7d84b365f9ffc7416a24a7ed437dc9dcf090ed0cf68bef79ac79084c63ccfd0bcc19f4270 |
C:\Users\Admin\AppData\Local\Temp\JUswYIsw.bat
| MD5 | 3f4cda226c7ae7470fb137b58afe8c26 |
| SHA1 | 9a95bd92417705da78a422a7112603ef9819a8c2 |
| SHA256 | 1cd0448e84812e012407829317134afc0a321f6fe3b10a775ff27806e99112f0 |
| SHA512 | 81f0d9fffc1e6a891f52c05e3e3dbe458de9ca405cb740bccebf53308989bbea691c12afa55a04d58460ae2c8a0c292d2c585bc4d5f6bcb705d0a78ca1be6332 |
memory/1472-959-0x0000000000400000-0x00000000004BF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\uogi.exe
| MD5 | 0f6b65746a08b05a5f75fd3e7cb8debd |
| SHA1 | 5b469df88ffdd3e369581bc8ddc772e57eb72728 |
| SHA256 | 2717db09fe4d0889a2cf060f7f2e2693f1a895d077ddb2efedd24c6aa953f022 |
| SHA512 | bfb9e5110f8307db9e6c3a42b49b3e0f955eae44f1c9831c189d2649385df17946e7485229ea42293b06ab03f72687ea68268792cddadb816703859bada876c9 |
C:\Users\Admin\AppData\Local\Temp\GooEYgMM.bat
| MD5 | a343ad5902303a96ce9bc305c8f98212 |
| SHA1 | 12f9c7952def1edeb45561a7d32fa947c6e37f5a |
| SHA256 | 1f272ce9f451c5976ccb01f2f3551dc6d4b195a1a80122946d67186d371f9027 |
| SHA512 | f95eba81a0812088e95afdc1e5644aecf23c9fd657fd2c295b7f4a9371d5c560ad7d9a51dd507b215d6e5fb2bed6b1bd21a084f17e3c50d302309864df181d89 |
C:\Users\Admin\AppData\Local\Temp\mUws.exe
| MD5 | efbcf1b7b19e98dfbf234ed1965ea23e |
| SHA1 | b070a59d76b3df107a3c9a0b94a219adf358bf61 |
| SHA256 | bb14cb904c68e3c0e952da0713b3f0340ddf55d50bc2daab5674478d018827e7 |
| SHA512 | fe4bc5349e56f4111c2313813e86850275fa4a3b7dd4d765a144b9bf464f91c12e666e2d4c4b77329b5bf3347599b6526a4084ad52b49b1c8ff1681aae43f27f |
memory/2840-886-0x0000000002010000-0x00000000020CF000-memory.dmp
memory/3020-885-0x0000000000400000-0x00000000004BF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\WAAQ.exe
| MD5 | d3304e14268101bd5654f293a22ce4f6 |
| SHA1 | 649acb108e1c3c6fc3de96ff4fd869d70600ba90 |
| SHA256 | 37b60ec98dd7556fa301440ee984c0812d4b962a590e4c2b56df46b3cbf1546b |
| SHA512 | da94b31beea24bf01bd5aba09b38e3e605c2238fbacf49beaa30e20f50e906561e62741d03262f3347e6803c473b8d69a2e9d3fc8d95d3ba6a9aa612e703e4ae |
C:\Users\Admin\AppData\Local\Temp\iYkk.exe
| MD5 | 099844682cd6bbe9ee874bbf4667f0fa |
| SHA1 | 3e238d8039986783b9378bcdc4bdb4dbd3933089 |
| SHA256 | 4a14e4e8237915dcc85ae5017ebffcff35cce477089c2a8d74f2dcd1575a7af4 |
| SHA512 | 605aace76c4cc3b1a0f14d07cf63274bc4a82b61a46fd2111a5540650ab5cd6a31298e2c0d80d2f2bf019f607873d4261f2d50b342d54d47e5b2e31a980195d4 |
memory/1796-770-0x0000000000400000-0x00000000004BF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sowe.exe
| MD5 | 5d0bcea31bf9a3d026fc826c4bc4c112 |
| SHA1 | 5cfa474829c2d4f67c865ba8d1cff8d23e6d4d7a |
| SHA256 | da40fe07034afd99fcc68d317a868a74035ca8d2755956c2a9187f65ba44c247 |
| SHA512 | 91c5f96b5276a9046637f7070115da673dfa2200209089dc8ca980560b5da84c205d6afcd68dbd0f4260976449195c2eeaecefc4b0a037347f342b73143fcd24 |
memory/2332-749-0x0000000000400000-0x00000000004BF000-memory.dmp
memory/1572-746-0x0000000000410000-0x00000000004CF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\OYMwkAkk.bat
| MD5 | bab2017b1d26c7466fcf1e35e250c099 |
| SHA1 | d5f57ac6d54f7daa536138e4298478ea9e6aaed1 |
| SHA256 | 1f231015a01c1839bda321bf4abb6873c254b9dff4ce10b1742323bbb0d2b92c |
| SHA512 | 60830633742548bde33e467a2ac60a87eae06e9e2b6b1749903af523c6dd9c27bc2eae894f045d9c611db8c75b7a88d6fd37dbf590cd521a1b648609d13f28a8 |
C:\Users\Admin\AppData\Local\Temp\okAm.exe
| MD5 | a8613dda6b77fa30183a2800a8b2f8b7 |
| SHA1 | 62c4749260dd026b046b768cd788a4abf9845f03 |
| SHA256 | f8e74615928e02dd32a1ab428e4e4192c139542775f5ecd082c4e4adc82e3dfe |
| SHA512 | 36630fef699321784ff839c5d8ad2cc6b90a3e562ad6c1e03c88530b4f207dac50d0cbb90cd878b54e63ceb6bd708c7a51d724498813ecafd285e2aac8dd9c50 |
memory/2064-694-0x0000000000400000-0x00000000004BF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\YoQa.exe
| MD5 | ae9d6fcf77c4a8c2e76f00c3ce74c565 |
| SHA1 | 01da840be7242bb6f285fcfb6129c55f65878a68 |
| SHA256 | a78a11ea76731421bf185c05f2f23da8c23c32d920ffe277fa9c9e268482aa9b |
| SHA512 | fa9362dd36771eed5d9da58f1663650c33ce8191d92889ab6af5ed8e59373ae0e28bc5d95708c789154643c1e11cf73e2aac174b23e42390fa62726331c0472e |
C:\Users\Admin\AppData\Local\Temp\EMQm.exe
| MD5 | b0ab8eb6fc7c866b2d881ff922d81a58 |
| SHA1 | c9ddc555ec256062a8aaa3dc95644be13cc729d4 |
| SHA256 | 318368dd6b3a26a5ade6e13ab3fae00e97608ccec0124d09a2061ea015ebb74e |
| SHA512 | 5492eaef4454e418de94e161822079de6c98f3af4cf1c4d4b8e455e93053b64fc9450123148e5a0d0851f6ecd167eee239664e80fd916750c14ad7cf289a89d0 |
memory/1276-624-0x0000000000400000-0x00000000004BF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\mkMy.exe
| MD5 | 406704d81e69027d4c9de2ebeddf4f8c |
| SHA1 | 8d2ef79169ffb51be4d77d5f7fbd3135bbced6a0 |
| SHA256 | 285d1438e34612361e962de2642f31e68b7a22b24874e174f3650763dfb46027 |
| SHA512 | ff66a3396a31a14426fe0dc90db7377e4b022c8cfa7ff53b0c869397551c31bc85ccf29e5a8d986f9f5e57c94a9a769cbca19c7ad971f9497ddc42856de10615 |
C:\Users\Admin\AppData\Local\Temp\IIoA.exe
| MD5 | 6f399f60154743b60fc132522dadfc29 |
| SHA1 | 46df8029b2a66a615dfa44e5d3f9eaa4f48aad48 |
| SHA256 | 7afdbd504280c7a7c77e357f52bd3ffdaceff281376ca8457f1398c264fb47d6 |
| SHA512 | b31a2099d27e1d102a35a9e79261ce5c840619ea6293531926654c1cba8c98c7dd3caa4d1f42bf2cef462c04c0cb92f231d2c561f19a54099964ece0a170d6ac |
C:\Users\Admin\AppData\Local\Temp\aEgI.exe
| MD5 | 142b5c95f6a2a0156e4548326e794093 |
| SHA1 | b0d5b0978e558cb58c14046ebaefd7494101aafe |
| SHA256 | 22c5b851a777759096de1a57e7292d7ba2023689805114bf08c432f47648344f |
| SHA512 | 64c93fb6256a5373e4b6b1054e0b9c22220b105fa5e907b8b9db8588302b236d53a976e8567dc89ba6dc685174c1ded26d3a9a86a047257eeb8a595af2e78edb |
C:\Users\Admin\AppData\Local\Temp\uYYc.exe
| MD5 | 7def6c4ad65cc3db7939e937ea621b58 |
| SHA1 | 5ca4a777201c5d71942d6113dea3446cf98f3ffb |
| SHA256 | b96c6821a7d950cd04c39965498aa74dcafb1d3fa311e9e2fbea7e5e67c0fac2 |
| SHA512 | c67f71bec9b0025898096729d9735fe7a5dba4d04202cf00a9a8d5a5be91276f76139cbedd0efdd186158443aba5fea4c2162d1a465dc7f6546f4fdbb02a46bc |
C:\Users\Admin\AppData\Local\Temp\QUgi.exe
| MD5 | ea5f41defa2636e12a7e139773ba8d9c |
| SHA1 | 79efdb9ff4b7b84615691fe46c2abe517a6512ac |
| SHA256 | d4c6d7be8efc854f6d297d7e0eb362a15b726a93383d6893d62c56557e10f4aa |
| SHA512 | dd5ec85039508ab0e50b1e0f0272dfde436e25766dc5234726f4fd414d58b25ba8ab7e744c79b9c75a2b9367b0bdbd56d8be0812d82a134ba4f9ded0124550c9 |
C:\Users\Admin\AppData\Local\Temp\aQUE.exe
| MD5 | 6f4787a6f387e909059e1de1ac88105f |
| SHA1 | 20db53e1d42ac429b33ba75e5c9a6ac83f00167b |
| SHA256 | 3ea9eb5a7fa38fa35b45fab4418433a7d64523be4db71d7227d6093ed6fe6c07 |
| SHA512 | 0abd91af5e00d96361c7d7d85298d1eb659f47af26ec1de11dadadda7c44d4194926682e5ec5405b1aa15d00d95232236a4505a6801066067a35557a4099dec5 |
memory/2472-421-0x0000000002040000-0x00000000020FF000-memory.dmp
memory/2472-412-0x0000000002040000-0x00000000020FF000-memory.dmp
memory/1712-411-0x0000000000400000-0x00000000004BF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\mMsm.exe
| MD5 | 9844ee9fe272b64768b3ba7fff0bc870 |
| SHA1 | 76fc3e81c89c37950ae928b6c24dbc7e67f6b2fc |
| SHA256 | be29bce9b6597d0e2911cfa8e579c606c43a511d805cccd7d60d15ff7f74838b |
| SHA512 | 12524d8f2ee3e0eae500ac4a1d6132fdc66b6040ad1cbcd5e1170505c15d61763f8e6e9cdccd0754942e90e9684d6a7427a339c934ebb82ae639e1c7695957cb |
C:\Users\Admin\AppData\Local\Temp\McsY.ico
| MD5 | 47a169535b738bd50344df196735e258 |
| SHA1 | 23b4c8041b83f0374554191d543fdce6890f4723 |
| SHA256 | ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf |
| SHA512 | ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7 |
C:\Users\Admin\AppData\Local\Temp\pwwQcQEw.bat
| MD5 | 13894ed12bb20fed617a78cfedacc584 |
| SHA1 | 24be6ba6812c4cee262b4f0800e905d8d6f9ecef |
| SHA256 | 60b05e9892214dbc787d8e01fe2e662a03e983774fb722c7e88e6f0c95fe44e3 |
| SHA512 | 70b4e16ed7611b2cb6fed332e9b6af89b705793cc07e074c183269d8a04cc8f969b6cf25b63db9419a35c16c8838417ffa4b2de499735eb85e3aad3c1b525b46 |
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe
| MD5 | 4d92f518527353c0db88a70fddcfd390 |
| SHA1 | c4baffc19e7d1f0e0ebf73bab86a491c1d152f98 |
| SHA256 | 97e6f3fc1a9163f10b6502509d55bf75ee893967fb35f318954797e8ab4d4d9c |
| SHA512 | 05a8136ccc45ef73cd5c70ee0ef204d9d2b48b950e938494b6d1a61dfba37527c9600382321d1c031dc74e4cf3e16f001ae0f8cd64d76d765f5509ce8dc76452 |
memory/2684-310-0x0000000000400000-0x00000000004BF000-memory.dmp
memory/2884-309-0x0000000001F70000-0x000000000202F000-memory.dmp
memory/2884-308-0x0000000001F70000-0x000000000202F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\wcAU.exe
| MD5 | 056d3ce342072e4ce85811c46390a0ac |
| SHA1 | 555bb55edfb3d8e4c9fcb6cf9cf70c0cab37fc19 |
| SHA256 | fcc4988d05a1a5b0805dfcd2ddd43b1881e35ec9abe2c6efe7d9418830cf7840 |
| SHA512 | 012b8988207c88db7b93325c3f2ebebc58c2b7a3938a9297e829f673086010b4d31f621f250013b9dd94345b4ae973a021f2f21989d32abc7f8fa74f2bcf1fb4 |
C:\Users\Admin\AppData\Local\Temp\wckMQokg.bat
| MD5 | 00d1a443dc4ac3d42f47d4d909de0c4a |
| SHA1 | 057cb7d0741ac7ade5d5275b9897f58a4ec01277 |
| SHA256 | 40dac5a7ef87c6ac11c012e2ae4c1fca293fecb6bf1c5eaab0a45473b980b1f9 |
| SHA512 | 6111e7fba6e8ac2876a62be5620797527c099e3a5dbfa73a5d803dea26102347e38518e2d4bd3d69270a744bebce693752e959fe610a04f3c7c04f041ae72f55 |
memory/1504-287-0x0000000000400000-0x00000000004BF000-memory.dmp
memory/2516-278-0x0000000001FE0000-0x000000000209F000-memory.dmp
memory/2040-263-0x0000000000210000-0x00000000002CF000-memory.dmp
memory/2040-262-0x0000000000210000-0x00000000002CF000-memory.dmp
memory/2044-261-0x0000000000400000-0x00000000004BF000-memory.dmp
memory/588-240-0x0000000000400000-0x00000000004BF000-memory.dmp
memory/904-231-0x00000000020C0000-0x000000000217F000-memory.dmp
memory/648-215-0x0000000000400000-0x00000000004BF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\KIwQEYwg.bat
| MD5 | de0ed508b1744d3e7511acfaae5712f2 |
| SHA1 | 2853d6ce6dec3ad396b23c7820605e6978b8d724 |
| SHA256 | 03e5aa055604d4e00fa014e867fea5315ebddfd4a45c045ad682db6350135ddb |
| SHA512 | 1bde2f2b1a52cd5b4a2e43f30fc51a5401764f03ceb1dd4dd1d21b198146cbe0ebe9e023b946a8d84cdbaee30a09a986ffdb61d6929cd3ffe7215c7bdde6c849 |
memory/648-186-0x0000000000400000-0x00000000004BF000-memory.dmp
memory/1296-184-0x0000000000260000-0x000000000031F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\kAcE.exe
| MD5 | 01f095fa0c92a80760b6be69120cd1d7 |
| SHA1 | b1aff18c15a9e4ceb6b9ef42930619cbadb0c82d |
| SHA256 | 598eba58ab67ede305b14cb6ef7719d220068627f43f540c0c12cd97557e281f |
| SHA512 | cfc5a27469cfb9858c5e1c01349a94ee831b9a6c88beb233862b2e0b2f0c3d4dc181f937d9d2eaa6c86e8639c98ef812907ae17d84db7f2e8053e4eaf636045d |
memory/2600-162-0x0000000000400000-0x00000000004BF000-memory.dmp
memory/1636-129-0x0000000000400000-0x00000000004BF000-memory.dmp
memory/1636-100-0x0000000000400000-0x00000000004BF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\EEQA.exe
| MD5 | 0212a0fe538b8cdfce7b314f496a83bd |
| SHA1 | 65920a4b9d98697b77693b98fcc3e63e27607bf8 |
| SHA256 | 5d057842bb56a5eff4e193997ccfd7bbeb11a9e1b396e9b18a2fa4c176436acd |
| SHA512 | 5e09c0e6c0d58e36c3de05945deed6e634f02052e2531eaef813eeb89140e252821b7d02f4ba9954ce636d387a1a0c272d405014f7eaa3243fcddfc2a93c039b |
C:\Users\Admin\AppData\Local\Temp\uQIO.exe
| MD5 | 4f477bc1bdb0c462c458ba63bfdb20d2 |
| SHA1 | 0a395c4f03bed8a0cbd269025aa2f4136f9b45b0 |
| SHA256 | 5bb552bae81ab3fb3225be442397ad0edcd78cf8c3367172d606d54f9d4c732c |
| SHA512 | fb450ceed04a945e2f744854926161fac64195a4492f532caf6dda6d670102710bfaa2260e47c0f1f9c9486e2bf40ba3a3a4be87b78fca893a7d7a012a4fc996 |
C:\Users\Admin\AppData\Local\Temp\cWMkIksI.bat
| MD5 | 8a699e9ed8795591e4a686d67d5428d3 |
| SHA1 | c4553a2058b91086eee337bf22efed7cc1b17757 |
| SHA256 | 8657c885accd863513b926a2ffa9bf5361533e887e72f39e4526a37312da24e7 |
| SHA512 | 5a6921c013a5ade9803104b1ec1491b04549a8d92ee98fbe20ec6b2f9677e2bc68b7a9c473f3933838ad7200348c40f4d2124bc6dc3a2baefc0fdf5af4e9b347 |
C:\Users\Admin\AppData\Local\Temp\wcoY.exe
| MD5 | 0d0688f9a395a1a3efccc3a2165d77ab |
| SHA1 | f03a8e15f6974f8e3b4b43a9754f4f7d9be59e28 |
| SHA256 | dc99ed5f2b5bde87ea30b820c9975f042a7ab1d772d5c03ce493bf94d5854d69 |
| SHA512 | f86fea33b3279c72606c9211d73188aab1e5b4e5f9f71a067b11023d91cdb924920663561f01244de16d73868a8902c39491b866edcd3cd99eb504c9a18b08ab |
C:\Users\Admin\AppData\Local\Temp\mMgw.exe
| MD5 | 284653c1ee3b1443139757aac532a582 |
| SHA1 | 328478e8b8a26993df1a6755896777356556f955 |
| SHA256 | a7480244d540841c98a48d09daea58fd3ff6edffd59892caf02e489c56a33469 |
| SHA512 | 988eee104cb17fc41cfeb4caa2960986e76e31cb40972dd44b87a03dd2fbce2f24c5776bbb82dadb34f203e3039a85028ff4d7d9f6d6828712b998be1c7632ed |
C:\Users\Admin\AppData\Local\Temp\qyoYsUEc.bat
| MD5 | 748251753194699d1d1991368da0a592 |
| SHA1 | 57b89faf87767bd0f70c1f69ab7b973393a0a33e |
| SHA256 | 44641568e6c984c25e1fc25fbdf9a077f27569713cc2af8ccccb265cbe9befed |
| SHA512 | 919e320a409eb84c96bfdced6413af500936dc1543217df7494b49920ec3422c5610c92bcf62ea9da6d38238924f727f9bed748f11673dda2cc48ba6b6d80577 |
C:\Users\Admin\AppData\Local\Temp\asoo.exe
| MD5 | 0e401242c7b10f799762dac38f4611c6 |
| SHA1 | fd2eb671990ef7557d6e19f1482dca683488014d |
| SHA256 | 4adbefc495994b66df146fcc0bc12bd5338c06ec32e283ea4b7ec9d29ef44e77 |
| SHA512 | 16232eb3705a2324aca4e70afce3bcf61f1199f45d346a09c8f8a2c9bd08ceaef7721a8d8fb892c23422c4c2c9c20aa4dbfb77823f0e37a5c8cee9a66bcf49bf |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile27.bmp.exe
| MD5 | 6c0e83e5bae56c1215244bd9521a92a9 |
| SHA1 | 3627493b5ef1aa9a145e63b62e9f0eb6cbccfaab |
| SHA256 | b0e3531e41c2b2dd40fe2a2003712613ec470a2d640d6f1356f4d24f1194cc3d |
| SHA512 | 1942184a81c01ce983468d4376767bd98a02ba5692dca92099505b2cdada3215ba32f0f7f2c7c90a5cbd8614671e8cf4de0f93b627ddf46fc71aeb0173bdfaed |
C:\Users\Admin\AppData\Local\Temp\QUoa.exe
| MD5 | 90c3e0685e6a78968424e90475f589e8 |
| SHA1 | a0372bab3a5827ef5b4a295132b2a05f1ff26d29 |
| SHA256 | 846fe7fe4cc822efa329b50d6d8a9c3e33a4da8ea68dec16be4e59b02c7b2b3e |
| SHA512 | 7de341e71d776da44a50352f2606b03702228503e7bf02ddfdf6422452b34a96f1ab888548a1c7ed77e58f673f358432aa0c9039621925c3d36234a0a104ffe1 |
C:\Users\Admin\AppData\Local\Temp\RQQEcMIM.bat
| MD5 | 7c7af988847247ffe739a4947e7ba033 |
| SHA1 | fd44a8d48d4d31b3587160e41fe5785cf6412c8e |
| SHA256 | 67e3d846766de86222d05c7d91462578ceebfd4157ce381a6495e403a639ba3c |
| SHA512 | 67af3f43e81aaf3c3663bd2781422a34b9c3c28d23c6c669397954b9395b863404d726c7796ffb3b4143cf5389e7052081e6f2e1a8e591fc3db0e67df1a556a3 |
C:\Users\Admin\AppData\Local\Temp\mwgg.exe
| MD5 | 7e1668381afdcf11db8993beb355b031 |
| SHA1 | e09e3f0295f06341262b552dae8fe20147ecc732 |
| SHA256 | 7cba6d0508873a17aa8f54f8d7bd9bde7f2941e0543249a8e680a0cba35f6386 |
| SHA512 | 5f56c30ea8118e944560f43d48d24013f465262c44560f83efd23e4816499b79326e37254fc422954969212339495fdecc7c0d20ca31eecd3a244a735b00b667 |
C:\Users\Admin\AppData\Local\Temp\uEow.exe
| MD5 | 4244c52872ae889fe57547ffafcb9a79 |
| SHA1 | 093c2f928b61ef434cc1c364f78d67c5a9251b15 |
| SHA256 | ec9fdde7911e486e43ad21559ae37304f96eda9e6bbf509def6a63974428672b |
| SHA512 | cf4d65eb3c0b0b75cf548483d3293ee86cbc7c31c21c08041e461ec8d889fc00521fc702ca95c7315a49eb35deff81089acdeaa466b8d8613895f71907f8aeef |
C:\Users\Admin\AppData\Local\Temp\OkoE.exe
| MD5 | 00667d55c0e5d11694da8c06d89e2513 |
| SHA1 | ff3f95397cbd36dfa75746e1febf04e049eea6ed |
| SHA256 | 7cdd3672849307d108c2da6cb6285236e38106c582b792cdd6e82358ee905ef2 |
| SHA512 | 10d989f8c7854d67bfb24a118077d18fe395bc4bc1e644474511ccc403279d1864375348b46774e21ee9775fb3eeca2903f47f07479dfc358bc93708662a7df5 |
C:\Users\Admin\AppData\Local\Temp\pEwIUwkE.bat
| MD5 | 55ee243ee3d45790bd1d4d680f281357 |
| SHA1 | cd6b7d4701db0b1ed8a8494d9abe52d9571637fd |
| SHA256 | e4703da3ec9efd8e19be01e9811b1a397cfd61d46ec0dd51284d4ccdd22f34a6 |
| SHA512 | f1bda06442c455606b0b5cd1765a0571e9c87bccda3ab978a2acfe9373022e09e3c01e593a62130544f28c39e85c361b3657591129228e42abd3852013bde4dd |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile32.bmp.exe
| MD5 | 535e96b56d59f60986fe3b09886b82ac |
| SHA1 | 86987d61efc3178a015cadbc205e4c9db2a7954e |
| SHA256 | 6261853059ec71865a356602ee0126f3ef91a323627441ce556d8297b0cac566 |
| SHA512 | 4b57a3f6e5037a80fb4e3763248d5a3923d3d63fabd74f2d0a88c31af8db5df425ad1e7ea2e71c7f772ce3c6d94ca8d3a97d97e5b39e170bfd87cb448336b1a2 |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile33.bmp.exe
| MD5 | 686af73893586c574618d8967170505f |
| SHA1 | bc0f82203ab0087c0379917dd3370b739024f8b2 |
| SHA256 | 425618d8035cedcba34acbc87f2b22421f357e9e4dd952087fbad2b01df50bc0 |
| SHA512 | 30c39720de32eb783a0803e11ccf8222313b4a5a792d489f12ace55de4b83a3ecdd874b3badf61a9f4072c0c991a56085086fb9e2d4896060f5a5ba8620dc183 |
C:\Users\Admin\AppData\Local\Temp\SMgI.exe
| MD5 | 3fc51d3a764ff3426482bef600a3dc28 |
| SHA1 | 390f9b8c7c8980db5660ff1a07cfcb9d69a36264 |
| SHA256 | 1616c02e9d7dd456a113d53bbec14c76397aef6225323d0fbcdb755e57e5e5fc |
| SHA512 | 9ccef2569bcd7b849cffd6291a1a5b3e27cdd42393cc5c53e263422f88f810f035496e5941926b388cc444cfb224b98653ae21dbfe58dd0675c790ce3e1fe3e3 |
C:\Users\Admin\AppData\Local\Temp\FogMskQE.bat
| MD5 | 0fa16c5172ee87160eaa8a79330c4acb |
| SHA1 | 79f0a161ece867b5414bdca420da179d7d6d2d8e |
| SHA256 | 06363001066222d87147e30b46ac97631d341c5a4553023eb2c38e59f7a855e6 |
| SHA512 | 292047ea2b4d3f70b2bd9d8c0a680a22972dc7e52489a2d254cbc6f349e2451a70a5fa0284f368a3cbf4d475ec9014a02bb4c81126ddf7851434eeda52552c7b |
C:\Users\Admin\AppData\Local\Temp\EckO.exe
| MD5 | 3c1698eda053a985d97b8d3cd894f0cd |
| SHA1 | cdb0c56fda0966a7843c8ae042b365b7b9e5098b |
| SHA256 | f87ac0f944e707122e43ce8f3fd02c53ab3abe6310189f8d9e33eb54e6839a30 |
| SHA512 | cc812ee88d7028904952cf2ac9d3282e7dfb41f83d5c865459d8517677249a8b85a371e1893eeeb0e6c7d90190e35be302cfa862f3f7385a7b510413f5131745 |
C:\Users\Admin\AppData\Local\Temp\ogQY.exe
| MD5 | 396bc819661f7dfcad198b2b31b6bd3b |
| SHA1 | 5cb8e90ef0bf44d99ed2529e010e24df00f7f147 |
| SHA256 | 53e336774b4bb588261c740e2d4e7b26cc04b3d4552cbe1147f4cddcfe33f2a4 |
| SHA512 | e8aa31312838933c7ec9bb282cfb3ec776f166a5cf1fdccf64a6b1e67c4beda379daa2ded5921d069a946e2af8a25fe41aed61b8ef96afd5af7e1842725a6206 |
C:\Users\Admin\AppData\Local\Temp\XqkwUAkM.bat
| MD5 | f9a3d5e9ddd0775f5ac228c63dbffad1 |
| SHA1 | 36834714dafa534db2ceb8598e8b87b5d5bcf0f4 |
| SHA256 | 784af9f05c0e00ffd1a58d675c7ebc9c73d1a50d2d7d8ec712628912c159d763 |
| SHA512 | a72a94f7ea1d829c92e4a90a4c80e26be6884d6cd8f6e6e92346779609e0ec06e23837386067382468e3c10b09f5e95d279e5c4865f31091c8a4e464b134207f |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile37.bmp.exe
| MD5 | 57b0df69304e8bd958478819a1c9f4d5 |
| SHA1 | f4a1461fb858a19bf8903f5e7d75d52cbd4b1130 |
| SHA256 | ad93b1dcacbaa37572e953857ec1bad07e3c3f167505d32a8fcedd6fbaec0158 |
| SHA512 | f02ca072e04d6bb21d985430e1ea2fc06c7cb7417afa3a762c28a2ebe4e3761bcb7b107f1888c09b0ed779cd741d1d6ee1195a8a2a7c0d352e11b83d81c98167 |
C:\Users\Admin\AppData\Local\Temp\KwEa.exe
| MD5 | 44971cb3ed05945909985bed96be9138 |
| SHA1 | 5d067bf613df1e2e715c340ec62ece7cd043db0d |
| SHA256 | e20ec7440a0c1e46990822794182099186c0a51e06545b48bcddbd746f9fdf0f |
| SHA512 | d050fea401035129617caec6f303b057099fffaab155a8bf4b83c9dcc5c7726070ee6514fd3a39d63d58d9a030e0c03b2fff701302a661a4d6a14e26e2c8197a |
C:\Users\Admin\AppData\Local\Temp\GowK.exe
| MD5 | eaaff65c32cfe4f0e35092fd980af6e3 |
| SHA1 | e7818378fbe325fcd17c476f10f0fe7210d66015 |
| SHA256 | 944fc51c46e9a120532d40802b08f695979fa8633fde2f5d76af445d4aeac6f0 |
| SHA512 | 43ad9537b2b241d004c91af1df23083c79e2337507d07b2fa50ddd4bc9be18d31f8a0b30cecc0f6c9595450a3008829d20356dfd35c2591c7ffc0a8ddda0163c |
C:\Users\Admin\AppData\Local\Temp\zKcIAgAM.bat
| MD5 | 0933e5dc022243b8a07fc6b2a34c0612 |
| SHA1 | f6c4e1ca21fc775b82958f745bd172cb89686df8 |
| SHA256 | cfdb2fe767d53877f66f5a37b4154ea597c8244496ad48d224d5f4b7a31dbba3 |
| SHA512 | 2b353b84ccda4e348dfd8c06ec2ed1fc395f84888a16ed64b968d2ce1be6fe97a38f0d38fd50ef73db7750a80276e029240cccd5ae01ec536e99ec63a3203e29 |
C:\Users\Admin\AppData\Local\Temp\osUe.exe
| MD5 | 898941a56bad3e324e4cb1324ee2cb17 |
| SHA1 | 04a09def5ad66dfb55bcbb38fe4822f8ae68f469 |
| SHA256 | 1af865d25adc90b06eb6ac2cfb4333df9985f3e095e69dbf65a757b46e8b9375 |
| SHA512 | 426828bbfa8679bbcb950a0ff7da213dd555f60c6c278d0cf571392fbef1ebc6c3b51199c761d0e0cf4b1515dd69de6efac3577cfc29780ad7d12f9f72210df7 |
C:\Users\Admin\AppData\Local\Temp\kYwU.exe
| MD5 | be3933fd59b42f2bd72d2514ddb5d010 |
| SHA1 | 2fa21a48e7c104b150807a2d355c64662f8ab673 |
| SHA256 | a7ab168425f5e7d3ae0eb6314243deb914381ae3e3f5b1dc681874e880ad1e3c |
| SHA512 | 5a15d1d377c37cdbbe432b215b3858ebec50a507561e98a9d91a8f0ac30dd19217077e25c4487f037b1a9852c29dff4d243346bcdc9dcf95c55ca5a988306099 |
C:\Users\Admin\AppData\Local\Temp\vWUMQgsM.bat
| MD5 | 626268cef0865bfce17ff2fccff267a9 |
| SHA1 | 4d7e2b5614e7d40a60f1669dc23fdd0a96a52d19 |
| SHA256 | c31a487afe4e4941e82e1d56a79ec861b17d70a1fa8d086b3908d203d94c70fa |
| SHA512 | 1b2cb48130735645c92471f27542eba365b6bb5627c7d7308b749514b26f6d6ebd7ba8cf3abcb385ab8e2b8bdaa7757a47639fdbe37eba5ea3b990d2c90e8975 |
C:\Users\Admin\AppData\Local\Temp\gAIs.exe
| MD5 | 6e23a4a239b38a8e7cc1dad932ede76c |
| SHA1 | c61f5f94f9aba42f4e2d6ae6da085fb38f2babad |
| SHA256 | 4894ab2fb5d0c85b7e051fd936b082f54eb5fb1cf49d44b0842fdb5b6bc382dd |
| SHA512 | b1916305bd0147e0c8f4bc28d7ffcfc92ff147d8d0385e5d5df24f592948f4c3dc13c30338122536ce1b9006d657da19accee240153906e0ed63c8d25a84d70b |
C:\Users\Admin\AppData\Local\Temp\UUEO.exe
| MD5 | f10f858ba7091cf803f271d371cbe796 |
| SHA1 | 8f4d631360fcabdb811740f4a704e2b3d6b49109 |
| SHA256 | f745559c50644b5b33bf37b28888129f63bfaa870e4b4f53645e7a4b85b757ff |
| SHA512 | aec6413bbd40387fb877af368204475a93c94caa924b9305448e818ec341a6140aba0723a62c0c9be738f27815e10e73f27e538417951d65c06ed7cc5eae20c9 |
C:\Users\Admin\AppData\Local\Temp\QQQo.exe
| MD5 | 5cb58fdb9a9535fecd05da44abda3ecb |
| SHA1 | 64741b6ee0238f8a22f2f840efee74c4cdd233e4 |
| SHA256 | 73319a42c5fc5a6ce12ee9039d8471df03df7cee5fbb2358177634b5db509b4b |
| SHA512 | 511940dda9cc7f4108530063c40109d4116ab31d447e9fec4ca70e106fe0eb1864f592e69fb552f80b8be461d8f4746c11714a7490a4fbbc5b2b20d2002b199a |
C:\Users\Admin\AppData\Local\Temp\YmsYcUsw.bat
| MD5 | f0ce7c4622d2eaebca202d9708736946 |
| SHA1 | ac92f9ba503b2e4a026a13d5313928f673463973 |
| SHA256 | 72eae5261d3ee619e690d26cdb86b8b089ad1de871292061fd1c0d2cbdb60328 |
| SHA512 | 05c2a11c888557ddc9bddce5d60eede23715793ee91ea274c409685fd5001783e8d530558948ba4568c1d3472a2315774a065daf8d272ad7f1fd04c3d50785fc |
C:\Users\Admin\AppData\Local\Temp\oYYsgkIg.bat
| MD5 | 5982982c5d077c960d1859f397cf4f71 |
| SHA1 | cf34d73ca8004210924e33783be7b5977c8865ea |
| SHA256 | c107b96b32f9e4d0b3cfef66237539978cf181d961ebeabadcdaead347c0558d |
| SHA512 | 519d2791c72a3f1d12bc48fd7e3cbc808c155fe8f6ef9db671bebd9c74c144b821da98a573888a41cd7ab0c8f08044589486ad0fd1c0d2fc6ac61ea359bf258f |
C:\Users\Admin\AppData\Local\Temp\GkcS.exe
| MD5 | 6b681186095c5832365f171d1d22088a |
| SHA1 | 62826f5dc306f66b8b800a6b16ac4e7e9369eb2a |
| SHA256 | 3eaa4de005f9a02b7929822489734faad72363770a2bdb16d5e68b1c6186676c |
| SHA512 | 05c3240dc6c71aa7bc4ef480e8531ef086f45df67915a0a5a76e6ef8c1fe3851955592d5543d800e359daa5cdd0d56c06ff0769eb9808ce609d7e93b8376571b |
C:\Users\Admin\AppData\Local\Temp\YuQAgkgg.bat
| MD5 | c0c862e331b6173a4dcce4a8df181100 |
| SHA1 | 386d8686c37e458964b55b07c69fc4c3a8fcfe13 |
| SHA256 | d2370c2c7563b053e44666e01bf878e685fb6b87f346c37fea2685001e59ae0b |
| SHA512 | 1a0f666a86753d1a4808839d65379733194bc7f0d43c1b913f4703aa8b24201c02a13657b8559bf66cda859b1c039ee145a192a6e36b27f11fa50065510ec931 |
C:\Users\Admin\AppData\Local\Temp\AoIs.exe
| MD5 | 80930f5fe3caeeb6a355e9aaabdc9507 |
| SHA1 | 20fa874f236e09db384d3ecb833c69d0ed6c8190 |
| SHA256 | c0df93efc57f142c7713cfb6befb025322ad916441efb6c4cda770b8679a946c |
| SHA512 | 03f1953f5c1d2f6fdc2a7ff06c078c2f77fece7264641f011deb242ceefb7478d64e720de656a3c043dd3389e339df596cbc8580d8e19c446bbaeca662e90afb |
C:\Users\Admin\AppData\Local\Temp\AcIg.exe
| MD5 | b52b1cc31e3e181d6394cd42bfa2f9eb |
| SHA1 | 8ef26ba4ec78fa5f32a1e92d83378334941ce794 |
| SHA256 | f2216294c6e7ee4aa08dce03b16485e5e732e6248d3fe534eb2367817ffa6434 |
| SHA512 | 1f438a60c69bcb5ba465fbc4a81f79cb755cfec4083d86d865c827b9c014b45d4e20b820941fd1c05174e7dbd53b865b3b975d019bd1081c47838e6eada1cd40 |
C:\Users\Admin\AppData\Local\Temp\McYkYcsE.bat
| MD5 | 188d654b34dd410c1e05edd322e70295 |
| SHA1 | 2c819f05468f9bd6df611493d690e96ed55b073f |
| SHA256 | f9f8744de1ffb14c5559666084f2510b8e99cfb26d06248cc734f4b5d097170c |
| SHA512 | ca3faefdc4dfec3bcb1d4006231147818528a27c8796b0ddf24cc99d6c7cc36893118f2cf4d1dbb127c5deba2d4e72350e3b48fffc00968296dd4f9cf9ea663c |
C:\Users\Admin\AppData\Local\Temp\mUgq.exe
| MD5 | aa633bbf5f4abf4acab6b5123080ca6b |
| SHA1 | 634110a945c66c607bd79025fe89dd54f2cc77c9 |
| SHA256 | df0adecf22aed76cca7bc6dcf4b41b3965059b5487688e5c6a77fe8e80528578 |
| SHA512 | e64562f5ac16f76fb4a03d2fad02fb4b1ea3b12ad3bce3082e5d222832e29dc313486de52bfbb6ea505e74f58a98ca2d7338fa37412657ced8261ccc33145cbf |
C:\Users\Admin\AppData\Local\Temp\mIgc.exe
| MD5 | c5b493ce281d0d2a62b7c191ab9a398e |
| SHA1 | 1e9fe0768d847c8fddbbd4b3880b0db83eccacee |
| SHA256 | 821b5ad22d884d282003d02be0ad334488a39d436f0936f5c6332faaa0781bd1 |
| SHA512 | 37671330cfbab93d0d847c53f2da28bffcf4801f4a03368c2aa5845aeb59f166eaa503911e548f8e9e4df43230e5e769fa0537190ce4330be4ea2386afdcaed5 |
C:\Users\Admin\AppData\Local\Temp\kYgk.exe
| MD5 | 65c46bd3c219af42c0e61dbe34e26554 |
| SHA1 | 0777f590b7842d834fe4edf18e8ff8d1129ff52c |
| SHA256 | edb409146e3488491e0e42b4cc5f45b5ff2ae0272a0fc9de5259c5f6bc06f718 |
| SHA512 | 73cb1f2cab5816be07f759153ee19d761cd2c7f8e16b193009d368825d4971cca0120bb330329447868bb7b7485adacce4965aa8786474c49b1eae0998220150 |
C:\Users\Admin\AppData\Local\Temp\PAkEkwAg.bat
| MD5 | 9349575a66d4a65723e28f19ffbae75a |
| SHA1 | db7b6549c6052aeaa8c67c4b9114e2cb69e027da |
| SHA256 | 98e33da9e0f39cbf63161422ef22a23db97f1ded54d98a5a61be470edeac8d3d |
| SHA512 | da0b49b55051f7549d9e3066849d61f37234fc9699324ef7bbbcd3d7dc9b3eb4ebb04c4f9a78909b1b65e6e7e31771507decc56fd9a1ec9f26414c35b30c82aa |
C:\Users\Admin\AppData\Local\Temp\eokm.exe
| MD5 | 09aaeae69ba39239c892e6e5c89793b3 |
| SHA1 | f270ccc83c0bb125b9456a72910490bd9a43c323 |
| SHA256 | 90dc4092f8696d521ca5890d2995a0a89efe6a3ecba9c527573ff6202b88f51d |
| SHA512 | 72170bca6fc7adfdcb5f03e99f4a91619203a6f1f8af3d788ad536caab760ce96c90096a36cad08556f2df0d7c73a570f9559ba88e6f9ebf121b4b037f6aab62 |
C:\Users\Admin\AppData\Local\Temp\MckA.exe
| MD5 | 7200478e4e0ee2d1a65674ea3a2715bf |
| SHA1 | 1f5addea1b737a1d1b1c9656ccb7f90873295ea3 |
| SHA256 | 86bc61c822f0ff8c4268aacfaa6427d572cc16d2007fabdf69a052b4550ea278 |
| SHA512 | 37ccb5148137a3047cbf4de9ca5509ef3b91b02725712701b0aaae19c7139b73d1144afe049644872e59e3ece3aecafb416f7f93f1c373704e702b2c27cf302a |
C:\Users\Admin\AppData\Local\Temp\CwEY.exe
| MD5 | 0d0c0b9f3e153c325065131030009103 |
| SHA1 | 84cecabcb9c68b43e81c36cecd7cf27efff3ac0f |
| SHA256 | a2c19855a4cbd3c47413d0924508268166ae34b0a1eed4a564505a05fd51c536 |
| SHA512 | 09e054de5d3c8c0b1e468cfe277dedfd5429200ab02d47703c220c0b49da6492d2e283bdd63e72486107dcdc6e83d2df5a8508a614290262f86a15f457e6138a |
C:\Users\Admin\AppData\Local\Temp\zicYMwog.bat
| MD5 | 6217ce7b2ed5cbd3134c4872b4621a5a |
| SHA1 | 785137df5a44243633d4c5c40e14878ef01e9061 |
| SHA256 | 4203c83db4622af617cbb98249b02fa9b3b6cbfd230b66f815705641957c0153 |
| SHA512 | 1a8d7537e8e07d26a2f836d828fa293ff75402373837ade752ff760ead14aaf48e6d98b083283340aa9eabf6f96de38c8c3cc420fc4274bcd12f18e62ed82454 |
C:\Users\Admin\AppData\Local\Temp\owkY.exe
| MD5 | a7d0c81de7c901a94179b0d1750d8f96 |
| SHA1 | 096a830391052cabf256974aad26a55ed6e2fe05 |
| SHA256 | c42986a29946670396456eb80fd60916ea8dbe7a55f02963eb57eb56adcbec7d |
| SHA512 | 35d0da719878b32414cb3af5707753667a76f61392cf656797404229b0eb2f826b93676b1789909efe202a150ae66fd818674d2113e7d2271270d412a7b61419 |
C:\Users\Admin\AppData\Local\Temp\aAwQ.exe
| MD5 | a741938e62b692454ade62ad92b276cb |
| SHA1 | a8479fa9ba3fa82fd9b80372c84321a27fe21f83 |
| SHA256 | ff9aa46c487d74e00f458bbfa061062da11fd22d3a77e683271013c1900decc4 |
| SHA512 | 2e9710c3dfd7fc74b0289a95f6b46ab2c7081593bb27a3b3441af3a42bd80a4b8ff793650753a7dc0affcdaac401348a6cedc8323a2d33bc6ed1e89f3360e2a6 |
C:\Users\Admin\AppData\Local\Temp\BQMwMgMM.bat
| MD5 | fa29952c04e6da348d85e3dc45153306 |
| SHA1 | 57ffaf3c561f3987b7a785a67bd7f4da42dd238b |
| SHA256 | d7a1954df3d3ca1c28deea261ebe8ad43d6c4e981cef3f72682a941d3942f4ce |
| SHA512 | 051a07d0c66c3f09a1c86a5af8656d5b2bf4ef52f09f7bab70fc39401f5fc1bde52f87b9e1d1d71a205c57b1059e46212b4c536716ed5b637f65a371b1919574 |
C:\Users\Admin\AppData\Local\Temp\TEwgskMs.bat
| MD5 | dfed37c96d94ac40aecb86019d53daa1 |
| SHA1 | 327f76139caa2a8f91dd9b43d5b7b349000af1aa |
| SHA256 | 781c88848319e3b4d0c7dd87fad87975eb66f2e07fc51a09afba512ac00e27c0 |
| SHA512 | 84dd7853926415179f906077fd0a889e52c53734d952f638149c3c1878ee0ef7f6275925bf7a2e2afc8dd3d16e743266291131ba7864fadda6ad7d99bf386fc5 |
C:\Users\Admin\AppData\Local\Temp\AQUAUsMo.bat
| MD5 | 136690883ecab2ec4d5ec54d0d11b873 |
| SHA1 | 1eff4dcb23029bdd781e817d596ef69f8446176c |
| SHA256 | 0dc24292c50f616e6e6300d5635e18711ba22c8a550b70ac6c58686edcecb9e4 |
| SHA512 | 400d49a215d9c1274478071012140bfb7a12a6bd34bea93aa77e0dc768492bb7bdd8b0cb11899e6aaef8cc3a7e0c38721d0b5e8544b3b7580d9ff15f7b1de28c |
C:\Users\Admin\AppData\Local\Temp\CIIAwIwE.bat
| MD5 | f3570010c6e8db4fef2e8b52864815e3 |
| SHA1 | d385b1075177bd63a2acd5b6a2ee23c4087b6d57 |
| SHA256 | 25f5e445d9a5928c67d9b8623dc146d726da8d3d50457976ac15dcf915c2082c |
| SHA512 | 714d81e65ec08ab364976d7ee14beb166672e808420e7d9284693c92b63b9382fdffbf794aeac8ffe767617d821094ca197ebe279794774aa58fceffabd236ea |
C:\Users\Admin\AppData\Local\Temp\SyQcsMYk.bat
| MD5 | b86cde700fdff09e0147b66bb488fb8e |
| SHA1 | cf06b0d972a247ef997518ed8ada32de4d163636 |
| SHA256 | 1c1b7e284531260abdf8f522e998af83249ce487a70a610568b51931c9138041 |
| SHA512 | 583346ab077da3888230a1a916d703dc08e86d3b852a02b6bd4dca3471fc9151c4ed25b96ba08a2d4ad621e0d7ba2d8d9be00d6ccae76c1e464b92680e1e2bfe |
C:\Users\Admin\AppData\Local\Temp\suEsgMgA.bat
| MD5 | 7eaa0594290252259c36650d51428e73 |
| SHA1 | f67b66dfe4d3636c3556112aade7183146a466b6 |
| SHA256 | 36029946f40497d0b910f7298a22645cfda26ff1f1b2f18426b1aed24cce89fa |
| SHA512 | ef19c40585aa298b00c8421a1a1734c247d3785d087ae08902225b761c4559b51d8aafb40cabb24dcb7bee8905875604cad8ff71b76bb29e737b2dc691e820e1 |
C:\Users\Admin\AppData\Local\Temp\kEsUUkIg.bat
C:\Users\Admin\AppData\Local\Temp\PsUUEAwk.bat
C:\Users\Admin\AppData\Local\Temp\TOwkcMAE.bat
C:\Users\Admin\AppData\Local\Temp\PKcIcIgs.bat
C:\Users\Admin\AppData\Local\Temp\TukIQosY.bat
C:\Users\Admin\AppData\Local\Temp\NaIYMoMg.bat
C:\Users\Admin\AppData\Local\Temp\HKEYsUwQ.bat
Analysis: behavioral2
Detonation Overview
| Submitted | 2024-11-04 02:42 |
| Reported | 2024-11-04 02:46 |
| Platform | win10v2004-20241007-en |
| Max time kernel | 150s |
| Max time network | 141s |
| Command Line | |
Signatures
Modifies visibility of file extensions in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
Renames multiple (83) files with added filename extension
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\zeYsUwQc\DGsYccYQ.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\zeYsUwQc\DGsYccYQ.exe | N/A |
| N/A | N/A | C:\ProgramData\nYQIAsEQ\XcMkkkMY.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DGsYccYQ.exe = "C:\\Users\\Admin\\zeYsUwQc\\DGsYccYQ.exe" | C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\XcMkkkMY.exe = "C:\\ProgramData\\nYQIAsEQ\\XcMkkkMY.exe" | C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DGsYccYQ.exe = "C:\\Users\\Admin\\zeYsUwQc\\DGsYccYQ.exe" | C:\Users\Admin\zeYsUwQc\DGsYccYQ.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\XcMkkkMY.exe = "C:\\ProgramData\\nYQIAsEQ\\XcMkkkMY.exe" | C:\ProgramData\nYQIAsEQ\XcMkkkMY.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\shell32.dll.exe | C:\Users\Admin\zeYsUwQc\DGsYccYQ.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\zeYsUwQc\DGsYccYQ.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\nYQIAsEQ\XcMkkkMY.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\zeYsUwQc\DGsYccYQ.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe | "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe" |
| C:\Users\Admin\zeYsUwQc\DGsYccYQ.exe | "C:\Users\Admin\zeYsUwQc\DGsYccYQ.exe" |
| C:\ProgramData\nYQIAsEQ\XcMkkkMY.exe | "C:\ProgramData\nYQIAsEQ\XcMkkkMY.exe" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock" |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GsQgwMYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe"" |
| C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock" |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EckYAsYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe"" |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock" |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xqsEUgoU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe"" |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock" |
| C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dgEAIUgw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe"" |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock" |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NqcwYIoY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe"" |
| C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock" |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AuAscUUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe"" |
| C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock" |
| C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eAsAkgYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe"" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock" |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sQkgwMkg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe"" |
| C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock" |
| C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zIcUsgME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe"" |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock" |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zqcksYEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe"" |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
Network
Files
C:\Users\Admin\zeYsUwQc\DGsYccYQ.exe
C:\ProgramData\nYQIAsEQ\XcMkkkMY.exe
C:\Users\Admin\AppData\Local\Temp\GsQgwMYA.bat
C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock
C:\Users\Admin\AppData\Local\Temp\file.vbs
C:\Users\Admin\AppData\Local\Temp\mkYQ.exe
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe
C:\Users\Admin\AppData\Local\Temp\YcUG.exe
| MD5 | db3ead72b8b1c33e29716e5eb6377db5 |
| SHA1 | 45bbd0daf5d0c2adf86d86eb6a0ae2560fb11501 |
| SHA256 | 6a1793dd1798a11b9e9b8417997627f23a93e00510f48b5699c4ca4dc055d57f |
| SHA512 | efa869a0c6ee8ed9dd8a57b39333b551e9068a493e42e2a1ec9e0bdb9ca3c772ec2efa7608aa5542347c7ed5dacf14d62919178095c8f6209c3f969a7d53fcd2 |
C:\Users\Admin\AppData\Local\Temp\aQUA.ico
| MD5 | ee421bd295eb1a0d8c54f8586ccb18fa |
| SHA1 | bc06850f3112289fce374241f7e9aff0a70ecb2f |
| SHA256 | 57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563 |
| SHA512 | dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897 |
C:\Users\Admin\AppData\Local\Temp\SUkK.exe
| MD5 | 6456016024a68091d00b309c0a9baba5 |
| SHA1 | 0a28506ad200ac92df00d39a78851278297f89fc |
| SHA256 | 5a5af73b14321eb6239f4b82261331bdd36035730ba9cbf5651406ed13eca96a |
| SHA512 | 57a9e652d9260bab33d4e6245e2175c02e2454d80aacffd4d58d1231d1eecf2c9e5de564c3e057841a4740241431374824af242447d21ebeea1b4d1114f953ac |
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe
| MD5 | be861d24667041b95a0527ac565a0c34 |
| SHA1 | b968ec108c9ef43d96dfd76cd852b9785bf0fbd7 |
| SHA256 | 85beab556ee7090bf1c983f986f642c7cdd3911ce0be8d91d41dc946c58b8956 |
| SHA512 | 90cf3c5e218e2295c56a842f710eb8933d3c78b53193905ee333f13822d9c1c5de3381cfb94f87efec4dd698d44334fafea8023f36a986d714ded47a3b489cbf |
C:\Users\Admin\AppData\Local\Temp\CEQe.exe
| MD5 | c05632654f3a1cb0253749346af00eb3 |
| SHA1 | 9edae2607509ddf7af64dc4f5221393c91961fd9 |
| SHA256 | 0b8599a0951ec50d302b205f2effdd0b4725b2c6f4e205697627c4aa1d343ab4 |
| SHA512 | 7e63a6cfae41c96ca9738d18a6c58535c6ed9c2e984d78e289d9aa1ba62212aae97154a326bdec927485aac0750a2271f7aed03a4da735edefb4c333611b906a |
C:\Users\Admin\AppData\Local\Temp\SgYS.exe
| MD5 | a6ba59009ea504a1c936039eff16344d |
| SHA1 | a6a4ed074de8449eb584cf375100590052f938a5 |
| SHA256 | e784b6b1b0550816bedde0d2c334ac8de3822d9eaf0b15e4c9a50b2d92856466 |
| SHA512 | 4a399ecc99acce85d74af1167f8a790b2f146a922cd79751b57088eb766a119b30dd1bd5e869a5a4741db58ae77201bc663f2bfa15832b3e06fbe41f8c7307a7 |
C:\Users\Admin\AppData\Local\Temp\SscC.exe
| MD5 | 96fcb6d785185ba50cdbb62b4690f13f |
| SHA1 | 756fd171efa7d0c62cdd8bf62ab2f1609d04b698 |
| SHA256 | f007e08c9ca26b8a49a702862d4116a97ed7c44edab9855a636291a493645448 |
| SHA512 | 062dfd559996c0ebfeb8a8037cbad214844e2ec602b01000723332a344c093a7b60b6f07d530117441479287e5c50a4485b5e3fe5c494dd0f28b75f45534eb5e |
C:\ProgramData\Microsoft\User Account Pictures\guest.png.exe
| MD5 | 339face22697640b84e614d65ac17caa |
| SHA1 | 5d223025f6325428a5dfd875239d57e812c20622 |
| SHA256 | 0499415b11a4cac8fae2a0f9dbf687654bd4b0266b62324f1df3d99934884c20 |
| SHA512 | 2811f707790e1c17a89aca52053f65eb97d0208ec703bc49bc67bed0d0fe22112aec4049c0a52319c1a77624a66b5a2da52a5918e122f4b84e3dafbfc92544ba |
C:\Users\Admin\AppData\Local\Temp\MUoW.exe
| MD5 | b04dc2055cefc5f9d02a67301cb9eaee |
| SHA1 | a099355945b614b96a3d37200d5364783bc84fcf |
| SHA256 | 3c1832d7f5fe0115bfdb9d927e83069c2d3bbbeeec2423f3a398e7b17f2ca82b |
| SHA512 | 288b0c20e52857827966eef6d133b9b9a902cd056ef021f9c62d61cde59fc739bbd81cc1f7c93fecb99e75d2e4826537c592102060260476ed7714f6460f1e17 |
C:\ProgramData\Microsoft\User Account Pictures\user-32.png.exe
| MD5 | 7cbdab42e6bc8168595c4547279703ab |
| SHA1 | 2143e63d4c1d141baef73a9a9c6de37e5b24f26f |
| SHA256 | 04d9573bde90286f7330d732275122d6b726fd1d1b4ff5109e4308bcba53ccc8 |
| SHA512 | a6ccef6a2a05cb828bc7b1f7d08bcde19158e6bf58cb076f5aec2b526aa6b27faa6ea8fc5d4e0ee13f38e4da8b8ab5ed2a60a11e61b25aa1148d39a8d69398f5 |
C:\ProgramData\Microsoft\User Account Pictures\user-40.png.exe
| MD5 | 19392f343fa5fde373a3ba952dc524df |
| SHA1 | 26e8d3fff08fa822fd2c6ddc1fbbe333bbc367d7 |
| SHA256 | 5f7206483d332e951d92de3418eeb161e6f11b0108f26fa8e95635fecc171aba |
| SHA512 | 024865e657ffc202953283bbd7021e161aae399a34a0f601fd68456de21ee0128c0c6cb3ab74b2e34d96ff843aec2d41d4e3e94fb85cb50e7da03e06bf5f6a7e |
C:\ProgramData\Microsoft\User Account Pictures\user-48.png.exe
| MD5 | 929070e27e21e4a76eb24bf8b9c2ad3f |
| SHA1 | dae2d338d715a66336014d32e14a2ad34713c15a |
| SHA256 | 59ff169ac8ab5eab343a3a12301c29407bdbe61d62e5e841c48e8d30a3f377d9 |
| SHA512 | 9d14808b201a4364474c0e581ef2ea76ec6d680ce56abcdb3b1f66e1a3882b1fc117fcb24290d6745facd5bca8d59fd62c02bc69022189b27e1df30d0c215e60 |
C:\Users\Admin\AppData\Local\Temp\wQEa.exe
| MD5 | e62f5b01cc4b03ca833c2f4909086337 |
| SHA1 | 0c9b5358d12dab2ef6edf562e9574734c46e132e |
| SHA256 | 8bceacd979b1a7c01003fce41386d2e60ddb772406859b1dd26fff1fa3e1f77a |
| SHA512 | 45ef42cd465486e2e039f9d4c7ca32d0ff14a8d348b9ce57f3b2d23348c4e8ef77667e29b238d26fc5194f115e7cda201c5c3521f21860912c90dddd2deeb6cc |
C:\Users\Admin\AppData\Local\Temp\UcAa.exe
| MD5 | a2bba11a27c047bd990979dd7772f866 |
| SHA1 | caeb298d7c1bc9398a4929d8bfda16da2f57d7ab |
| SHA256 | 5d6f39a542333a08278d6e04363e8d8acba44254c67bcb6cefe482b685702106 |
| SHA512 | 33316133bcec0f7a088d0f356880b83f019e8170862a3cb4245845bf4f463624583d36463484efe3972141f59770d4c481ea53a30b3079d2eb922c463c2f5fa1 |
C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe
| MD5 | 4ece2664dcc830d53830d0183afb0e50 |
| SHA1 | c3af73e8ec52c2fe76cb9e4a998a2255d3fa8b33 |
| SHA256 | fb9124cce0e33adbfb7b51e0547ab95f77907476aeddfecf724d750d50f940b8 |
| SHA512 | 4111659cdaca7a04f9816fb09eb2605f265e5531ad214cdf8fba204ff6d6a045782ff002844a2149d6283b435a97d205eabbec259a5ec69067cd386ed1228d0d |
C:\Users\Admin\AppData\Local\Temp\yYYM.ico
| MD5 | ac4b56cc5c5e71c3bb226181418fd891 |
| SHA1 | e62149df7a7d31a7777cae68822e4d0eaba2199d |
| SHA256 | 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3 |
| SHA512 | a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998 |
C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
| MD5 | b98d81d273a4489a97c00a151d0263d2 |
| SHA1 | 08fbf2bb90d2431d13b248364df17f58ed6dc7d4 |
| SHA256 | 27c81573469247fc04176fe6e887d5cefe9271e253cb882432efaa1e500452ae |
| SHA512 | f4933f6c11a4d2db2a1524df2d7377806fbf00cf2e529c1619186efb31558bde36466fe26752437c3aecf4c0f1bb3e60ce4d25b4989129abb377d2cb4d44ddcc |
C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
| MD5 | 634bed1a75694c6157ec22ec8c06fd13 |
| SHA1 | 76ca7f6dc80250ba3ce6690f74cb06def54a820b |
| SHA256 | 133c569dff73fb8635f0771f0880535cfc9025983c84edf72a15353a3bcb90c2 |
| SHA512 | b96e41aa59364aae9f3c9fb8b51487c5fa6b1265cf218f12dd488b4ff460b21137d0e41222b36af17a29474b4b6389420bbcb452b5db4f1834168525c9118f7c |
C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe
| MD5 | 83e455f5a67090bab3aa4297ffbbcc9b |
| SHA1 | fbcab7ca33a1ffddea5e8a42a03f77dfea959b2c |
| SHA256 | 08719c230f702515a5e0283d502896c74211bd170b86ad5a6f2857d38ab24b3e |
| SHA512 | 1d67bddd41b2d6a5f924fccdda9410e841d8f1752a72e202566827328243ea0f8f6e1d26fbb98c3dfd5f1110713c22a7624ae777f36283008f9b6aaa9a7d6441 |
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
| MD5 | 2267396646bd0cc74902f99128f12829 |
| SHA1 | 22998de6ec72ceff83f957a9ab36413f016b2422 |
| SHA256 | 73a8b040e264736af70b2f366fad58db8ff01e2fb0e53a675e2dc303d17d2cdb |
| SHA512 | 453744ecac0d5901a290ff99eae826d6f6901acc80099d5fc3505905bb6f12cc105fc8b74318afe58f7beede232271d65764b86fb597062eee6f46540b9da20d |
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
| MD5 | d355f1504d21386cf4915773fb54345c |
| SHA1 | d522027ade5196372b0bdf406c724797eeb5375e |
| SHA256 | e4596f4cc7cca88d794424a889d3df4a3ee1df4b26ad25396c3cd4500414e19a |
| SHA512 | a7d98d627a9328dadefea203e8cb65c019562515dac3b0b93d29728f64e2b89b09dbb9870c0088b9f4a98002b58501a986c44ca0e3276f493abb0c9c86e2c04a |
C:\ProgramData\Package Cache\{d87ae0f4-64a6-4b94-859a-530b9c313c27}\windowsdesktop-runtime-6.0.27-win-x64.exe
| MD5 | ad7a0d5d8384cd713a725ed783eeb660 |
| SHA1 | 5285799b7c97a17df1ec7c699a1fa2e5c76b5062 |
| SHA256 | ea31c52462340a68883db4143b2c3a835032e13c4078c4cad1ab8952c89334e1 |
| SHA512 | e52cdb6aa26b248b486c2e8def9e2ec5f0ccd2836338a91b465d4e9e7255dee8b46ba3eaf967d94cbd40ef00d1bb6d668291770b136f1165299a6d2f44d6ff5d |
C:\Users\Admin\AppData\Local\Temp\mwAe.exe
| MD5 | 3a9454c5f9a27d3bfcc03ac8d5f23044 |
| SHA1 | a7f6078c430f9ba74c256643c5a1bada12ea01ed |
| SHA256 | 00bfa4d43697ec80e2e70ff778719ebebe1f681beded17db0789ad5423099dfc |
| SHA512 | e4803ac34625a96cafdda646aac7483238c576d3e97637e0d2f94feeed8168389278ffeebf56ad2efcaa3196f66d6ffc5c6c10b6eec3e90981e32cad050edb92 |
C:\Users\Admin\AppData\Local\Temp\Qowa.exe
| MD5 | bbbadb4c200ea0b859541fa6e6a55f15 |
| SHA1 | 8183176c4a264393fa7aa2fea07eac5a15e14122 |
| SHA256 | 6d3e072d1863e2d988f2d4377170fae8c8b1b63fcb57ff47b34ccedcf5570101 |
| SHA512 | 4e96685ed75fd8e79b9f33ff5001c606ce3d139d6b4d4b5f31786211a4c84b063282227af7e66734742fe31ba0972eeafd86c62b56b01d6d2f8bf70b3a234465 |
C:\Users\Admin\AppData\Local\Temp\IEoq.exe
| MD5 | df9a20ea7ca96a9d5dd6800e478e846e |
| SHA1 | 91f27cffbca75d983341db78b47597504b4ecc08 |
| SHA256 | ad0f97961cbaa2f694b6f0012b106821567a0117e04d952cb432e49a67970bb6 |
| SHA512 | 02751d5772a713044d78cb01d3f5063e94b80c81f5be4e1681bbd3422e6204211030453be31591849b8779505f48154e0f99e239b7b56476ca6c4df53d147917 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\alertIcon.png.exe
| MD5 | e5f34fd66a2eb0b869add0735dff51a0 |
| SHA1 | 2bb7752a5aa23fa295548200cf06555518ca9b5c |
| SHA256 | f5cc01bc223295ae1bb78658e9be8dbe03bcc9b30654007944ee8d35e03aca02 |
| SHA512 | 236e11e222864f3a31618ebb70e73984bc88cf312ce9e7d86d23d0125bb644e9bb869ebc488ab1a0984e555adb4f89b969522ed5cd6354526dfbb52a984ee489 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppBlue.png.exe
| MD5 | fcb45568227d2b7104201b67112e285f |
| SHA1 | 85bf464c8b31001b05713d7399c8ba8f287604df |
| SHA256 | 1a3d59d4bb172c471a05c2c4c0cb2fcbd54fa168f8794da3b87ec67c8d46ed85 |
| SHA512 | b123bc923d0b76abe71a7be47bfc982cb5cd3095bcff9657eaa8111fa701bb25944bd49ce87106885884383cbc3cc11b51301040514ce8c2749c9f6dfdd19ea6 |
C:\Users\Admin\AppData\Local\Temp\usEK.exe
| MD5 | 4197f8dd05003c860e083466d7a76c67 |
| SHA1 | d436f108d33443ef6faaae558d6fa79625630326 |
| SHA256 | 2c75433da1641206ddfb7754d53bd3897973f762b47359329221f3832a28ce56 |
| SHA512 | cd8bca4ef8842f2a295c65cc79cb84220acc2743d760f39f6d1b468535c2dcc204cc28d1a753f1ff2f5735f860c95527abbbe7806bbc3e05c77b5771ab000eb2 |
C:\Users\Admin\AppData\Local\Temp\oUQy.exe
| MD5 | 0840dcd8078fac5db04bdc4655666101 |
| SHA1 | 49950963126c25dfa31cfdb2e2b30405c1642ab2 |
| SHA256 | 4712c8f960afde5fcbc6702d75d5c493a705025d2e5b7725973374ee734ebb66 |
| SHA512 | 06810f4d18e8d83338ad56c5943c8a74dc9ace6cd918e67002a7839e0ef029ccaa2cc172f999d5c99a219d2283bd0a978576329a24a77f8974950c762419e4a4 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppWhite.png.exe
| MD5 | fef84f23504e3fe8ffab34ffafa22c02 |
| SHA1 | 9888f194aa4e97514c1e3be73e4ebc1796e432c1 |
| SHA256 | 651206af5c38af0124d487372f65a23bc0485f3c446bd1e0e24ff5fc85dd5664 |
| SHA512 | 0ebc5dd42989ff5b507d62068f438883eebc67569c612a5f93adbf65febe702769a31f62a93fcba00104afb287642a43dab7e79950e63f98ae0df9fcde049a53 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AutoPlayOptIn.gif.exe
| MD5 | 593032c8367ec3c7a147d4397512eab8 |
| SHA1 | 1c8a0c31c96761e68c1df2ea301d303f4f552700 |
| SHA256 | 84b046806309934ab5962aaacf7d5f1c068affb35c176acc04c9626d1f1c7d39 |
| SHA512 | 3df05689c0927e278992451ecdad13646973d73b2222573e1517aa6ee49830aeb4511035fc1213b7ed02fea7cbc0ef4d44f1a3883b62be65bb8d3b0be0ed706e |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AutoPlayOptIn.png.exe
| MD5 | 2660bb9295814e97dacc3543ea03ce72 |
| SHA1 | f5b6775d76d522f85c7cfaf7eae88a372c6090f4 |
| SHA256 | b93551a885b311438265b22d9022251c96e6b33d8c4d539bfa1b30dee59dd81d |
| SHA512 | 4b788785079a4ffd3e6ecab08a0677de384213b74651c6327a7b31f430d77683271699b6bdea2af87ac955dbb9535226bd52b4015dd3240a1b266f03a08e0d2b |
C:\Users\Admin\AppData\Local\Temp\YcsK.exe
| MD5 | bdbffa46352bedf553c6aae9ca3631e0 |
| SHA1 | 4b0d70679d388f96813d70abd0b6053aad8e491f |
| SHA256 | e32dc4ed36deddeadb8a22dc61e64e84f3f311265846cd67cb31f4d7b5aa53e6 |
| SHA512 | 07259e852add608c3fd4544306d179dcce1a62f7efb1da1711f16e7aa53a2148a67f69f96c0da6c1d44f6e48ac3f8c41afb56e30aadfdd40060a5428360fcc11 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ElevatedAppWhite.png.exe
| MD5 | 3673146555baaeea74b65d967e829162 |
| SHA1 | 711827764f6598d2318322279c04400c814745db |
| SHA256 | ab0ca322ad3504eda62c2b1eabb81490f5bfeb6a6ffd9d948dd0932e177fc49a |
| SHA512 | 0c99720035e5387fe5cb97b718107e3f6a034eb24c4d231344e163c039e2ba5e2265cdc60f65f20eb7054ba88df94406e3e127dd558e7b2e307025e9d39ad6ab |
C:\Users\Admin\AppData\Local\Temp\wcgg.exe
| MD5 | 91fee87a31068655d02a4b57b12906b6 |
| SHA1 | 98df40975b90bfdf69e0dfa1da57c552c710d6b8 |
| SHA256 | cd3f3843090e89efa126ba50b6a5e800b298f4a2e5b1e2e7d40acfa5e1b72a74 |
| SHA512 | 90831ceb3d3b18e163389817dbc478e074cf99c79cbd0fc9cfaa50909496502d525e94d5e192b374590a321492b33e08157f72872e781fa5a02ec3bdde55d539 |
C:\Users\Admin\AppData\Local\Temp\QMIy.exe
| MD5 | 8f64cb0deedf3a37a5eaf80bd2b95100 |
| SHA1 | 7876b79653404dc323bf4e68ffebaa59cad99641 |
| SHA256 | dea9c65558e364fe0c97ba7a091972c31ac48e7a9e9756f5332d5e298b10a747 |
| SHA512 | b78ccb6664844709a403626d70ec4412e31915fb84a2c2de8b638b68e97866cbf83445f82ced2c678fb714e9a93cf6dc2b930a43553fbf9382ef29eefd78cbec |
C:\Users\Admin\AppData\Local\Temp\scEo.exe
| MD5 | 9aea4bb46bc96d5a6c274254fca823d3 |
| SHA1 | 257bd9d7f3ed3a77fc29c8a2061c6318eb225cef |
| SHA256 | 9fa3c5412a97beb8a72ddc4de1ddc5498fd120d18a72df02c72bbd6b46f39317 |
| SHA512 | 80dab3808bb172aa63e98fb7192ef3f20f0b835f045ed21a6e576cdf12e126db2f4e53b68dfb11f63c221244d4e9494b05feb31cc9352be44f68af4f0570b4f1 |
C:\Users\Admin\AppData\Local\Temp\AEEG.exe
| MD5 | 90e41da9612feba4805e99a87b2d167a |
| SHA1 | 541a366a44513773d158f0ad8814af5f9a545efb |
| SHA256 | 2cab9a3de9f38e8b8783bf13b2f9fa8647212bc779b40dd3fe86dcf1e2e3b207 |
| SHA512 | e92ffec003b0003b16545e1c817a8939e36640ad9835320ff951e4bea16ac120373b37ecabd91239f58db05c68f114d51d7741ebc8796ada6f8d29fbd24cfc71 |
C:\Users\Admin\AppData\Local\Temp\wYEu.exe
| MD5 | 5ac53bdf6c373580ad7f2361832d1dcb |
| SHA1 | fa4a50b527aef9f23644e2cdc9875daf94cf61f2 |
| SHA256 | 81b52dcdb2fc04476a1b08ac63cb50e9e7811effe67174f9407ae731042c8fe2 |
| SHA512 | 43c4b992348a35aefd001fa7b8cbd9bd259064f727f7d5bc500620b434bf7e35d01271b800655a52aeab4fe209cdaa5e51444d59163632f201fd49b6ed5ba1a0 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\OneDriveLogo.png.exe
| MD5 | 05a7f9c92a806e69928576fc9a4c6ffa |
| SHA1 | 7188702a7ddcdf51122fd7f2c2d58573d9715cbb |
| SHA256 | e949368c8918e4f91e2d281658d68512aa730f0a0e4198b2523617cdf2976eb2 |
| SHA512 | e6b8efcfef01c2503deb3db10ab9930e0f56cea532f27eeabe2e25754cf1a37edbc4d54ee2f3bfe726de3da4631f889224058346db4374a13faf3de4f6b28db4 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaCritical.png.exe
| MD5 | 967631c1f6fd15e11e02961501eac389 |
| SHA1 | 57f57d1964939c56dd5d4a1147a331fa0b59dfa8 |
| SHA256 | 1f6f2c715973621f6f78b2c43210b2acbf99d28b6aba6cce7ee65108431a1733 |
| SHA512 | 3073796416adae5c9ba3ce859515a17c8476b89c29cc72baee94c07ae39ac038358659e3dc31db95cd99a40c9ada9f2eb69394eaf89522dbaa05483ea16b549f |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaError.png.exe
| MD5 | d7363ea95e5aaf40d4925f142a34b81e |
| SHA1 | 78449d5f71f8e53d945271970a676790e98afd17 |
| SHA256 | 0383fabbc8567a8ab613fc2c7b4f0172047afc408a070c5d79ec464826915b59 |
| SHA512 | db83bd5e5be5f936e2b579db478ab8bea620e0bad97c9dd9f7a17ba72beb29a8b9f3f3c78db1fc96cb0d9d11ebb2250934eeb276186347caf6228ced42506f4c |
C:\Users\Admin\AppData\Local\Temp\iAQI.exe
| MD5 | cf267aa2ebebde677fc5c75d3a91a381 |
| SHA1 | 7acc41ab0e9293802a6d2d28a17c66ef45dad3b6 |
| SHA256 | bde43772878f0f1ebd69ef04efe4aa8d7706b5c51c17e92953355a42c5c7bdfb |
| SHA512 | 97405babb94f691a0869711879a0b95d69baf7bf7b5a3431bc28702ca47a89af92e32ec68764d28e7378734e51961823eed1021b2f323979f673a3245cd4be42 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ScreenshotOptIn.gif.exe
| MD5 | 59b05ff8746393a97c02891150f8e19b |
| SHA1 | 80b83bc874f2b9b07c33b1dce9056cf3713d90ce |
| SHA256 | 59acabe9b7ed2fa5c3d9106e86d472aedde366ed4bc3520ea546b96ef491d02f |
| SHA512 | 617f7945bb705be31453f85777ea06f6678db60227de44de925a951e3f613b414ba2a0bebf664e7bd3d38d9f8141821c94f6825d4cedf851cf1e8951435a0029 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\Warning.png.exe
| MD5 | ca464e4b509e36ff7d0d1932c046ef52 |
| SHA1 | 37a5a983dd5027e626ce6ceccf26a42200d11dd3 |
| SHA256 | da7f8a343229cf677247c338d545a18d8f74d7a2449933889d7dffd1addd636b |
| SHA512 | 28f4e8540bd17fca426afbad88fdabdae96d72de1f7e3bf61123c625e29df31bf80713d00a4f7d7b63f9dda83bb24cae910c6382d2f023f844479ab7317c1a88 |
C:\Users\Admin\AppData\Local\Temp\eAYG.exe
| MD5 | 850fb74cc1a6779939cfcca1d0e030cd |
| SHA1 | e17897cc90cc750b874a133b02637f5b17eedda7 |
| SHA256 | 889a9da88b2d9a5846ec85d1cca225683ca5fb05e76c4cd9356cd3e67894ecab |
| SHA512 | c17c8e49eaa95189bf88294f9d4557dff1c6d178bf636e6bc0879c894976fcfc78f82d59883bdf0c38eefc0c9c5a75514fb755612d41fb74f5085a50530bda0b |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-125.png.exe
| MD5 | 0391fabe6017df3b589d4ff207827b8a |
| SHA1 | c1626e35b55ee00f5d1e14362e5bdf45271b7d56 |
| SHA256 | 1340a45440865c1665fbcb382c6655c0dd5bcedca530e55156c5dccd4d868998 |
| SHA512 | 33309a9ac6ee964346565148d776ba90615f085de6b249396829b304e3274b1e483a56296e7c84a2bcac7a38e51cfa17b16aa223ad3f829d97862eccacf3834c |
C:\Users\Admin\AppData\Local\Temp\MYEI.exe
| MD5 | 53eef7658abffa1fe73c2a5088fd32ce |
| SHA1 | 2529c5d16df2d092920b02f2e4a9d74ed2e8c89b |
| SHA256 | 25e8d3d02cba23bb96c7b69d8bf7b529d7dc9d263076c1a32506d4914d95d8df |
| SHA512 | e026e02d713ed1a2c52d95ccf9c5b5ff766c1540de137a70bff260ad0f583092945e1d683a7cb1bc6b4e46e49a96eff54e252f8ec61e59f36c9825c77345e60d |
C:\Users\Admin\AppData\Local\Temp\CQsg.exe
| MD5 | 60fb96826fff1d466f294a0362627fbf |
| SHA1 | dc134e0f7877e46450d35480fd0f5524b8993fcb |
| SHA256 | 7101ca46487d51ff0217b1dbe96b19f447e1f69aadb4241c2994a666d691a24f |
| SHA512 | bd64f57ff675b1bedbb1bd2a0b50e7129b0dde417262716e6799281f6ab80f97819e6bf955945e7d586e6d03e5fe964aac155ef755ee152d9cb05799c907a327 |
C:\Users\Admin\AppData\Local\Temp\wIIC.exe
| MD5 | bf1e7e3383758ac3ee02e6feaac0c132 |
| SHA1 | bdf5a5e7ea98d8ec4cb98231220453184a0610a6 |
| SHA256 | 43812821699bc3eecc2fa0b6992a3ae77a6fd5a1cb9606f423d9d680d0bd7130 |
| SHA512 | 1033924b12f3639711e211fb4484d59a6dff859d9b3eeeb0fede6b0ff24a83e4432b5e057d21c561ed483a1f9fe08d7d90fa976d489c700a826eb19566cfce7a |
C:\Users\Admin\AppData\Local\Temp\yMog.exe
| MD5 | e1fc7b2f5f7f138d6480cc3acd2b0c7f |
| SHA1 | 85a52404f55a97b4a2354901c94b7b211fd14abf |
| SHA256 | bcdb37689421c31f85f7e7b02212de383eb1abaf1a74cd8b058bf5eaec2fe7ae |
| SHA512 | 1a98daf6c1c50ea9d59ff06929eae01c8cd274d6e419427364e7846380c7a3f6ca6962753840521cce1d8a08b783ebd35af61df1613fd1b9b3736d13ec32c75b |
C:\Users\Admin\AppData\Local\Temp\gkQa.exe
| MD5 | 449ddaa70938322ac9e6defb5eebea4e |
| SHA1 | 7e70890d173dbcbb5c0b08bc991f3de20b48e0bb |
| SHA256 | a0612ea892ef322cd58aa9601a240c61e09780d6cd89e9ce9651af002d481d35 |
| SHA512 | 5bcfe76f6badcb7354bfd81689354997ee3fb4d0659e363359d41b04dd6a319bf9a4e12100ae0a2281c83d883a46da75755a31dec645fdb2f819df788c8ac567 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-150.png.exe
| MD5 | f3a2c45d061c1d0354f0216452618fa4 |
| SHA1 | 9e3a5f191682ea4b7e8316ef95a5a44eed9ff6c9 |
| SHA256 | 7f53d394f8f1ad297752896e0ea0e39fbf397c3c4f87040f0b6f3f63438e8440 |
| SHA512 | 09b88c3286acf81eeedc9d57fb9e846113788cfade8ca68178f96fb04d8e7e6b99fc7f97ef3d22f34ab6ce8e7f58a897b5b562484ec476f50ea71896ed112a36 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-200.png.exe
| MD5 | f5c72980c7acd0fef75b3be6877dfcef |
| SHA1 | 107eb00bd21ad40fda4dc154b04eb478eb994c8f |
| SHA256 | b55e2961648d799411388dbd090092592430d8a52c1d43e82ea37a26d8ea0a84 |
| SHA512 | 3f23587cf4cf5ff5f1788da7d15fa7df24250c53907dc28c9d62c72fde0afa3eca6deab96a5877e368a9baca8139888746df952ccf64fc9700ae53576f888298 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-400.png.exe
| MD5 | 9784eed61a6c719c017876e25aea8b9e |
| SHA1 | f9737da66a41ecf2ae8db9274b0783aa1bde6ae6 |
| SHA256 | 0218ab4160453e07558669e5234d07e5d0b0558af920a137d273a1bb6d557614 |
| SHA512 | ff386086bc692c6bd202956cfabfc922c217e3b1dd2e4225d52b382e8a4fa63d24032e89c670479a26cece7099d7e184b0fbb8ed95895ef3c7d96ec2c0c925c8 |
C:\Users\Admin\AppData\Local\Temp\MAIq.exe
| MD5 | d9c93e716611fe86feadb61bfda2d27c |
| SHA1 | dfb2251b8b25e41249cbdfd3a105bee74a1b09ea |
| SHA256 | 1451228dcb561aa3276b0e79725b345a7961871a8880a12ca724fcd3059603a5 |
| SHA512 | 8ff6aacaea4c861861a90166fb48d94eef58271eff6e67d961197b90cb6e6b770fd238a866f2527c3bf016b3472eb453108835684b95e6f6e945bd9f7430c311 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-125.png.exe
| MD5 | 31ee5359a7829869b4c19fcecafb6022 |
| SHA1 | 70cb2643028a7ffd4b82e39f8b98c153bc622fee |
| SHA256 | 23108d7713cc0d6466c1eeff558891033dd7fc7e1457edac3b164d86fb824376 |
| SHA512 | 5ee383b064e6ad8ae476da76e5795f5305809c1edb445e5ec10c593142b21680239f8b147495ba18c12a940fc581d2ee0cdb6e8843719784cb9ea07f30b0ff2c |
C:\Users\Admin\AppData\Local\Temp\oUUE.exe
| MD5 | 59e173744543bee5cb53d815b9dc269f |
| SHA1 | a6f09f7a6d7fbaed940e24433c7582db5dd84908 |
| SHA256 | 6e65c31eba6321642a106eef7cfefc71f556fd2237df4c5f0f32f5efd088ed59 |
| SHA512 | 3f0ff21843de512c1ff6fcadc7b3b1dee5334f592beed4c84077726a5018beb0c3fd4ea551839004e33572f090ab3d1fc3e4ef1539f7542d6b547a577b58d72e |
C:\Users\Admin\AppData\Local\Temp\EQYs.exe
| MD5 | e1d0ec870cb3dd31512a20cdb272f99b |
| SHA1 | ee66bc87c0331e522dc90c4140360f96b0bef49b |
| SHA256 | 85382a21d98766aed83c64f081e7d282e640e9279801664193c304f73af3764e |
| SHA512 | 760ca6f986bf5cd054c58f17ef1684c64f75b66cb5cd2425522cd8d784bb196eea0571f02229e599cb72993bcfa0918e20fdf511b423eb34138c24bff14d92e6 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-400.png.exe
| MD5 | aee576e9182fcc0f0adf9cc3d58d6f0a |
| SHA1 | 0e2b7b1e2ecde349b4c1addfd29d10a8c0d54b77 |
| SHA256 | bf463c71bdb4e5e99b89795ee94bf30e98c4699dbd0648f6a908658ddeaa35a4 |
| SHA512 | c2dfc9853b3f0aad0467a610aac4a396ebc75e7cc0fb79997ab381a363f892815e296aad3dc87bff329110697c53070d2841916a89c006583e2f70d558ffe8db |
C:\Users\Admin\AppData\Local\Temp\uQkK.exe
| MD5 | b6bfa1f6931347c38b48f056df808ed6 |
| SHA1 | b01d2906cecf378211a29a5482293fdf6612d907 |
| SHA256 | 42b36819397a12a1559bee0f392216da228d0e90e79eae4d43d94274f8f0ab90 |
| SHA512 | 16e34cde72fb66ec5aa42f05e206b3bf4ce84369546be5f418ffee4f3acb736c36b2ba1ed934a9ac2b11b0134b607f5003144b7433bf4d8cd88616381dca63c3 |
C:\Users\Admin\AppData\Local\Temp\gwkG.exe
| MD5 | 28d88b6cf8c5e579cf84ae8e30c0af6f |
| SHA1 | 5e58e6f0138abbdf88a32ffe639ad8a809248344 |
| SHA256 | 8dc359e0c02ebde95233f14f7bd1ec2cb12ddf931698bb9a058e06f1abacb540 |
| SHA512 | de690d83b1a9c109a0807de0fd9ad962ff4b1c911c6668e9ff2bfdf77d7ce1c969bcc5781c8d7caaef0d8cb2427b90a241f3c34dd7dcde4ab94dfe7c136cf084 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-150.png.exe
| MD5 | 69336dfa5b42e076d46f6310aaf37f71 |
| SHA1 | 76de6a38dff61635f2cb288ed5dfb6f0e7c3e944 |
| SHA256 | 74695aed70dd1103702b65e88b18ea5974b591e6600804cc39b45f049bf161e0 |
| SHA512 | 2dc0f91dbaff412e7bb27d70aaa1fe1ff0a7990389337ae11448dcd0a25f592a9add1d354a9b565e0ef768b31e861af60d29d4e3cf00ed6da24e8970292cbb19 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-200.png.exe
| MD5 | d7f8a2aea43e6ccae6a21c679c44b740 |
| SHA1 | 696c97dc838ae22b4b05fa0ca3bc29410f948e35 |
| SHA256 | b3d05791ca61a00fa652b9f3a943ad8acd5c87cdbf5014546d86dfe99be1dd33 |
| SHA512 | c08b7d67483e40063dbc85acddb18957a2a6b6845e9e63b42d0ce6a0672ddcb1b4541e0330f35c5a08d341fe431f85ad1b0ac23a2ae6bc9de1d6e2459c2b41b2 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-400.png.exe
| MD5 | b5abdbe36eb57d50f1e595ae73b69988 |
| SHA1 | bb4e92ac88281e30dfc96b53c207b5f663d79702 |
| SHA256 | 8e3b60fa1a5374e7997e2bba7ada919e1baa2c255969381fd6cb2c7dc24fd758 |
| SHA512 | a086b68c76945a967d46ee44f357d125b5668fbc194d4acbabe6f8a005350bc5556933a1209809cfb8f0a17f1f9668988f80ff1f28f37d1a8183ca1a4406bc5f |
C:\Users\Admin\AppData\Local\Temp\QQkK.exe
| MD5 | 21513978dba0b0c86a116baae64384c0 |
| SHA1 | cac9ace4ac38f26c2e4a8bbae49c97f2dfb2f8e8 |
| SHA256 | 05cab3c289dd11b50e4319b548df5d204421d8c0e4f5d8316b65855cb87c45fd |
| SHA512 | b073860dbbffdf982b38ade7387d1a2bcff4d962144c279ec17c0e5eb44dc15a453cf74cafe05d9dd8df9456eb653993eb08c03c513a6fb05e3681e76e20e9d5 |
C:\Users\Admin\AppData\Local\Temp\qwEO.exe
| MD5 | 07a89fd3c73a10f4e558e5d5b4790554 |
| SHA1 | ca74f99abb7a217546deb73313516d96ccd663df |
| SHA256 | 9704b799beaa07d15803c156d24d7b20cdee466fb58e3bf265a6568a23bd91d2 |
| SHA512 | 69af2994e6ee681ceb7a75daf5b99213874bbae5fa2a94be6b00f133f9e202bf74818ee2bd2f6d2d4c64de1d1600e69da122dbe334af6000f5404d942fbdc9b9 |
C:\Users\Admin\AppData\Local\Temp\KoMm.exe
| MD5 | 82c09fa7db66a90a20a5701bb049fd9f |
| SHA1 | 47c529abc370a2fd617dcfd75ccb9c7ae0a4cd89 |
| SHA256 | 5f0588addc736a1161ab050d4ae3a4318d51ca2b5a25b6af14e9419d6e6e2290 |
| SHA512 | 35700c97277dd7d553b4741640300ef3b9af4a41c0557a82454cb466f149e02e6d8d2c74f983cefa37391236a6d637ec2dd3aa24d5ab06b8249176ca099eb427 |
C:\Users\Admin\AppData\Local\Temp\UgME.exe
| MD5 | 702c9c1eb31ce9905796fff199d91039 |
| SHA1 | b3156bec3b3eeb7a608c7cd8cee0788f858ec6f3 |
| SHA256 | 021ca5f0e09eee0746c15c6d765fa0051902dd3faa7332fb1ca40bdd05978731 |
| SHA512 | 0ed51b9276b0c911d6a205fa820deb06a96b7a55ec3a5dbf634e5744d4fb00e55430ed6eec75fe059fa5f08e7bb9720f5834515d42b65a0eeccaa72fb533f3e6 |
C:\Users\Admin\AppData\Local\Temp\mwkG.exe
| MD5 | feff665167901eb7651b6701c75b6dea |
| SHA1 | 4456adb7c3e9b813853cd139515845b36c755617 |
| SHA256 | 7c2d33813435f3be127104cd94f9e2a8ee9b9956ed67616a4aa1bf3a5750a269 |
| SHA512 | d3ef38a892f551b18e916c59159472d8b2fdf405bc2eeeb327121847b600f0ef6d2e51f600379dee83d26c44abbe1b815ed75af8e78a49a2923e155493c60b86 |
C:\Users\Admin\AppData\Local\Temp\uAwq.exe
| MD5 | 33771e29176038d787a534fef79091e8 |
| SHA1 | f09931d22b95c97ddb8febf838eecb58a237ae48 |
| SHA256 | 8cd50a0d040bf5a7b8b27eccd0b8dcb5cb7dadf63e58dcc394b349442e28e21b |
| SHA512 | c120e4160f24d84173ba2a243e985725fde0b61271947114842ae69bf03eaa96f9abd6e57e3f2e7cb303226ac218a62e4d90990a8c1133cb138dd20cbae5dc0a |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-125.png.exe
| MD5 | 70937c55bbec65199148f297c1bbb8d4 |
| SHA1 | 21d52357808e941c0093e2e49740eaf0fceab281 |
| SHA256 | b030709111e3479df2aab1ecdb0ac96e02873386649bb89def7c87b312ab96a7 |
| SHA512 | 4d0f969eee115a4acc038bf48f2d37628c03e655908bfeb3c699ccda1276970983513610ea0b8c450c9bff864dd8288f42a228ab9f31700d65a23f28fe2bcd87 |
C:\Users\Admin\AppData\Local\Temp\aoAK.exe
| MD5 | 630677f3cb7eaa56c40e4fa53fb17136 |
| SHA1 | a214530d7957ab50d89ca03a32f8328682db8e0e |
| SHA256 | 327e3d9903c40fca7f060149f3b0493ca57948c532ad7a86278fe565d8bc1419 |
| SHA512 | 89740da428610fc666f43ddff9de07a2f426c35e1affbe9a9a90625d18e1b66ecd7bf1dbdb4fc7e1852c61f10083357e43357f8b088bca59079e46bb27cb6d4f |
C:\Users\Admin\AppData\Local\Temp\qgYY.exe
| MD5 | 062cba23f30454ee51efc2ba26071442 |
| SHA1 | cf3067ccae9a0202bb6444487e489d5b15e44021 |
| SHA256 | 8db93cbc3dd0a33a9d5392bc00563e0c0aefb2b854fb00860dc45fe603f96a26 |
| SHA512 | 7b54daf69c55937bc5a8fd95af915309290829e9edec7bc1ffbde7cf4010ed320ea430e2d961cad1bf9a8962320fecf4f3b515706efc75203f9ad4cbb56fe44c |
C:\Users\Admin\AppData\Local\Temp\Mcwe.exe
| MD5 | 23e70b55bf48e41bba32bc822fd9b5f1 |
| SHA1 | 31b88f0c68ce7925e14f01f37450fe81896bac2a |
| SHA256 | 90f33af67160eae8733c0f29cf02b8566d5e99da628fcb2eb775ea5c6303268f |
| SHA512 | ed4a84fb954d0248cbb9cf0aa183c2f94a6ec3ffa5e619f0ddf6f13726ea423cb29642e8a4fb272c2672485ba9c50a19a1c95471af1aeebd56b9929595c8b7d2 |
C:\Users\Admin\AppData\Local\Temp\cMoG.exe
| MD5 | 8d93daffa229c19b640820ff28505b9f |
| SHA1 | 61535613100523e0adc3e9a610702ea6480e63e4 |
| SHA256 | e56190f27ee2189c9f7df828bc2d65ec7eb47e80a71b31f389a79b52d0c75b94 |
| SHA512 | bcedc223199177206e8ad59b49a8d788c037f3af0b7830065bda15ba86cefb268eebe891fe22fab47ea6bf584bdc4d644edbb89a396bd307e97d44c7b5217664 |
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\26310719480\squaretile.png.exe
| MD5 | b379c008d57b4821dd7b1deb4e3c635d |
| SHA1 | cdabcdbca1f25938f515ce7b021fbe4a4c0e7e43 |
| SHA256 | dfdccbde81fbb789bc005c541a86c4a4f6a4602c64ea4e6c231437ffc5f3c2c6 |
| SHA512 | e85669e08e2da724ee88225d4680c86d1c5b772629c448e650724b1906a331318fd28c6eaf07396e9dbbea1730b89907c29ba052613f40f3c9685be3904cd739 |
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\26310719480\tinytile.png.exe
| MD5 | 5070e20ba4db536bd50b1789b2ac6400 |
| SHA1 | 6ec2bb83827f2915f114434cc176b30d07f1da19 |
| SHA256 | 16d3fe1c057776152a53f52e7f0581badc8e2d98505f0349317a73c14e7406d2 |
| SHA512 | b2ea5dceb13b0da60eb585faffff1e1c1de2013cf74789f3abcb42620bbde2840b3e7343a8dac00df805b2fe47535c1948a9486e51ddf63bf30eb4d891656963 |
C:\Users\Admin\AppData\Local\Temp\ywEa.exe
| MD5 | 5e13335ad83547474346723c2e57225f |
| SHA1 | 18e611b0466a9e9023ce30209a21eedd824f0163 |
| SHA256 | b7cc2f203ca10e3c73b313f62ae60672f4070f8f5cef4db70a9e4a5580c5e310 |
| SHA512 | e2feffa92a615e9f83b528be919d530db871c0c10ad5080c94bd3d8e1a3f30e707e16ab4baf20547d2f784bc217953314a0992cdfb49a0ae97eeab6e1a6f5754 |
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\38975140460\tinytile.png.exe
| MD5 | a223774708f1cc2430e4a000c37d07de |
| SHA1 | 9661f91f0e0dddd3f5663c648bfb88b75f78f290 |
| SHA256 | eeabb053ca0e9cfadf76606aacdef804d574b9306d9e7dfe1f96b9ea2ebefb5f |
| SHA512 | dd8e3dabb27bb9db5302111e32243acc8269d879e97d54c558d120f313d8f72b77f4c494d470bf1a02a325ce0c341714389cf2fedeaaa163ad28fc4d50e072c3 |
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\6501008900\squaretile.png.exe
| MD5 | 6ce7874d4741ee69a49648d04d82fde6 |
| SHA1 | d9a69c5f3af79fe162d659139a76149036dfbe49 |
| SHA256 | 873b0578c1024fd6a714efe0d5f2ae7e615ac13c73dd81d9aa681abecef0d76b |
| SHA512 | 69ca2c2a15cd1775ae1dfbe6bedaae04327d635323c4ef1bfc7209ae992f959b7b90ae791b9ae350dfdb11241c0cee9d82108b20fd8a537c1787beb38d2ec962 |
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\6501008900\tinytile.png.exe
| MD5 | cab4332d9eacf71cdea711d4f639f5d3 |
| SHA1 | 2e987b60cdc66ebd1a41598eacdbd661013fbf03 |
| SHA256 | 2132d270a48444f6446a8d5cb70a9046378c3e3d0f4b269eb5c836c2b66dc02f |
| SHA512 | 59ee2afcb6b1253dae085efd95d128298c4d1b0caa969edc673ae584d53d5043291e643cf5c6c39c554bd5130c4aeb8494cf1bfaca7ce1b06905260d59aa3aa0 |
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\7603651830\squaretile.png.exe
| MD5 | 4162c399611cd28afb5ae57cdd53e60e |
| SHA1 | 693efb9f7ed83140895b52e56e284d5a2bb207e3 |
| SHA256 | 7c4afcd62c90de9364dabf9c6b342e6eac2ac8152c708796c56b63314a5badbf |
| SHA512 | 57e64dcdd79e683c837723e190327ff4c8ae386b7b05258c2447783638c271a51e544d0d1b473717154c60283bcb8d859487355c438e68832f906cfd8bbc20e3 |
C:\Users\Admin\AppData\Local\Temp\yEsO.exe
| MD5 | e616cac348ea5dd9c24eaeba0a34d5f8 |
| SHA1 | d7981af4c2a0f9cfa4b909c2ebc9436395875e42 |
| SHA256 | c1c1854b369fae76f6bf6b69c9640d958c5dbe64f8fd6381427e2f268687dd13 |
| SHA512 | daf70c9470cfd43f295a4ade45849c383c12d97bad8cde12b4916fb2b7d5229496dcbcc16bfbf907b3a0533faa7daf3e3af4c864a483c75b374ff35a65aac9b3 |
C:\Users\Admin\AppData\Local\Temp\SYkE.exe
| MD5 | d3c93a7fda64aac56738e74d3b42ec96 |
| SHA1 | 14c2d9149c6debb5b1d05628be316f542a0c7595 |
| SHA256 | 8756d96ee1fb47a2ba9cb99eb8190530b7f54adb15c7bd2bc510c28e0f918672 |
| SHA512 | db589e2f2cabbce876a2622324500b3c04c8cd999d26cd8d505cd43e11032654481c97abb1079829a1749953c6f7d71405ab153e9b3602af0bf033a85c11f444 |
C:\Users\Admin\AppData\Roaming\LimitDeny.zip.exe
| MD5 | 548a2eeae5d11a47f8f8687576d7ec80 |
| SHA1 | d20024158c0e69e970ab64e6cfecdf196d4d10b7 |
| SHA256 | d00ecd9fc61dfd40470f03ffebcf3f3a5f507db2e428944d04b759805de5ecc4 |
| SHA512 | ef1b602244f2f684538d43f183a2fe6d873b0e0e556203e1567ca4415e2d6cdb3150074a2a1382149c2cbb2c41b940fdc8184dfe61d6413bc772485f32e95f23 |
C:\Users\Admin\AppData\Local\Temp\osoa.exe
| MD5 | fac6c81a827d9be3c06ae63542266f8c |
| SHA1 | a905fb985a01520116da03d724da7eefe24e7c5b |
| SHA256 | 9ac0decf9b801ef2085b81f6f07786fa367d60f813ed10d680c90a9cc9a9c040 |
| SHA512 | e54e9eee1e926a0159ec095db58439aa65bc1612de9aff694322622bfeb15afa0d31e6a9c88e94f8159f970c736d1165be21f1b125ecfa3eeacbbb732ab51c49 |
C:\Users\Admin\AppData\Local\Temp\qEII.exe
| MD5 | 86f71b6acaf6cd2754fc07352631c4fb |
| SHA1 | 89c38af7b82deac282e22e7bc048413684457dbc |
| SHA256 | e5d0761f1403c2113cf7ea1fc56b647d7a38aa1dd5b85ab69c2fa1a31db12a84 |
| SHA512 | 9e45fd7decede4633f37fbea1db5c718e0040fca38ec1cf4096a0e7681a5bac1bf186c72947d55071035bd57227914f4bc396e81cd8199c6c01a21123e3a7234 |
C:\Users\Admin\AppData\Local\Temp\GgUo.exe
| MD5 | 8be7f6651c533a36571d833977ca84c2 |
| SHA1 | cd2bcd0f21860f696d0c099132ecf937eb7ad877 |
| SHA256 | d19aa506e8fa35efabe87322af9099fc3b1ab68e765790beb83b974023af9b98 |
| SHA512 | 3f3851ac350f4c329acad86a0db089995ae0315a6ca33659a341c89adb4d6114d9390b0cb7b2c3672b26ba7cfdb910553a74ae7f91c70ba9e8b4d69d3745c24a |
C:\Users\Admin\AppData\Local\Temp\usEW.exe
| MD5 | efc9c1c7237171e7ffa0387541efc695 |
| SHA1 | 60b41acf238ccefdc97e99d1c2884a0b145d8a5e |
| SHA256 | 1710d7f7020e0734afb3ed65c8365417e557f6b42d0802cf61326f5219d0571f |
| SHA512 | 1e178877bf4e0bd343a2aa2cfffa27b23358a42661103005edb0fd7ca39a60d7a54e7ac83df194c4698459a121f85208b8b7207572f0a7df98d941683b6af6a3 |
C:\Users\Admin\Downloads\ConnectBlock.xls.exe
| MD5 | 1ad35e9c978edb97f297e26b93ad65dd |
| SHA1 | be41971b6091da9d3960fc680b717fae06ecd999 |
| SHA256 | 8e90353be0e9d6e0fec161a5119eb10d56084059bd3b7dfba9b7667d4dc03fdb |
| SHA512 | a36bbde7a9b8db7dd1f5ce7e594497b0742198fe5caf4de7e117786c1a34821c271d179e159f2143db6d0d10891810ad56c9ed6de7d5f24ee4c444e187c7ee7d |
C:\Users\Admin\Downloads\GrantGroup.mpg.exe
| MD5 | 185276164f30a49709582430eeae0e75 |
| SHA1 | 0942b55d9d43467c72a605f1f598be91faf1ecdc |
| SHA256 | d7c5e16fe14a6c94d137e2298140bdf7acc2855892d1dd14d3a6090ab4f318f3 |
| SHA512 | 4a1541ea96b49d218a89867c6b5ab86581709fb3a349f8272e1a47a53eacdc769777f5d6211814bd0cb4471eaf02ebbc72f09136175b5009fe838e399a9db86b |
C:\Users\Admin\Downloads\UnblockRequest.jpg.exe
| MD5 | 6da70d500584fee8267bd3a6508b706a |
| SHA1 | b0b4f5c366031596feb408d5a9cb7dba470f1dee |
| SHA256 | 02c7c6819a043cd1cb93a9dec203215939435a513851a8f5db459e087ced0a63 |
| SHA512 | 276cbcb88868b180378a87524bafa28e89f29c4ed2aebb11c520ae7fa31fbdfbbc7ecd5e94e21c8a9daf586d137de06b3a8b343293e5d83f7e15c3dc96245e24 |
C:\Users\Admin\AppData\Local\Temp\KUUe.exe
| MD5 | 46bf5084ead3fc63e4b19c49d7abcf74 |
| SHA1 | 069f1e12e9596958f85f69ae85a7dca35bda94d2 |
| SHA256 | f6c9b127310fd58ceb31441f8a4c862f51fd2dd3bcca4f9600a3bbfc70a85dfa |
| SHA512 | 8028836834a6465b7ab892466cd719d04b4c79487a894eb8c625d22ea955716ace8e43bbcd0a7dbf7fcdf146077c9713fb0441b4ca725fecd61d23126530acc5 |
C:\Users\Admin\AppData\Local\Temp\YcIm.exe
| MD5 | d0e79822a7a5b7df92bbacafd3752762 |
| SHA1 | f49c8b0108a286cc27dfd2d831ca2fa04d53ee34 |
| SHA256 | 3004905876523b382016d89be33e5c0dfc5f0d899a773cc259e9e5fae206276e |
| SHA512 | f7443bc8729f5270c2af18f7d046463fea79a038c069aaec31b5da21d187cc3f99287fdd7eb6dbeeed63a50c6ffb973fcbe92dd383283485db684cb5dd25767e |
C:\Users\Admin\AppData\Local\Temp\EkYY.exe
| MD5 | 11cb94e49dc5a0d4f6bb5daf95e45d16 |
| SHA1 | bc1f8e5e7574c77c154dc090df97640f362bfe5a |
| SHA256 | d30ae32f63efb7f73483d0426836fa9dff223963ebe416c73e48627a29e52f68 |
| SHA512 | 80dc267ee6f8ec01f197707deaf7c64ee60cce3a51677f782f8b29ba3e3b1b4a0618162f2228c56e8a1dba441d166da3050d19a6b9060163f04062f052f08016 |
C:\Users\Admin\Pictures\My Wallpaper.jpg.exe
| MD5 | 08b4b0ca0e26482577caeb5779100d10 |
| SHA1 | 61dc8eef5fde100c9e56c176392c2d6759e7d789 |
| SHA256 | 2e7d460e3e7e4b51995f2035a44e58c869ffd40393c14e8621adc9bbcea0a776 |
| SHA512 | 9169b42ec592def74a08416429b9c4832464f8f3a7b9a3865035e903f69e3c5691bffcef74e0c85338dcea0f0f9916142fac9ecc9ad983c5da77581773862984 |
C:\Users\Admin\AppData\Local\Temp\OcQK.ico
| MD5 | f31b7f660ecbc5e170657187cedd7942 |
| SHA1 | 42f5efe966968c2b1f92fadd7c85863956014fb4 |
| SHA256 | 684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6 |
| SHA512 | 62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462 |
C:\Users\Admin\AppData\Local\Temp\sQoG.exe
| MD5 | a7a86feba30712464b71230ebe9839f2 |
| SHA1 | 8dbcd342fa467e6324b6e1bc5d9875c785b14324 |
| SHA256 | 6e06d1e83d00fe487694b2b467e6f284a625f640f975bd73d0101357d175efa7 |
| SHA512 | 67ccd9fbaa7d5a9eeefb938cdd4b3ae98df8494a69f4a742a5677426fb8e84d6b9df0b9444bf67a5f41e15f9f970c209762446d9db90d4660705af828a2676a0 |
C:\Users\Admin\AppData\Local\Temp\KQsu.exe
| MD5 | 04e7e0c18bff94069080d85ea7a6be71 |
| SHA1 | 64d8eeedc14e778d9c41fea6f60e17ed744a2ac8 |
| SHA256 | aba50d5ed639d5a36a0c8f817090f6503e82d23903748483be0b0ab15abd2504 |
| SHA512 | 1af08df743f7156c907e7637178e50b691c3dc601df33f8f512baeea3ef31fde2eb3fa46de7c37383cd93cbdb296e74b4f0b9c8093fd8959ff4de25fdc8572f4 |
C:\Users\Admin\AppData\Local\Temp\mAEm.exe
| MD5 | 16e39f2e923b9a472a405f7d617ca203 |
| SHA1 | 38f77bf58bc5f39545547ed747913498acb60737 |
| SHA256 | 968be72a14f57a97980b7ceabe841f338c88a34befa3f299c1547d2fe7fd8bc1 |
| SHA512 | 55b9921a8f743644162b5c11b5f0e01e13430a9581ef3cd49b918c3563d89d518c9ee2d95488720152d3927c3f87603be3629eeaa42b32d3b7a23a6a9e3633b3 |
C:\Users\Admin\AppData\Local\Temp\MIoU.ico
| MD5 | ace522945d3d0ff3b6d96abef56e1427 |
| SHA1 | d71140c9657fd1b0d6e4ab8484b6cfe544616201 |
| SHA256 | daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd |
| SHA512 | 8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e |
C:\Users\Admin\Pictures\WaitConnect.jpg.exe
| MD5 | 3e464b843f493903923ffa0bd466ef0b |
| SHA1 | d46821e6505d30501a8268c3a726af6381ffd886 |
| SHA256 | e5cf7ca69c527cab89a0601008120f209cd06c63badac999ef223362888da08a |
| SHA512 | 411a452af0495a362631b5798a4ded7f4e01ee7fa111cc5bbbd579ff82503b5570b8f59014bbae7c80095dd5a0a6724a9e5d1f05ef82e3e53e0adf52d114cdd8 |
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe
| MD5 | 4f17ff0778cbd445e64b20521c5dcc05 |
| SHA1 | 117269d7e28771edaf3f8dd1c46ebeb2e1c86111 |
| SHA256 | bf15b54ba8f03eabde06f8f6ba02c5cbc32dd8dc070c5122e17bc186924a830b |
| SHA512 | 59af32a3a372ab7acd82b879fbd24e8790ee28d05635944b4603eb6414ecc2f7067d34ec11ee5170f6f33bd43895d2264eeb58d77a58772524dca91f0c2f065e |
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe
| MD5 | 91f48e93ff81db58ea1b6ff6267a52d5 |
| SHA1 | f7110d2828cd79d6785d023c4d51ed94d81b9653 |
| SHA256 | c93170b2bc4157d0ee5fdc400cb99d68c05b7113eeb805e3da9ca870af747c9a |
| SHA512 | 0ca6c25d6f5519e8f3de881abb995173c01d27ecfca35e25e8e373198a60a5748275440faca921ce71fcc7e3ef35eda15fd564f29ab79dde2543150be12d679e |
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe
| MD5 | 386b49d4d1500cc7d1c2aed53ca96d54 |
| SHA1 | 06737215b553b3d18e04d31de6a8750b25fab906 |
| SHA256 | 75c6b0c182ad3ea166a91edbac467cc6b283c50682f569f609eb1984dfc97c88 |
| SHA512 | a81ac2037330c04851283d3569c33a8c904e71dee610c3dab777d155f34245a5bd439fb2f6b8116d2986a6472d3b2bd56c06b7c60f4f96cf79cbcb78021947fa |
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe
| MD5 | 8c674e7b1f44e81ed436a58a0c76b68f |
| SHA1 | 6ee6a9df9ed4a67776ac84846fc4ffe0bfeef735 |
| SHA256 | 28f80d1f62896c3eecf744ca07ca1a17b13df08e429f0d7745f5b5fad776d236 |
| SHA512 | cae2aed39aa2331964b5e89cdd11d929b3f3eac30a571449d1ee5255c2d5717c97267c9b2ca76cc4db77656a0b94668123c804f25dc09ef3a59106f429e128be |
C:\Users\Admin\AppData\Local\Temp\gYQW.exe
| MD5 | b23448df8c6dfa9b7280142efa4fd44e |
| SHA1 | 6eb24bdec9882ed8573ae1c9ad73d77d36a15c40 |
| SHA256 | 268c10311114a842610615c4e6480dc741cb04d6d4ddd6a4e87f1d1b9b3e4851 |
| SHA512 | 01e466b711dac3013c4ce53ca66a69488798fc63bbad9942e09072d9407428f5e3dc71eefac56303564ff5aa0118bb69616e91d7d62c56d61dc0123e62e817cf |
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe
| MD5 | 1b76d5bdbf0b633b5df3d923e06f01fd |
| SHA1 | 8ec4362e518d9f508dc4dce751ec4116be369807 |
| SHA256 | aa617f2d771725c3c1cae636a29e72529406c1df3cb65a27bbaaa5328a8fea20 |
| SHA512 | 6e46812ab9ebf1bcabac476e6ee4a3d019facaf636a1f61c0f64c3a86bfb5a09139115a456d77def5de29778354e5a89944fa103a88f2e10051168e1f191c28b |
memory/4824-1660-0x0000000000400000-0x000000000041D000-memory.dmp
memory/3744-1661-0x0000000000400000-0x000000000041D000-memory.dmp