Analysis Overview
SHA256
3c17e906d9149bcf28712a3037e7dd455f7ac0fc159c2f61a2130303c80bb6f2
Threat Level: Known bad
The file 2024-11-04_0048ee167026646b746be0135974898b_virlock was found to be: Known bad.
Malicious Activity Summary
Modifies visibility of file extensions in Explorer
UAC bypass
Renames multiple (85) files with added filename extension
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
Reads user/profile data of web browsers
Adds Run key to start application
Drops file in System32 directory
Drops file in Windows directory
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: EnumeratesProcesses
Modifies registry key
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-11-04 02:47
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-04 02:47
Reported
2024-11-04 02:50
Platform
win7-20240903-en
Max time kernel
150s
Max time network
123s
Command Line
Signatures
Modifies visibility of file extensions in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
The report lists this identical row 64 times; the repeats are collapsed here. HideFileExt = 1 makes Explorer hide known file extensions, so a file that has had an extension appended (see "Renames multiple (85) files with added filename extension" above) is displayed under its original name.
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
The report lists this identical row 64 times; the repeats are collapsed here. The signature name is the sandbox's: EnableLUA = 0 does not bypass a UAC prompt, it disables UAC altogether. Standard users cannot write this HKLM value, so a successful write means reg.exe was already running with administrative rights, and the change only takes effect after the next restart.
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\WyAYcssw\dMIwYgQM.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\WyAYcssw\dMIwYgQM.exe | N/A |
| N/A | N/A | C:\ProgramData\WugsEkss\tIkIkcQk.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\tIkIkcQk.exe = "C:\\ProgramData\\WugsEkss\\tIkIkcQk.exe" | C:\ProgramData\WugsEkss\tIkIkcQk.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\dMIwYgQM.exe = "C:\\Users\\Admin\\WyAYcssw\\dMIwYgQM.exe" | C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\tIkIkcQk.exe = "C:\\ProgramData\\WugsEkss\\tIkIkcQk.exe" | C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\dMIwYgQM.exe = "C:\\Users\\Admin\\WyAYcssw\\dMIwYgQM.exe" | C:\Users\Admin\WyAYcssw\dMIwYgQM.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico | C:\Users\Admin\WyAYcssw\dMIwYgQM.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\WugsEkss\tIkIkcQk.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
The report lists 64 such rows (36 from reg.exe, 14 from cmd.exe, 7 from the submitted sample, 6 from cscript.exe, 1 from tIkIkcQk.exe); identical rows are collapsed here. The key is read by ordinary Windows binaries, including the reg.exe, cmd.exe and cscript.exe instances listed, so this signature is low-signal on its own; the dropped executables and the reg.exe writes above carry the verdict.
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\WyAYcssw\dMIwYgQM.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe"
C:\Users\Admin\WyAYcssw\dMIwYgQM.exe
"C:\Users\Admin\WyAYcssw\dMIwYgQM.exe"
C:\ProgramData\WugsEkss\tIkIkcQk.exe
"C:\ProgramData\WugsEkss\tIkIkcQk.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\xSMMsMEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\TkkoAoAU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\HSMwswUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\yoAUQsco.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\WwwEIEYY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\mssEQocs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\iWUkMgYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\zcggMMkE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ToUEssgI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\FcAQEwcs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ROUAwEAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\aqoIccEQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sMcQwgQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\yokgIQsY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\qqQkYEcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\PcoAEAAM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\JgIsUYQw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\REkAcoEw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\NcUoMAMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\NIsgwkwk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\qUEUQMII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "12518218161391460655-85984382649198901-278948205-17841816271350463942-1804390812"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-10649611915970547531039333759-2090917945967881112481843782-490601090350255811"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\YAYEkQUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\geooQoQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\CoMocIIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\locwIoIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\dyIccQsE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "4343224125793115991753579965-193505188349374951678300994168921776433293345"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZOssMMIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\iwgocYMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\KuYcoskQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "758904517-847096835-1533550894-1661150532192741209520830164071743986104-327410566"
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\UmswgYQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\wokAEoMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-66416727150973765511851458582142864324-597587190-18667501368522586891448153558"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\bEssMQsc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "172273851495189270-573148569-15099915071904105597-984421825-7719485681490676618"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\BQwAMYoE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\hQsYUAUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1909967354-8119350461945352560-1667795300-69523957620142635556271239351152909273"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZecoEAwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\KKYYAgMk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1877304133662850475514259428-356845298-1697582398-1015421311470397811-1162138323"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\EUMUsYEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\QMMokwUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1927006613-435721624-674169804-176979931984237432752565654-1916972714-57994192"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-374006034-834159066-1816625840-1689501264309669323282051905-487225849-152592202"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-5994623648739343611450878233-83935713314218559515319512631862742620-291052617"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\kqEwAkwU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\fgkwMUkY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "794721441964201579195973261157844762112807915-46114228118713767481866221082"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\DOMsYksU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1731026283-1321231442179767238953958001752840282-19006387741752025827-766119340"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1426671853302447857-3743683621928405101-1111462763-212187045513658347171744783653"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\rGksgEww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\jakYcIMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\gSMQgkAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\WaUMMwwY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-11115145642134214763-742205168-2001530114-12771934861513544383268219282-1361547163"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\yUsgQkEE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\KyMcQoks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1808997201168459752321095790481913673924-2797078871245303991-561455734-1287856725"
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\TIIQEkoo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\xEAoEQkY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\AuEwMssI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1892987260-1942200621531329214-2139997756-125751248403548772906577220-1602006810"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\AqoEAAYg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\mYocwsEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-315378248149835021766155608-1929704828-1775337729-202571022214582235011732670091"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-247484656-209927603115033419481428301227-767160699-1401054130146636495-698142472"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\soQQMIIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\lckMssIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1502300778463750224123388972021224242732038619234-41863369619584779211428031585"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ByQgosgs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1253990066776462411-1910555873-20913070841032279834-228571075-22840965-1275974317"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\rMMQUAwU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\SmogkMMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-19785499181569462284-1791121078-745768160-11034149681745162130-102946889401104555"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1707824461386951291344095835824270908-1357707721085102050416823280791627876"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\yIoYEcEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-6195060053165974631155841744-1016919476881404006-1675285271701219720250230939"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\umMQAMsg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\EeEgYMsA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\DAsgMAEY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1686020129-1850368399198315608519867326591993106342-858760243-1639578772-2086066225"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-5242705618214757911816264110187279220923967271116173979431571365971085747516"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1274777975-793807226-1300017968-117505087-145669432286892538413209688721745256880"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\zOEYYMww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-13928103851001683711-133230985-1460255767-1885356545-610882762-1333443405-1544707898"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tqosYMUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2026454724160118150219447328571713068331162403509985182633-89778491575233753"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-103793250-1029662274-1819301594-1442158085135738684510499383208895667311087648722"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-86013103617206624621705428214-1056635791-60577819326196542-1870162730-1184411147"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1347308781202137428857634752779183461188579436407300461-1559658911915233251"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-566196527-285513514761181442-1814396609-1806144745945018009-1535369231-1724518878"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\TQYgcEkk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\KSkEEIcU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "614839180-1755893728-837083397-412549529-1155013745-1727357301-417134271-1699495544"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1416481714-1915837351751338094-1342151057-1574294193762365190-651076174-1583187288"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\qeMUkMcg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1527697940-13135311683604303821942703349-460942581205043496031533698414058418"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\yOQgIAwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2020137730-98728934-498783299-46914720-17163002021044331342483781586-1844417021"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-12211227411485691219-302379124-19381425211711313871-751861069-1264503131-1520139520"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1898883273-848674021-17638645291588182393-2023368915-141643956218780144042040005568"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-12487360197871669-1517029550-1570601884-1690254591-537469713-2104184784-3264363"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-19196095501469885931-1090388800-377445558-2039612000-1466095176505804041-388605535"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\wiIcUUMs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-442215330-793046974-994573400586054912-13254308577288764781248224683532358142"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2005261807-588989253872329488-8007333421647882036139990298920199641691313278691"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-14813707831204082027-6865981911738108706-799212336-426017515-13290942091850831830"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tCEAAYMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-10484362132139556195-9252496901350612266-10972765021038030356-547761800-2123961432"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1546995415244320675360622-1417090138-415838353-1507287310-1335664819-1558337754"
Network
| Country | Destination | Domain | Proto |
| BO | 200.87.164.69:9999 | N/A | tcp |
| US | 8.8.8.8:53 | google.com | udp |
| US | 8.8.8.8:53 | google.com | udp |
| BO | 200.87.164.69:9999 | N/A | tcp |
| GB | 142.250.200.14:80 | google.com | tcp |
| GB | 142.250.200.14:80 | google.com | tcp |
| BO | 200.119.204.12:9999 | N/A | tcp |
| BO | 200.119.204.12:9999 | N/A | tcp |
| BO | 190.186.45.170:9999 | N/A | tcp |
| BO | 190.186.45.170:9999 | N/A | tcp |
Files
memory/2372-0-0x0000000000400000-0x000000000042A000-memory.dmp
\Users\Admin\WyAYcssw\dMIwYgQM.exe
| MD5 | 6e3870341323472b0ffc81f9eead5979 |
| SHA1 | 64c3b1124cf5527a80ea5b4655ff916e06c741b1 |
| SHA256 | 4ad97bfa7ade17eae5aa587dd1b30258c56c50ad49c9529cea19b8b7c4c093fb |
| SHA512 | b8697852efebbea74a9ae67706b2047ab71bd83e569a169690dce33654b7fb4a2c520bf994df7785c204a78ea8ca4d8c058d020281d90d6229a12a1619eac5e3 |
memory/2372-4-0x00000000003D0000-0x00000000003ED000-memory.dmp
\ProgramData\WugsEkss\tIkIkcQk.exe
| MD5 | e5f7df2986a13d9ea1d24621e1ebd2d9 |
| SHA1 | 2623dc1f503c1d48ebf68e5d7f37cbcd03daea9e |
| SHA256 | 647685ecfabcb248054c2d633eb97f4a40241b96ac868a662b9a6ed2bcc49d2a |
| SHA512 | 58776b1ebeaae03109d154fd69ffb45bcd86fe1cda75799740bf067d6d25967bb532524e2c909648c87aacb7296d8c219042667989a8e63e3bd03b3c1ea5d4e5 |
memory/2372-15-0x00000000003D0000-0x00000000003ED000-memory.dmp
memory/2268-29-0x0000000000400000-0x000000000041D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\zEQosEcI.bat
| MD5 | d863c7221342d691eb0cb9a38d594848 |
| SHA1 | 1148027f7b7be04bbc18dee3031c6aede2f344e3 |
| SHA256 | 0f3994c9756f1bc9eff4979e34edc5ec60fcd380e205ac2a12799e90773ec948 |
| SHA512 | 688997e802419810f117d5503b6bcc579be6d21f8c30f7b17539706ac3c384be301a750b7db08e245b37ab7da4a427cd1698cd7b6f89d487e9a603526b488567 |
memory/2736-32-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1444-31-0x0000000000160000-0x000000000018A000-memory.dmp
memory/1444-30-0x0000000000160000-0x000000000018A000-memory.dmp
memory/2372-41-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xSMMsMEo.bat
| MD5 | bae1095f340720d965898063fede1273 |
| SHA1 | 455d8a81818a7e82b1490c949b32fa7ff98d5210 |
| SHA256 | ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a |
| SHA512 | 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024 |
C:\Users\Admin\AppData\Local\Temp\file.vbs
| MD5 | 4afb5c4527091738faf9cd4addf9d34e |
| SHA1 | 170ba9d866894c1b109b62649b1893eb90350459 |
| SHA256 | 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc |
| SHA512 | 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5 |
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
| MD5 | d342c2b5f3d16dc992db22cb737ad617 |
| SHA1 | 615a98744fb22809454b706174597a4d6b6d128b |
| SHA256 | 0618d6fc5a05288bb126eb258fccfe7697e194022a57206671a172a39bc5e486 |
| SHA512 | 4f773f0cb331d46e54f89db7af96be8cd72689cd85d6698d9737052ca088c30e9bc4064cefc277ab7b65b76787735956702f6c7b8f048cabe46c2117107953d7 |
C:\Users\Admin\AppData\Local\Temp\NMIMEIEI.bat
| MD5 | b7015b249913d6dfff62cdd700f41030 |
| SHA1 | 8e1e3a4f6b992f6e2be272dff6844ec2328645e9 |
| SHA256 | ffd4989fa0fa61fe6820fa707d1a5c680bb6ba3c985b84a077d89b65d71e7abf |
| SHA512 | 33927d5acbf516f4478b08be7a3b9c8ccef7c096948e8950893ad329f1f30471f0091a0d6a84ca749945e1548e8dc58d5ebbf5efeab5f1bcdf7949fcaca37122 |
memory/3044-63-0x0000000000440000-0x000000000046A000-memory.dmp
memory/2736-64-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3044-55-0x0000000000440000-0x000000000046A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\vIMQwYoI.bat
| MD5 | e2b5272588c72d2b796725bd86b4a7e0 |
| SHA1 | d79df26e33b8b5c313b1a77768f225fe3fe37bb4 |
| SHA256 | 74367c2c78452c234c0f23ab88f6bf3f3defda6c710e63ab2a7c5108e21f4f5b |
| SHA512 | 9e3eaf45590db3416271bcc6c30f9f7978220c30e2d74eff8d84441eee970fd7fd5eeeb572f091658521e0509208f43c4624c96d10ab7c36ef79cc2938731cb9 |
memory/1300-78-0x0000000000120000-0x000000000014A000-memory.dmp
memory/1300-77-0x0000000000120000-0x000000000014A000-memory.dmp
memory/2004-79-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3052-88-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\SooAcAIc.bat
| MD5 | a6ae421298a7f94037d80b635801e5aa |
| SHA1 | d142023cc285b2a09d48541ee662b2f8737431b2 |
| SHA256 | 611f8407d9f7a367c44f00a6bf0190d2938e8e541e721c00669e48effd120cf8 |
| SHA512 | c1b0e9e1cc9e036b547fbb2832b25d8106c803a73e4ee70f04d121e7c35eaa4fd1f800da2f656f04f2f01c148a945944a9c86a845567a55d469c46ac4b14be95 |
memory/2308-101-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2308-102-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2936-103-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2004-112-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\meIMAUsY.bat
| MD5 | 6eecb900da40ed5d6eb53232aa77aa20 |
| SHA1 | c72654bf0438cb38218db6496d2b2fe5efda7692 |
| SHA256 | 0f2fdd80d31542307d2fbca25e594620fd3366f07a94d716e5cf046cd54ed047 |
| SHA512 | a5e7db8a71535f9750d32be18f096d310f6ca369d5386cb602aa0091cbea16faee1b6d8cf462b315f3894eda10e29814f2436bfe9674441aa27c6a94a676a3f0 |
memory/948-125-0x0000000000310000-0x000000000033A000-memory.dmp
memory/2936-134-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\UIUMAckw.bat
| MD5 | d6fff3413062045df5e2caae2297f25b |
| SHA1 | 98a78b59eaf23bee9d646299da55e89d6cb41e9b |
| SHA256 | 7f093960aa7ec073ae78bbd417be162cf11deb0ae74a73f520779073c8ee6f18 |
| SHA512 | eebe4e3034e82ec12656f86106d7a7c8303076ace698679a1758889e7a50c72b8a76b3e1ba570ddfbeb4bd764317f3372f1b400b15a11e1b80e77a812fe3dd6d |
memory/2184-149-0x0000000000270000-0x000000000029A000-memory.dmp
memory/1364-157-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2184-148-0x0000000000270000-0x000000000029A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\EikEsAAE.bat
| MD5 | 7490da92f3f399dc20ade21e5e4ed784 |
| SHA1 | 23cc1e97e01b996c5ca38af2cb0c74734c46c753 |
| SHA256 | 0ebdb6239370bdc8d32a7925b8663375435214c9a8ba77b8e52e5f5af1adff86 |
| SHA512 | f7298fcfb39a586fed96a41a02dfbfda1e655692937d615a41b82231dea52a29c0241bcf8dbc8781348f2f501f123de4191f5fe8c7337ec65f29b1e4aa065cfe |
memory/2980-172-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2888-171-0x0000000000160000-0x000000000018A000-memory.dmp
memory/2888-170-0x0000000000160000-0x000000000018A000-memory.dmp
memory/3068-181-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RiUMEcAY.bat
| MD5 | f5fb02ec9d1e9ddce306e16554442061 |
| SHA1 | c8b8c75ba275bc9d326d2a3d2780648689ab9f69 |
| SHA256 | 5ed3e4b38b43546312644dabd7eab4296ffca3b7d1476461cc43779761b0cf7a |
| SHA512 | ad4f2e243f882cef1e10663cc71e765f2fecbe3442256341457132028720fff21778b7a4b7293a096eaf76b5c98fd3b79014240c143f13ff1a4177ee005a83c4 |
memory/1436-195-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1648-194-0x0000000000120000-0x000000000014A000-memory.dmp
memory/2980-204-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\XesswoAc.bat
| MD5 | 36ba5b8bc186b5110d2e785f141c2217 |
| SHA1 | 72e692e6266cd879b4288eb575d88c6c3354443a |
| SHA256 | 497c925a1234b01e97bbe4e30889bbbacc506af4584b1eac769b1e1c54787bd4 |
| SHA512 | 97d5afb6ca937c545b753cfc39609e4c82a0bdd93c2adedd9526df31b667926d2f86c53d21fae59905743296fbbe5281058c8ac1d730cee53bd942cd13dd1c37 |
memory/1640-219-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2676-218-0x0000000000120000-0x000000000014A000-memory.dmp
memory/2676-217-0x0000000000120000-0x000000000014A000-memory.dmp
memory/1436-228-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\PeYkUYck.bat
| MD5 | 3853d8909cc367422ff88cc66b91a3c2 |
| SHA1 | 71781559243d28cc63ae5e39790c90e15b056894 |
| SHA256 | a28c382efaf2aebd552dabe24fbdd480d9b98618701b86a4ccbb088d97328000 |
| SHA512 | c9ee6e5f2df2dcfa0611f7f758d69af0444bb34966f909167ac3ebb1dc9cf3bc6675edf68e853665465f556a935439088004214ab605d77465c71e5cd77eb09e |
memory/2668-243-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2208-242-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2208-241-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1640-252-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\PsoAIUIY.bat
| MD5 | 5c7bb030f3599abfdf1c5c77de0f1bbb |
| SHA1 | 546369b0fbe3e28787fbf5ff0fadd4757bebb58b |
| SHA256 | 330aa366eee242e6a0c8f1b55c897b2efbeb15ff5018ab244b1740f8effb2b6b |
| SHA512 | e78212dd2744f1406b9beeefc16f8cca520bd489a73e3540bb53253fbeae92c5eb35a3dfa230f3f9ee16f784047da829c717b736cba0ecded1ea365aab7b260c |
memory/2552-265-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1732-267-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2552-266-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2668-276-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sokscAgw.bat
| MD5 | 2a2043f3ea239c5c04058348ea46cf39 |
| SHA1 | 385b9cd6ead747e4a7eab1ee9a9929705024f259 |
| SHA256 | e9f923f0709df17c3f133cc02ca5118e585d1ec0b893b64f3eb751ab18d92d36 |
| SHA512 | b7f19e594a73430f0241e74443061b41d674b68102733bb808ee24b448625ef67e8b58fc6c78ee525f9ab0334472c76f39446b9de7f67a4225927dcc6427f3f6 |
memory/2188-289-0x00000000001B0000-0x00000000001DA000-memory.dmp
memory/320-290-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1732-299-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IWUwkoUY.bat
| MD5 | b7ed745949b184e701ac6da3f0e22dbd |
| SHA1 | d03279526b15960d043e21b8e342cf14c5706498 |
| SHA256 | 1292b47f5c308531794f81f54db4b73735f885e41c3b6e9486131cc5aaee1498 |
| SHA512 | 9c02ae94085197459b15d8cf3e6dac416d5e69a6939afa56b55c1608499ecb0607afac012a6ebdbb9163fc619b29889eeea44afe3174c8e5c12bf0e4b0c27d6f |
memory/2644-312-0x0000000000120000-0x000000000014A000-memory.dmp
memory/320-321-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\qyQEkoAk.bat
| MD5 | b01ab430323125bec4c654dae5d25265 |
| SHA1 | ec1b869df5857862775a74a77e71702696a66ade |
| SHA256 | 3e0c698dafb6804d2cb9c754afe5ab802a23f6572ca3dcb0fea18ff8190079bf |
| SHA512 | 75b2af0313a6234ed49c21b31690a50703f2f641e124e54a44235770606275f939d13e6f4065879021c7965a89aa27cc2cc43387cf67d099526243d147e6792f |
memory/2384-336-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1768-335-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1768-334-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2716-345-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CWckMIos.bat
| MD5 | 11a61833603c750f8ae210d07d6c7423 |
| SHA1 | d13d793e21a6189d2f171f1d6f245c2ea745323a |
| SHA256 | 3a45821b4cd2e0c1c678508ea353a92a5dc7265d8b33ad086b540707a20ccce5 |
| SHA512 | 9479f61b4405fc8eb04d35b540ee41fe06209689ce8b3ea78bd860f80deda0dfb80122abd1146d6a024051b6573b09410ec63cdec35a11d73f14196a3f426f28 |
memory/2472-358-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2384-367-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\mIwwkQgI.bat
| MD5 | e83816a80c4bc3c6630b29d2728e8cf6 |
| SHA1 | 07719f8e41ae52cddaed4aded4ebca3c2323e4e9 |
| SHA256 | f51571df0791670da5e5eafdeceba48a4b47ba3718a2cf0d89326dbc24989fae |
| SHA512 | eb4881145ae9857649e5e81834c83dc054aa0c26bb42adcadf58bdd8c400be669a7c530cd09a374b6cf101ae96d71a26af13bb5a219a263e0da5183a3a69f251 |
memory/2436-381-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2948-380-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2472-390-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xqEAEMgY.bat
| MD5 | a7074372206c27d1d0728b9932487d21 |
| SHA1 | 2d5efb852da5d788d94582c245dfc7dcc85fd241 |
| SHA256 | 0deb3586ede7a17c8e02ee847a2968fd395795309acd71dfa164ada5b783f744 |
| SHA512 | c1c418fbf735b9dd9baf9ed04f4b626065b4109705c3d2cacb64697069311946593eede1d6170f55263bcfd864f6ccaa643cff8447b48259e929304d62b4aeda |
memory/1292-404-0x0000000000400000-0x000000000042A000-memory.dmp
memory/332-403-0x0000000000260000-0x000000000028A000-memory.dmp
memory/2436-413-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\lEUUIUAI.bat
| MD5 | 1b39961e10ca7f6ecd369b78423cc8ea |
| SHA1 | 305be5bf6153a7482b2b734b298ea0c01f170b8f |
| SHA256 | 722dc3c4bdd7d2b6be6920ec8d13cf60e4f31bc711e6256ac447eba31a8aff4c |
| SHA512 | 08afbf95ee404790671653f0233021dfc684e7e7b59fc5a8f7fa255b378b68f31a393d04a1b5f91074b2c92a9f22fc7127f266bd74ff6945a0d971092a3bc1f5 |
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe
| MD5 | 9d10f99a6712e28f8acd5641e3a7ea6b |
| SHA1 | 835e982347db919a681ba12f3891f62152e50f0d |
| SHA256 | 70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc |
| SHA512 | 2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5 |
memory/2840-428-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2728-427-0x0000000000160000-0x000000000018A000-memory.dmp
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe
| MD5 | 4d92f518527353c0db88a70fddcfd390 |
| SHA1 | c4baffc19e7d1f0e0ebf73bab86a491c1d152f98 |
| SHA256 | 97e6f3fc1a9163f10b6502509d55bf75ee893967fb35f318954797e8ab4d4d9c |
| SHA512 | 05a8136ccc45ef73cd5c70ee0ef204d9d2b48b950e938494b6d1a61dfba37527c9600382321d1c031dc74e4cf3e16f001ae0f8cd64d76d765f5509ce8dc76452 |
memory/1292-452-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\wAYU.exe
| MD5 | f597d596ead7f8b39c1aad1b8edd7947 |
| SHA1 | 838d4331132a6633a1e592bb08f01a9cd67b3b77 |
| SHA256 | 0f6292355710bc910a08759e086b4d96f65bfe2071543ed4ed3de03257046f00 |
| SHA512 | dbe062875435768f7e6c4cfe92693b76905981af27e7ae75f5817cda8ceb0b8ddbffdf06e85f0971f236c76b78950b6530c4c0d00dead9b9269b41e7672e7368 |
C:\Users\Admin\AppData\Local\Temp\FsEggsIc.bat
| MD5 | d33e4d6921840e5e2745367dd25adce3 |
| SHA1 | eecf65defa90ce89cbd14bf4a60a89dca0fb2bcc |
| SHA256 | f15859a1b74dbfe02bc9cbd233fe38c09fa541e859cba5d388ede91e288df703 |
| SHA512 | 57c7213d7c26ed25ec336307697c3f39ea4b6eb5873b35a7a3da0934027d21cacd19b14fdfb94d6b77363ded191147659d42e0d065618d11f46f09c1e95009c6 |
memory/1816-466-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2840-476-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2512-465-0x0000000000130000-0x000000000015A000-memory.dmp
memory/2512-464-0x0000000000130000-0x000000000015A000-memory.dmp
\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe
| MD5 | c87e561258f2f8650cef999bf643a731 |
| SHA1 | 2c64b901284908e8ed59cf9c912f17d45b05e0af |
| SHA256 | a1dfa6639bef3cb4e41175c43730d46a51393942ead826337ca9541ac210c67b |
| SHA512 | dea4833aa712c5823f800f5f5a2adcf241c1b2b6747872f540f5ff9da6795c4ddb73db0912593337083c7c67b91e9eaf1b3d39a34b99980fd5904ba3d7d62f6c |
C:\Users\Admin\AppData\Local\Temp\pwIogsEU.bat
| MD5 | 9d90eecf8a01ed5ad58c3e621b46eef8 |
| SHA1 | 97cbaf3d6952382751c6caae6d3d1de85e020c14 |
| SHA256 | 27de765ce296cac7eb7c94a19939e07643730319ad3f2f4add23386de31fba10 |
| SHA512 | 59c21f113c62600d06381ed7e982c314b5f2f1f8d96a1a1d76656ef7aecc5b1bdf2e9c1846499df30429fdb61d238bc11095048046c401a61e5f810cacbe5e5e |
memory/2920-488-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2904-487-0x0000000000200000-0x000000000022A000-memory.dmp
memory/1816-497-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\QgQY.exe
| MD5 | b40af77548e0701e77d676c58c5880a4 |
| SHA1 | de37405fb1510a2d83f073fa8f831432fb965083 |
| SHA256 | dd745b2235e223cf9eb65afcaae44ba9a8a739786f8f9152d29d9bed8d9487b0 |
| SHA512 | 56b9f3ac799ad25b0b6993b1a7f6b7b1e875afda23bbcc5475df5ae7254d74cd701e9f76290b71839bb3ac93491587c2261eb41edcf0e0acc5e7dc595c4bf8d5 |
C:\Users\Admin\AppData\Local\Temp\KEYM.exe
| MD5 | 54935e450de716da7a5c0252740ffdfa |
| SHA1 | 666d5084d8e7cbda41896d6d0d72bcc429402ddf |
| SHA256 | 1f7148020344ea14bd8628d2d606cde5c0178ffff5fbd559b578b14f535bbbd1 |
| SHA512 | 4ab0d6f85a8fadd034406194964dff327fe5c792db0aa48e95e4bf506ff873e6bc64ed8245fbdb944115b590410a119bcdf7dc9104ed8f2c97a60d7b91133808 |
C:\Users\Admin\AppData\Local\Temp\AAgs.ico
| MD5 | 47a169535b738bd50344df196735e258 |
| SHA1 | 23b4c8041b83f0374554191d543fdce6890f4723 |
| SHA256 | ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf |
| SHA512 | ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7 |
C:\Users\Admin\AppData\Local\Temp\sUEA.exe
| MD5 | 68f270eb42484f8f6ce6c2c3d072c1fa |
| SHA1 | 59a6a190445f465740adf9872a04e3ce9df7093a |
| SHA256 | 1567634677e9f2e2dd248c2a2c8beff068927d461676d625410dc35d5c06cc5b |
| SHA512 | ff1b3c7db487a36867277f80294788e911743bb23d619a0c4e9fa9a7dcab156ec9d62aea9956a6f43fc11f18eb6a0db705fede663aac96034c66f1c458e1b76b |
C:\Users\Admin\AppData\Local\Temp\WEkUgoog.bat
| MD5 | 6c896130a457b85d5e6e4a415efa8d9b |
| SHA1 | f70f53c527ef9527e2f32e9d8ae27f8f6471fee7 |
| SHA256 | 301e71d4fbd1014aefd0947570d43746ace4a8239c67df62c9512273629e3373 |
| SHA512 | 28b52a0b0abfb354327988fe736bd46d8238177485c48f71cdcdf6c645fe6f8e564cc05ca8dc09df1ed6426cfe7dbbe8855fbd19d82c04027584de37511bfcd0 |
C:\Users\Admin\AppData\Local\Temp\SMgy.exe
| MD5 | 2b7b364446a6eb6194c3207fe2293fbe |
| SHA1 | 60f4b51c3d4065e33ed41e15c20fdb201c34d9dd |
| SHA256 | 31943c5f6eb66fbd23f783891bcb52ba784c146b1138cf7891b541ce91115083 |
| SHA512 | 1431104a321df848574953c5d35e6f72b465ce87b7896647700b3fd679e06f5d1b924d1522cc35cbe100cc20e2c7140fc51eb29ef944d26b5895251cbc64d050 |
memory/1744-561-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2004-560-0x0000000000160000-0x000000000018A000-memory.dmp
memory/2004-559-0x0000000000160000-0x000000000018A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\EAgg.exe
| MD5 | 565ada808ac531c04f02d65d4f6eb3b2 |
| SHA1 | fbba4f32a029b7f74ef6395ee3183b60875e9d56 |
| SHA256 | aa2a3c067a61115cd6d7878c3dfcb91db09a50c4a0fdfda52fa6136f102f2470 |
| SHA512 | aeb20231fa64a4c31d1acc9be64c493fa9617544388d1871311d781e07013c5c70727264aa14f191b7eee7d69264fa47a749c0cd84e0937f2b783d73406bf071 |
memory/2920-584-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ioco.exe
| MD5 | 40068f364dd9284feff3a3043e1716a4 |
| SHA1 | f03025b22742d2b634c84c82d9a421132f031a1a |
| SHA256 | a0cddc28a6bdd4adcbbbb59e5f825f8628b93d5705795eeed4cf5dde329c6720 |
| SHA512 | 42fb0186a40030620552b18e5b41023ab9e70e11d1cc3c0aaf06f9dcc8cc29d67ac725104907f430edd29b8ed2fb3934739eafd7b3077c619af756f2092f1982 |
C:\Users\Admin\AppData\Local\Temp\KAsE.exe
| MD5 | e31471b211f867c649f8bb0eb8d65373 |
| SHA1 | 71026d8cfae196e90f53d625bb54ada565b73c98 |
| SHA256 | f25d08deb60a3c45d4c82626363bfc26f23060a63dbb52b892a8b88fb08f0a0d |
| SHA512 | 9676cc139a7535c93ca8935562138ce50db46c40b042453b23978d854f2ec0dcd30017aa5818881356f431319b4c9ab5067b29cee60ca7b8c6ae7233148f7f59 |
C:\Users\Admin\AppData\Local\Temp\WcwG.exe
| MD5 | cec72c20d1b3b93ec2646af0992e6c57 |
| SHA1 | 2bd6ac319fea848e3fc4a173e66e16206b1e7bff |
| SHA256 | 1dc5485c5a49e3d5337c4fb988e2bbda148f62403b55bea2ce83241e2ade4f4a |
| SHA512 | 2a27b0774bf13193d9ec4d456284f6e718ebafe480fab139a5c67d8f8adf2321d56316d8918a9f3ec98feae44697cb92a952366907da83a6aea37e0afd1f4a72 |
C:\Users\Admin\AppData\Local\Temp\cUcy.exe
| MD5 | 22e4e7664cc8b8dfdd35bd94245b2556 |
| SHA1 | dc552cdc63e2d0319a0e4b000781eb37c082951a |
| SHA256 | 7c6a2d727754c5468a456c8e04c9951605724b237818dac33075595c58c9b66c |
| SHA512 | 732a44f182fcf162c8aad2b23404dac1b2d05c7a0d69434fce14bed473397214f29c6421b99c7a2ed5ee20bf7620da5ab4871e90bf2f6624371b53932b154a10 |
C:\Users\Admin\AppData\Local\Temp\aMoskcAQ.bat
| MD5 | 6b70afb4f7fc2293d31fea23ede2ad72 |
| SHA1 | 6e5fab9e7c9d481b02a8cf01588d69e3b7777f01 |
| SHA256 | 2db228301d7466a6cb1d8634b77c498743d9e5fa15c1da62c6ce1b8449d6eb71 |
| SHA512 | ef660c0b4cb3dc456fbcaec2f7e4bec4d82719fb0c3879d70ece514ceec2b76ede68588bc6b699ad5b2afbe62bba5c1a4b9eea09e694dbbf5cd6c38c275e6fbd |
C:\Users\Admin\AppData\Local\Temp\mIoE.exe
| MD5 | 6e5726113c32ce2a4b16a02c5648adf3 |
| SHA1 | e09d241acbdc31af0f7c0ea116bb12f14d533acc |
| SHA256 | 9287f0214f5d2d29cec2abfaf9631ac070dfd9ba490a8ef733187235c65d3aae |
| SHA512 | baf75f3fa858b8be8b31ccfcb48094eebed5547d3d16e60580023cbb4225b313e2836001f3b495649b308750b48f7fc374773e1deeb3ee19127aa1273ac7ee54 |
memory/1116-659-0x0000000000120000-0x000000000014A000-memory.dmp
memory/2800-660-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1116-658-0x0000000000120000-0x000000000014A000-memory.dmp
memory/1744-682-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\MYEO.exe
| MD5 | d812b3daacf9c7b16b266c49b2a52919 |
| SHA1 | ff48b403738b8672703e27c03a3bb729f6bb4203 |
| SHA256 | b737e6be217021e86681facff142024ad0e4fd0117f46db7f30bc745c8f6036b |
| SHA512 | 509a279459579c01dac5811abb9822dc514597022c6288cd4ffef11c8652e3227a5e945c17025fa4b6bfafe49e83c3956c0c507d60cc62a279413ba77c1adf88 |
C:\Users\Admin\AppData\Local\Temp\kUIw.exe
| MD5 | 3f7c2c887d78843b00b4f9790ff9a906 |
| SHA1 | bb70fba0b8963494e6709a2d9b35e8217982a501 |
| SHA256 | 85c50ef6f53d974e76e5fa11abc20c436c2f60cabf1763da221d1979becc14bb |
| SHA512 | 306e50ce1f5adfd22c3c46af4efe5c061d5f19e852a9a1cb66a26ad51e7d2189f346f4da4a6350cbaa14b93457dd990d2a153757b9834aa3d1074f023bb987a1 |
C:\Users\Admin\AppData\Local\Temp\kUQw.exe
| MD5 | e9a485d354911bf95779974592746939 |
| SHA1 | 8033d04962859e8925bcd06ce5e5b60b5a755f1b |
| SHA256 | def12779bd2b3715bf7dfa93cec05221c83badb569a85563ee03b4be2e23c8a7 |
| SHA512 | 8df46afd63b72c45607144a4daae2adcd85a2f91a726f5e1fd995f68ac8d9d062c83e7340d448d6d9b558598e5c3abd54b6f7fe9500863db5adfaca0e25ad752 |
C:\Users\Admin\AppData\Local\Temp\KMgk.exe
| MD5 | f02b41d5ce6b960064d3ec323058a672 |
| SHA1 | 3c01f3e46b1c84064317c53de93aa670aa8c26f1 |
| SHA256 | 2f2b8f44e78eb54e9a6758c096726cb48786ea688ffd6a15810170f35b883e43 |
| SHA512 | 0e8cd636c1384f92196a4314e3c497ac55c15c3dc5dbd8050dfb62b6959d54c25d4174a20a619a9e4ceca106425a86651ce818fb39898e0177b7143da218a440 |
C:\Users\Admin\AppData\Local\Temp\KycsIMcY.bat
| MD5 | b7a47144872b7ba18a6fbc1dabe5c2be |
| SHA1 | d517c0fc9cc42e8ff21336f2169f3e5df364eb94 |
| SHA256 | 6665df8b21f1d7632802740eb68e97bc1bc3c0d4638b36a17004b8c1e9c8bb0c |
| SHA512 | 63e36264c2aa0aff95b1133f95c158314734fd324e7f6b6021c8d51e8d32677262d8d2337169d29259138c72d6002224b20cdd7c3042fa0dd2d0a85dbeecd98f |
C:\Users\Admin\AppData\Local\Temp\agcq.exe
| MD5 | 59a71b5a5c4403e381adc67ef2be5bea |
| SHA1 | 2cf1ec6d6e8ec05a3e2f461962b0cd6c3120a63a |
| SHA256 | 248c1a77681117de35c7d172f17a44d2c41fbfddacceb68afb4718fed84db0b2 |
| SHA512 | 8dfdca94a05a2516798529cf464b50ca7ebddb1230eaee3ce2d0ef0e3c70308fb3011cbb6f644ad209395305907b033767402c406e8d105365882f19845477c8 |
memory/2932-744-0x00000000001D0000-0x00000000001FA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CAAI.exe
| MD5 | 5c6d8054f4ebf0a2a25b42b43f55a01a |
| SHA1 | bdd6bac4cc414c0fbcb08d1b78d2e707fddbda84 |
| SHA256 | 92d414ed017ffb9bbf82452435160c5aa60547891453314a58cc117d662f7de4 |
| SHA512 | aa1e32480ee41725c94d05fb08ec33319f58b19eb5211cc045f9dcd38cdb3ddfe9e0f451930ad883dbeed1f0c8544683444c38bdacb674438a2ecbbf20cffce5 |
memory/2932-759-0x00000000001D0000-0x00000000001FA000-memory.dmp
memory/584-760-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2800-768-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IEce.exe
| MD5 | 627146e8a35ee2e0c869cc7f1296a529 |
| SHA1 | 6c72f9cf029912326a3156a891e405d6c804a084 |
| SHA256 | 01097706b7fe93f30f9ae090f87810f98d448023f339744372c3e5a06c684362 |
| SHA512 | 28d128ec0426a5a43f70376b82f0f8931bb8205e10df05947ec81647160861afc15505619ec051de6da2c8c6f79099ce56d3fee5a825ff5df6aa4b441efb4658 |
C:\Users\Admin\AppData\Local\Temp\WckQ.exe
| MD5 | 1d5153753eaf0104558559c7c46b00ec |
| SHA1 | e4168a70b2fcc9465395f426a8364ac9885b6622 |
| SHA256 | e6ce076a1c402761099f26bd21b298fdaa4a6090078a8de3549d3c8012063404 |
| SHA512 | effcfcf042da97bc145b348af1f2dd43441f1775d4f82fb70f95dff65072dd3aecc4bf11260213bd266e3f221af8617f9addd3776a3e762d89bb35dc832c9015 |
C:\Users\Admin\AppData\Local\Temp\mIUa.exe
| MD5 | c60ebc0f919c1e1f96f85a17ac6cd72d |
| SHA1 | 46c9448222bd91bd391117fee3eddf694ee618d4 |
| SHA256 | accfed78633405f3d43abb8685a969a33ca78072cb54ca3f72d16f53d72586a4 |
| SHA512 | 8564a66c92f0bb608d57db9c3666fdc20f96ce8eb77274794a73bee8f8d20311d9e6dc6aab1cf107c3f4986c599089e3674b36ba7a0cd29dded494724afb90d0 |
C:\Users\Admin\AppData\Local\Temp\esYU.exe
| MD5 | ea1c02ba8a8749e7c99e9d2345508f22 |
| SHA1 | cf5204dc22f10a2377e8f8608e49315344c213e0 |
| SHA256 | 08c22f649ba3ac3faba679e0911d6e3fb81c979c6f04fe742a7d05a1f653970f |
| SHA512 | c4312970a7c10e05c869d53e61bda250f675f2b48ca6f95eff4a82caa72d8babaeb54c7475c4d6b4321824829aecb576662e932f9d79c19c7caee4662bc1a866 |
C:\Users\Admin\AppData\Local\Temp\aMMi.exe
| MD5 | 2727cf3c5bd6f7443b53e94f2c0b4cce |
| SHA1 | 90bd14aa8f6cf83f9265395ad7567c1115700147 |
| SHA256 | 5988d571c6fba87fc399f3b4971cac5398e1b2db117243a2ea64cdb0905f3405 |
| SHA512 | f8f15b8d3185f84caa2d58009962339cf5959d6325b7545da2d7653a27fc97c3cb3a209f3f92dbc45572fcc002002ec473a8d886a15981858304ceb5744ac27e |
C:\Users\Admin\AppData\Local\Temp\iMUoMcEQ.bat
| MD5 | e87358df0a2b853a0bfe7aa7fd5257fd |
| SHA1 | a9d11b1f8826f84901b892d8bc243fc90320d328 |
| SHA256 | 6af5dc013d4da29d503011bfa26653d94bff5a7a68e439330d1e6a8c5e78da09 |
| SHA512 | 37ad821dc4c97a23ce5a71a309139b4a1c61832effc8b3b320525b29c95d21176a2da0e8ac2c703b450ef8fbd22c51524ec3e2880586f3791f5441785bbfcff2 |
C:\Users\Admin\AppData\Local\Temp\KEUK.exe
| MD5 | 1bc433434e86ce5ae1bd0c43cfd0dac2 |
| SHA1 | f905f7188d7693bc5d52a10a52a0451979c3b27a |
| SHA256 | c427d3c9d78ff8f996f6eeed8dc3b4e7f79b3cb1926ac2b6f91b5c343f8b2c26 |
| SHA512 | ae4b9f4c412eb3896f5660b391c49c7ef5f6130a39fbeab84e5f88fb0082d691dda3bfa98142f4e325a02ce7ade54023ae28d022f5378825bec19490040192da |
memory/2140-867-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sMAA.exe
| MD5 | 1707f535ed123755a26f0d905794392d |
| SHA1 | a52460ebcfa32a2633258694b47f95267bc38567 |
| SHA256 | 1342ee5f1f241667176a6bd64d6ef38a0b8f6e0214c519493dff9bedfbef0f06 |
| SHA512 | 5b24d761727b2cadff5e1deed95ee36f6175c3f71c1bf3ee4816ce57cc4c659d25b546a1fca04cc8f1ec33fb1aa13a32517216bac8d480c5519402f4fd39a182 |
memory/2648-862-0x0000000000160000-0x000000000018A000-memory.dmp
memory/2648-857-0x0000000000160000-0x000000000018A000-memory.dmp
memory/584-878-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CUYK.exe
| MD5 | aad8e8a6b59dc8a62acd08219605a2ae |
| SHA1 | 922bb2554a0fd9b625fa8e965212843cf70e5f3f |
| SHA256 | 63d1837d63b108acf9d2aa1034f07bd62329934520faa4fa5fd81beffb946198 |
| SHA512 | c75e4c45a76a799c98112eb3e21314a04eac2b1f3db9aec455138ef57681325b55baa4f2551e2aef66a7245b89c9092f4b698c51aac5481ba532cb04db1eb5c1 |
C:\Users\Admin\AppData\Local\Temp\PsowcQko.bat
| MD5 | 87827832b91ef9f469e259bbdeb44e61 |
| SHA1 | 23fcbaf069d94a1ef0222246ae24ee92dd77a158 |
| SHA256 | 6d052a4f79f58a4dff1dea9815b964fb42f03a21a073909a6ed3144f7ae0d776 |
| SHA512 | ede68706c9cd98767fe4934906fb020f283e24fc37abd94811926afd021e8be6ec4a6cba690053bebfe332590ff1a5a976087f5d38bcd3b961b4572df69b2b1d |
C:\Users\Admin\AppData\Local\Temp\Egow.exe
| MD5 | 4b33a56082cfe7090897582c2e4d326a |
| SHA1 | de694a6e39606a9a5cf39d9b7dce9efb54e93d2e |
| SHA256 | 0f792e53f01d37c4073692006a63dba748ef586896e148a8314145ea47b4daf8 |
| SHA512 | 178d34f2d890b88e6433585161bf118159be893c55e831ae799d6f983b0efe77d781b9f661d0859f2e476a6fa0a7b15e31f7ea8d1aa2307e6ea8bd7464712d96 |
C:\Users\Admin\AppData\Local\Temp\iYkk.exe
| MD5 | ec23e593816dccf225afdbd928965098 |
| SHA1 | 21b96f04753dc30fceac61be1bcb485a23085cbd |
| SHA256 | 59dc2649831d80ae870513051e048fda65b2d79076a380fcf49e8815751ce61e |
| SHA512 | 4a4f148ab6eb566610fa217cbc41259c5e3c9cf28a725657d019ef0cb5004bbe20010a897199dbd5e2618b7c4916a7bf0e9bb3e516810d528b72f749ddaa5607 |
memory/1528-916-0x0000000000130000-0x000000000015A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\wYEa.exe
| MD5 | 1cc3422f86c42acc723087fede13f282 |
| SHA1 | 4fb4f7df3a0b04d515e1cd774c48d8b08901cb38 |
| SHA256 | 040b833b777531d2cf97a633b64775d2fb50776fefad6422ea660560d7b16da9 |
| SHA512 | 5664d39daaf71951838e15e7663a0793c565c7fc107cd76f2354249245645fdfb9ac3547e3b889a4fcf93cd97900aa6d66766d4560db983df7cbb2a5a27c115d |
memory/2140-951-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\MYco.exe
| MD5 | 6b2abb063de46942a45dc1d0e2e322f8 |
| SHA1 | 67841adcd5c99999bd79066538960e963f539967 |
| SHA256 | d2f7b2f0d949df101307f3626a291738587cfe2ed75b4547a8908c01f5c666f8 |
| SHA512 | a71335f4ade4d3ee5fb1dc8427ed22389db1d60dc31bda5a7797d2ce7384d59df1ea706a1f0ca0a6b3e676ebf60ace5761b739067b60b724f85e677e89bbe55b |
C:\Users\Admin\AppData\Local\Temp\MMwQ.exe
| MD5 | 715196c3c4c0a4215538711938da5fb4 |
| SHA1 | 98cd72cdd70db1c18a2e0a364795e4fae1fe841a |
| SHA256 | 3b73fb38a10c1d8644a4aa7e30ee613d0e3a3cc2eee6d0884fd4e07bc943ab3f |
| SHA512 | bdbab0a354e98fcc28143df9bdd7776b86c560c7a213966bb4afda65dff8608e6cc61a1cab2891b63319c522314c6d904b8b70f6278b54360994fe0d20e9fd77 |
C:\Users\Admin\AppData\Local\Temp\qooQ.exe
| MD5 | 520b14de6b13598ab541c857205d7f71 |
| SHA1 | c2d8073e48a6d2938f3bb7c6e017228222eddba8 |
| SHA256 | 37d41fd9a58693e50b3568fabac1ce92cc6eaf001aac43e1b1c43cca28416953 |
| SHA512 | af8ed03516d9dc557010eef8297bf5dba25590d66c9470f92c173d9a0c783f258b931273fe3ed5000fcc48d2974d1170b163286710c0fe38e180add5f24c9b08 |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile34.bmp.exe
| MD5 | 0cf6d3d7ed6285b05a026c9d53b904da |
| SHA1 | d1defccae54cae22064fd6bc57599c46e307e89f |
| SHA256 | a65367d51038900ead06cd9f0e26cd97f17746c164869b2d64193d6b15528cdb |
| SHA512 | c288095203a241b276ea314974fdb83c4621b6552cef1d37b5bb8a2c56d1c61f298a0484ba5641cf7b1de64579e20a727aeb4c2cd465693db7a5486f9ee4649a |
C:\Users\Admin\AppData\Local\Temp\IMUM.exe
| MD5 | 7cd87200c0846bc25a9b896c89871f76 |
| SHA1 | 3428b7899ce50b666162c58aa1a1775f2bf09f99 |
| SHA256 | 5bb67d296281f97bc871e9514c1e4ddb41aa649e34bdd9c7394224bf83067172 |
| SHA512 | d52d7ded0105dcce97ca492e85e836c64236e14a6341d9325377412576d041005503fbc749431bd577568f11aa55ebe79e2660eae82d79d3a110f8cad5cc7c62 |
C:\Users\Admin\AppData\Local\Temp\JWkYwUkw.bat
| MD5 | 720dd27bfd7fcd41ca02af7095338353 |
| SHA1 | a40f449f86aba87b781cf88262874a1a659f9aa7 |
| SHA256 | a3c5aaf903edcb634972bd886ffb590b52ed54b54e06f3e0ebaa3334cdc26d3e |
| SHA512 | 60ecf435693cdd1deaf50a752f4bf8f0c0aafb0f16d1718f61936a20304e7e9dffba1efe190840b5ca25ad37efea0bc4fddec6da44428d3afbb2edbda9d273fd |
memory/2132-1026-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1640-1028-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2132-1027-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\cIEa.exe
| MD5 | e2dad5e2b01976713a7c72b3556763f8 |
| SHA1 | 8548a80882c0aba4a25c883e1f72f519dcf238cc |
| SHA256 | e9ac93cb1ed06c356e22c47617bda2853b58e6753cab24cae89e7cfe06379633 |
| SHA512 | 77555bbdf3c8b7fab711609dd04075d2df62284119604c1f8f15a34b15520b3df19a89d1ba374734c53e5516ec6b2ddef0bbfe0d4893bbded91dc46b11a570ac |
memory/2008-1050-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\WsYY.exe
| MD5 | 3001f4848d002932bf9736167b76092e |
| SHA1 | 06de478e2207b30a5264de2a8d53dccc9b72c596 |
| SHA256 | f62dad47b8ef65cd1c74f1125eea157ea10c721eadbfbb6bd6a6bb48c43ce45c |
| SHA512 | f3c029fc4b95edc42e71b8e99f5096f5012babce2bf7f8ee141ee2498cd6bd95eb7565a3d045a1d534496414ad312a36d6f702872b1ae23f0ac2d388aa3072f7 |
C:\Users\Admin\AppData\Local\Temp\QIQk.exe
| MD5 | 67995c6de29ec3c48cc76b9638660541 |
| SHA1 | a713ee69fc138695c205c14d83cdd3075e10eb70 |
| SHA256 | 06e10cd621ae876f30b86b715cb4e2b0ad3c5f60518991196f8dfe5bdc25cdd5 |
| SHA512 | a174530adeac10bf51f9d354e09dd9d32b7c55815bf7aac60c4df222530b01a87e6d1c63286cb8463caf39adac7855028f903903df7a46e14ede31ca73847f95 |
C:\Users\Admin\AppData\Local\Temp\CcUs.exe
| MD5 | ba0f965a25bca6894250072aa5cc349d |
| SHA1 | 51fd89192c1815caf63b5e3fafbed13d59cfe667 |
| SHA256 | f956948558a550b868ee33a1d2c0ba4f8ac6a33df757374347dd16c4003b8598 |
| SHA512 | a3ab0cb636126a5f92e5d43f3bd1e12d6f3d6b4079f72fe2b2dd5dcb1045279cb81dedbf3762a8bb90acb0dc6bc7861342017252c3007a3c2dde8b85bd498ffa |
C:\Users\Admin\AppData\Local\Temp\WsMg.exe
| MD5 | e2b5da58448376db8091de104452e0a5 |
| SHA1 | 551bee3f6c55b2a384b512fe87605cb77dc77959 |
| SHA256 | 30af27003dede68f10ad384b065a393f132929044d902ed0667dd07a68cc114e |
| SHA512 | 4d89337de5e404a957c18752fb44730f492ea3416edad3075ed20f4382acefeab20be433a9770e0478bccdb666ea1f1b4f7c3da0f16e62d9b16b195f60b2439a |
C:\Users\Admin\AppData\Local\Temp\ikcO.exe
| MD5 | a3078f53e73a93d8272f017709d9cda3 |
| SHA1 | 0aceb01d035b22a70c366177963c919d92495f4f |
| SHA256 | 2a01ac000483dd00a97ea11bcd660d861b0965883e85ea0131e12e21a48621bd |
| SHA512 | 91db3f348a6cd7c7feae5c09349a066db0d3bc6ad0cf2463420705ccad2f0f565a037627d1cbd1ef09c0365ff0a44db771a2f5f297884d8c61acd7b673b945ef |
C:\Users\Admin\AppData\Local\Temp\lgMIkoMI.bat
| MD5 | a435fd6e9fcd2e40213ffb67175dd399 |
| SHA1 | 61c42fdaf794f1b43dffcf60982834b8e43265e7 |
| SHA256 | c797de09d819de86f025e23791e3fae6ac8a71b53b9d8937cf2d7eb30c7087dc |
| SHA512 | cdcec35c1f1e52d27159679ec725c096d4c2c97b83e3cc32505e78c647951356da5a8919e4d7b0c4acbd0d0e00bb77ce0d30741793bcb19cd272ab0b3ab5729f |
C:\Users\Admin\AppData\Local\Temp\igcO.exe
| MD5 | 0e63e150aa87cc1c7d20d82cded082bc |
| SHA1 | c12175215d2ff7aed12b86e66ed030b7156ea6de |
| SHA256 | d37ccaae5b3db3aa3c0d44b2cbc0446055bdef81cad03a095d511290e654b68a |
| SHA512 | 53bb029d12a71bfc5b6433b3ec631b4e8b37427d6eb3d8d30421efdafa6d613d3dbe6348cd64a289a4634aae654352de5272ba00a1922d5f1dd5249166d2baa0 |
memory/2804-1138-0x00000000001A0000-0x00000000001CA000-memory.dmp
memory/3068-1139-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1640-1161-0x0000000000400000-0x000000000042A000-memory.dmp
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile43.bmp.exe
| MD5 | 9edc7481db98d32f39b347238be8961c |
| SHA1 | 4fd75fc1ab7679aa3441a974bb7c8fc78adc91e8 |
| SHA256 | 6d575f96a49f0070be25b276736dac7bc2f87a14f3d90f8ec2ecdb3e619f3aab |
| SHA512 | 3c927cadf07c15a293113ad4cbffb77b0affb543508cb3c1712743bb2d6a4b562969229c563f568062fee1d2a8666ae159dde40f64f4c6bbaef382cad973ce74 |
C:\Users\Admin\AppData\Local\Temp\SYkc.exe
| MD5 | 4e4e5f777399e081a3ce6087e5c0cc50 |
| SHA1 | c6c7a40226b5e1a75f02456f14ab296ee910d6db |
| SHA256 | 9356fd5dbc91e8498c25c63036f97147ffa7dfc123b8c8c8930f499439fa0aab |
| SHA512 | 4a4a92f8952150adaa23a14abfe0a96a0054771e223b636635707406787937b48ab81a44fdbb0851ca28f05cf6d6e2eb47e201e6ce072c4d3b25732408f55f2f |
C:\Users\Admin\AppData\Local\Temp\uggK.exe
| MD5 | 82a151ab7c33d6672b723a7de230ab11 |
| SHA1 | c55d3be79902507cad0d6f938de1c8ac18e9910f |
| SHA256 | 459f3ca3c5699a971989290b76031964b80e8fbd8544d470270da822edba021b |
| SHA512 | 105cf54d146674cd2dfc09e8827430ca9e44483713c3f611489020db99cc71e044a7e02dabf3b9a7563cd08f49e211857fbd29df243417ce0f6a8e6311594f96 |
C:\Users\Admin\AppData\Local\Temp\CkgM.exe
| MD5 | 233b2554109c1b09f2594e72f49aaee8 |
| SHA1 | 88e49861d5dc58ec3702e16ab4218c9a438ecca9 |
| SHA256 | ef3da7a3a6ca503946ea8187ecc4f5ddefdab3898c42b56f12836be214560b12 |
| SHA512 | e081f560d3380e6de6753e38b662671af617e065e5e3cd9351390e7e0304c4bc426602c5d39e3852d172157ef22c13f061826bbe4842f2b11d8c34298b3cc821 |
C:\Users\Admin\AppData\Local\Temp\owMs.exe
| MD5 | 80c33b739de987dd7c6ffc606080e29d |
| SHA1 | d3c9861076e6a3d410a45a433a57b09905afbfc2 |
| SHA256 | 0e4192529ee4e1c3d890cb51e5276284d80c0621ea6020969df20295b03d6752 |
| SHA512 | 7fb40c9e0b2d43a2d0ac85c392568b3c546f6b8e2b8726b4b265eaa652b2faf3191c0dd11e5228612d8114d7b5370c9232ce5b711db232f9ba49d2d060d75d5b |
C:\Users\Admin\AppData\Local\Temp\QIEy.exe
| MD5 | 28faa9cd4a574abb8ed6a94ea35b0655 |
| SHA1 | fdb76ec6bf6fd65b4019357c4c70fe518033a0d3 |
| SHA256 | a26d486dcf7567d35e1eca66d5d4233fcac6bc3c3073262a8e7a92e399ad6e6c |
| SHA512 | 783ff9e6d1783d7e398e0985cfc834d32ea43afdd3ed73ad2c833245b292616888a48de39f09fa094a45a0dd287973cee1d9490d8dc8696bf8a3691d21712839 |
C:\Users\Admin\AppData\Local\Temp\BUIAYwEc.bat
| MD5 | b5e4ad79c1ca5f9989064f975cc469a5 |
| SHA1 | 4f8b31e4eb5d2af790ef4794ecc63558a6fa3ef8 |
| SHA256 | acd2126937537b4c7c28b585e7d3bef15e1feccfccf9a526ad14ec80792b1d10 |
| SHA512 | 93828a36a61cf283a5bfe1ebfbb98673893fcb2b5aa614a0480fb67301ce4e0e9649f0d95ba76871c77119732cc012c47eb390cb974f5b0274ce3976d0dc9de3 |
C:\Users\Admin\AppData\Local\Temp\eMYW.ico
| MD5 | ac4b56cc5c5e71c3bb226181418fd891 |
| SHA1 | e62149df7a7d31a7777cae68822e4d0eaba2199d |
| SHA256 | 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3 |
| SHA512 | a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998 |
memory/2896-1249-0x0000000000170000-0x000000000019A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\iwMy.exe
| MD5 | a1fe94fc1314e48dbf785f9555cfb0ce |
| SHA1 | e122ce7e8786616e455b5b58da7bbe1ee8c970ec |
| SHA256 | ffa801dfe04707fe6a2bb7d6d4057609c3d75d6139834b9babdeeab56dcd0ac1 |
| SHA512 | 54f8eb0c01aba5500dc14bb061e6e7350a927a8ee210c1f3e30ae0c5e73e12336c3110ba81076c46efc29625b8804ffee5d00ad1ad9c7015d68c5e82398c95fb |
C:\Users\Admin\AppData\Local\Temp\SsoG.exe
| MD5 | 3d079395df929b3d7f2a1f4b611ca4c7 |
| SHA1 | 1df1de3a58028588c8f838ce4c020daab036770b |
| SHA256 | 418845aa5ef783c730ad4016f9fc072ac271261f9e38fd4e3262339ff4dde94a |
| SHA512 | e30a17d544c55ddac42edb85ea9634d8ceb5c4ee125067d9b767d0ce869f7fd3fd093ee19fe151bacbf43d4797c6d8a2a0617262d58ae19f12af7fc5c1545673 |
C:\Users\Admin\AppData\Local\Temp\ScYs.exe
| MD5 | e78113a0137b43f8b6188a891253912c |
| SHA1 | cf372231d03b35e7fac7bc731fc0187220aa3a16 |
| SHA256 | fc2d5d8c4cb2d9aa7cd156929e693c04389a04b7edb119c98697bad6c5561191 |
| SHA512 | 1ebb9a6a1f728d5b16f3910e291ffce3b1a35582a3a36cde1586a4119f888a42c652f0b8527b71edbe7e25803a19b22e2b45e2e8cb7b32bef4fd208ef554061f |
C:\Users\Admin\AppData\Local\Temp\SIUm.exe
| MD5 | ab155b38435c8e0675e39e0430101432 |
| SHA1 | b141f835e5e5ac5ed716ce4de3cf4cd324e47af1 |
| SHA256 | 899dd7dbc2c12da3ddaee0705d9de63c5e730b5df684b6cae3c858b59f96b60b |
| SHA512 | 0b8fa7df1a3a8643d1b45bf943c12a3b557cfdb280c72421f86e80e5baac66210306d8dc7f149700df5782b5259522aa03bc2def3bd7922a13d4a662aec94e4f |
C:\Users\Admin\AppData\Local\Temp\SAQAAwIE.bat
| MD5 | 7803972bf5164ef80ec66604e9620882 |
| SHA1 | 23a6e65ba40cbc946ebb8bd750ac4c94cc7ba4e4 |
| SHA256 | 430298bff2175a234015f00ae89168786e0177050ac17cefe8a7734440ba774c |
| SHA512 | 6c99da7ab339e296c29e7e2b1856e601716945ab6f9e7c429f339330efe55b2e53a3a3fb6030d4e4258082c38937ef0e15189ed1553a83c763d343532354ae2d |
C:\Users\Admin\AppData\Local\Temp\QYIm.exe
| MD5 | d67e1af5051bcf9bc06402b825064371 |
| SHA1 | 48b15704cea249f6b74dba2c867cf7693293df53 |
| SHA256 | 2959223c3d3dec6856635c6466001376328bc6c22c295cb36d145e34b85007d9 |
| SHA512 | 19655af3a5af3960ea3d5c76f010febb2975eda9d65d838266c884055aad2fa2c0b782ee5fc505270e3cf31dac9c9c2ce8ef7860a8058286d180a3e0e801f197 |
C:\Users\Admin\AppData\Local\Temp\QUIm.exe
| MD5 | f68f126a31b6fbe6caaa6f38c3959db6 |
| SHA1 | aa2b9c6288c814b4cbfd3018f139b879a77b6dc7 |
| SHA256 | 1ff4fa9104d04ae5adb3cfab72abbe606908605981c90de65c173d802c1b3f10 |
| SHA512 | 810e9408d547d12980d3869346377b40555cde031185173a24591286c8187ea7354ae5d27a9c56db356abb8bb93d462475361813965f221ef4ac7c5b4145c90a |
C:\Users\Admin\AppData\Local\Temp\MUAY.exe
| MD5 | 448a09f65f844fc31418fa05cefa0403 |
| SHA1 | ed92b891806e632e6837ca001e112c8cdb8e49e3 |
| SHA256 | 2c8087e6b11d8d659bd6c98502cce8b282fa757742edf5c97873e70c03eeca5b |
| SHA512 | f5963726e61a7a1411b1566b0215b4ef478db5c916c24fe4cc9ae8204c2a71595e98f037a395e5e9fe21aef909be1b8759fc90ad3dd327fb80f2b75efb601d20 |
C:\Users\Admin\AppData\Local\Temp\SmcEkYsQ.bat
| MD5 | 133da5b52e11fee0ef5df830596f926e |
| SHA1 | 62d7afd68e60b152a0f98f71718624324722a734 |
| SHA256 | 1be7f8fc381ae55976541794839d702b5b4d53630876e869030c809baaf321de |
| SHA512 | 78452b5f50befca4581ea19d7d0a30ff534937eb86241b77c54dd3c53b623c0cef23b367d73f0cf3f2e673d7d9c7cd46710bdc087e900faca46fa04c8aba6e77 |
C:\Users\Admin\AppData\Local\Temp\IoYQ.exe
| MD5 | 54aaaf1275118c9d94a4d36fba137210 |
| SHA1 | cbbfca21e67324eb896af8da6b60a133846883d3 |
| SHA256 | 870e4fa88bc04c02d1d24ea75b72957e60ea2449514b5c847267b10528f92a31 |
| SHA512 | f40c56c7c40555fb1b2873a13f0cd01a2346bd8fcd9eb745f19dc7a50fb0a43cebbcaa62e3d1673f0073527fd441f7bb3c8187c30071c224df1e5a5dd2b3b891 |
C:\Users\Admin\AppData\Local\Temp\iQkU.exe
| MD5 | 21d34ed2e6c9ecf549ddfe7ba9f7044e |
| SHA1 | 6d6aa8d74740939e9ab5aeb2bbb76371923827da |
| SHA256 | 887a95c337ccfa878216d0542319c27a7a2c3d03feafefceccf831cf1d352c52 |
| SHA512 | 6afb4ec90cfc76e2c4d0de81cf24a9adade0794df9af6ddc95761166744901f40fdf065e4add7b89cdac8265123b9b19a5de82d3854ea7a465c2f3115b2c70e4 |
C:\Users\Admin\AppData\Local\Temp\Cskk.exe
| MD5 | d66298ab34c71b13cdd73f40b981bbe6 |
| SHA1 | c19c29071c601bf4aa5db65d14721ce4d32ceadd |
| SHA256 | 86ba659433f06c28d6be4c9a3e266e20158b1b0865e2fb3f55c826ae1b9588d6 |
| SHA512 | 202221a502feb108957bc2fc2a5db269ff9ad38dafcc073532fb0678b4fc1c7b43902ae863bfa906652d4f05484dda54ff887fd14a1838d16aa782fcbe0b31a0 |
C:\Users\Admin\AppData\Local\Temp\KgMI.exe
| MD5 | 9578f0e582c9dd0a9de06352e1848804 |
| SHA1 | 27a4adabfc94c63283ee32d12374b68b8a4ababe |
| SHA256 | eae80e4cd208b2277ec2af93e403cabf36e74954874e9a65a05847cf386c60b3 |
| SHA512 | 795d0e9793a8158111a20e6a13e2e2631863e7cb6eca28f9074b1649b495832a81815d8bc7cda61151cbf166a6881c4b84b78eba5b33cf75dc7662a7bc5daf28 |
C:\Users\Admin\AppData\Local\Temp\aOMscMoI.bat
| MD5 | 5e743912420feabbfcfbe082fe3a627c |
| SHA1 | 4f19917e461ccac36dba02e29426cc52e2883e13 |
| SHA256 | 0e9771580f1b7cda6334824a964c168dd23c3b4f559ffd43ba44ea045fba64d3 |
| SHA512 | 352af8861196ed7f8ccc0dd4dc2b204cf6a6cf2b70a2b156b17e79bf22299db3204b7227bb81191b80c9fcec8866272b0391fbf748f1488aaec29e6b01c2a7bf |
C:\Users\Admin\AppData\Local\Temp\ykoC.exe
| MD5 | 8a167a81d54a8dbd52e3f1ca4d9219e7 |
| SHA1 | 3d2e57ddf608cea6eb46e8285e51ac59c6f43e28 |
| SHA256 | 17ba3d32b0e3da00c671779c4d51bd547b23f86cc34483c9bc3a5f5d45cf2b9d |
| SHA512 | 55b02ea66a2222df67d3048261343996464146c61fd82f476d9b1caee5311a91d9b3133f7bfb742c987107fe09d97e5bbe5818d801614df4835088e986b9d96f |
C:\Users\Admin\AppData\Local\Temp\KcMW.exe
| MD5 | c78319e6674e1eaabb534f015435a7df |
| SHA1 | 31073114786e89f7a21701a55bfcbd09134885d0 |
| SHA256 | 74707e8a727041c0d122f955f71ec716b5bfcfb6708261a54a10bf31e38ca0ec |
| SHA512 | 3c9f17f656385fbcb3dbb754bd5cbaf3cced0021677a8f4b12b4632de2293ab060977a282d9e8ec746baf45ce05a882fb5870ab31237a1ccc6d0df2c52b670bc |
C:\Users\Admin\AppData\Local\Temp\GkQw.exe
| MD5 | 59e045ef76e4ee6adeb07b261a9d8435 |
| SHA1 | 82a7180dfdc6fe3a9076c3054f46719f7e23392c |
| SHA256 | de31fb3c0a3e60e1e54aa2717b944794b6ed59a7b54bc126d9091b6a4cb0c974 |
| SHA512 | 9f26dafb03f02443877424ed9e5ed1463419721fb26710ef7c449075a5991bf65a7b122d9503f7fe6528e2f75a6593beb75c11cad7000701a048d54f9bee3208 |
C:\Users\Admin\AppData\Local\Temp\ZSAMUkcA.bat
| MD5 | 5020591c4ce9db86f07aea987efbeb16 |
| SHA1 | d68e13b73b84c4eeeaa9d2142a1ca0a79b3d4766 |
| SHA256 | 3ec14e980f55394ebb2670fa509c8494e7f95b6b685a09bbb9e21d12d39afcf7 |
| SHA512 | f8b5ae586a6d6a2d58c019852612bf6872d944fe65291ce4d5f44c6ca3911c3013809a30653d2023e7679b56fd63f23949cbef382f5702f8f10a93f4427380f4 |
C:\Users\Admin\AppData\Local\Temp\gEUG.exe
| MD5 | e74397bdce1e4ef8f23631a32b2dbc1b |
| SHA1 | e10ef92b07afe6aba1b9da6a10e4abaf91e1a71e |
| SHA256 | 27b20d90ca7aa5c184a7a880f64d58f5930c43d721ff77e2c7c50985fcf8f7a3 |
| SHA512 | 15ccab22b55ace6d22cca78d09748fb48c86ad4bee19e63ca99d58ae3b552c5f7e608470250a799a2c01370391e31415185eed936454debf2b8e09e0256ed6a3 |
C:\Users\Admin\AppData\Local\Temp\ugsu.exe
| MD5 | 913699353ad98f7d64ab9dab8c867b1a |
| SHA1 | 4f15b6d80b12fc99acf409f4ac15f74d02b77ba9 |
| SHA256 | 4137a46e3fc0671b70d5cc150bfff31d8d9a916621203395af34e8c1ce64c82b |
| SHA512 | bc15a0ecd643e4cf736d73b57fec721db12672f9d14306aab162b7963d8ef8886a3bf112429da83d2d9c57eea18db6cec8a6e508c49aeb18dcdff933273cb722 |
C:\Users\Admin\AppData\Local\Temp\yQgm.exe
| MD5 | 179c2362db2a6adf0b4526c1f7c315c2 |
| SHA1 | f13b125d485b9972b51254fdd0cf70aec659f80e |
| SHA256 | 3c505b51ba95153d99ba330cf0b8734a22a9300981cff262afdce46c9b417f4c |
| SHA512 | 3ce6a288c9511d6adbc7583b9227e546680d6423d2e4a7d3ecdae53f3238626a8e93a1e65be7309bd976e6416add64bd28b07a3004ae59dee20ce7ca7e840501 |
C:\Users\Admin\AppData\Local\Temp\qEkc.ico
| MD5 | 2239b3cfdb5b6841bb2dde95edcb306b |
| SHA1 | d027bdec9a533832ddcd54bdcf318ef2a0da8e60 |
| SHA256 | ee2532e247bb7274af8769def697dca7b356d65706d3753ee317bdd34d72a6ee |
| SHA512 | fd7f1a89ea4cc76a89542d5b8c1ef6461261e9190d9cc1412cc62437eacc01702b729eb5c951b5db66270640f96608b7e30ac8f88b276f4e79056fe80a098c1f |
C:\Users\Admin\AppData\Local\Temp\OQUM.exe
| MD5 | 15e060bde4fdd96934a637a489ec1d98 |
| SHA1 | bbec26d60bc1162035a9a1e4bead7b02b94a8ec8 |
| SHA256 | c26c615fc49519049d7a8cf2ea002039d702a4cb5fcccd9a88089f46cedb3b90 |
| SHA512 | 1a925fe074630b992196fd5a5ff8ba20318f84a7a3e64c745c852a512e70bb9ab18561d8d0e9a903c8ad20102b4393fb2625e0872477914639a2d1b483807115 |
C:\Users\Admin\AppData\Local\Temp\CoYy.exe
| MD5 | 1146fe2ab8833ba985f11618485a72e4 |
| SHA1 | 71f09554a4f9c96f4b2a592b739a3537f6443236 |
| SHA256 | e40314be5dfa687b9362b79bb7cb1c727ab4721ec79fd6baf8b00d6a2b7ac6a1 |
| SHA512 | d519e3d0764d4cf41c7866ae41357cfb563a07353b42c7d5df85fd48b5842394ad1f6ba133c20d15dc9df49d0c182c65ef2193b7015480e47f1654a4253c7fb8 |
C:\Users\Admin\AppData\Local\Temp\ZEYwYwEY.bat
| MD5 | 43646db6674ac46db95ead4996f165db |
| SHA1 | a5a55b1ae4d24e5ee18c570aa2cf3e2477fd3983 |
| SHA256 | ca94f2688f177ca3941b14e208cf11e7676a41fc13f3fb923c6df2f9afe70abf |
| SHA512 | 7f19757ecc3a91051bbd8ad7ed72c795ce3844f40b92a2b867bdda43a245b7d7dcd63610f8d356ffbbec9383fc7b7d6d0b4fbdd89865e4821228787896a50d8c |
C:\Users\Admin\AppData\Local\Temp\Gsco.exe
| MD5 | 81bcdd224c90201c5429e26480ea9c2d |
| SHA1 | 5a36e2a318a1b46b2e30ab933b45c40b4d5473c2 |
| SHA256 | b380a82021cd1a4ec111207b6a7a09ccccb2d51d91ac5c0a1abc11bbf21c0368 |
| SHA512 | bc00fe648c43d96d0ac9e36327a613d73940d6771242d5e761958958c696956b88174e4e1ced13890f4cd270ad40c9d0ab599a464d68d4417acb40b4feddf37b |
C:\Users\Admin\AppData\Local\Temp\gwEq.exe
| MD5 | a012d67fa80abcb2f59dbbafba82228b |
| SHA1 | 5da43c893d167caf490674f118b1649dd4a59363 |
| SHA256 | a95fc3cc3a11397492561996481b7974dcd9905048167bef8b9ee9a675778d59 |
| SHA512 | 722a339faf2e8522b46671088fb4e178dd5e84d5101866ef93d6be11e04ac5375c7a847ad406e1170b8832b21373c0f8e937f212bce6f7bb19acdc46d9c07de9 |
C:\Users\Admin\AppData\Local\Temp\UMgQ.ico
| MD5 | 964614b7c6bd8dec1ecb413acf6395f2 |
| SHA1 | 0f57a84370ac5c45dbe132bb2f167eee2eb3ce7f |
| SHA256 | af0b1d2ebc52e65ec3f3c2f4f0c5422e6bbac40c7f561b8afe480f3eeb191405 |
| SHA512 | b660fdf67adfd09ed72e132a0b7171e2af7da2d78e81f8516adc561d8637540b290ed887db6daf8e23c5809c4b952b435a46779b91a0565a28f2de941bcff5f1 |
C:\Users\Admin\AppData\Local\Temp\SAgo.exe
| MD5 | 0594e3c195b95bd3ab6427ee92be3874 |
| SHA1 | 5a93524a7b32506510f9e946be256b3d23376f31 |
| SHA256 | a5b985864099178fac631f6e53baa73c19d9fdf2a65eabf3bee34a1fe3f08629 |
| SHA512 | fbcb3e4eeb9160b86ac9c21774cea11821775870cee4371997c94451d979c1a653bb7d3a8bc3014698119537ea52cdd9bbecbb1c03a60dfe0e8d6c8fa312b8c2 |
C:\Users\Admin\AppData\Local\Temp\goQe.exe
| MD5 | c5e8210f3bf731ee593a10bdd9cc00a6 |
| SHA1 | a4c7e46dbbee9af0eb4a9d0a6e5e2144cce9c31b |
| SHA256 | 4bc13801e7bf8c2f7e6b5fe746b0a77aefe37ea4f866c47eafd85a4a16c7eb44 |
| SHA512 | ada38297c77aee43a7a56a8e3fc4de8f50b8be677641050fbd892104ebd62c3e2874a219d4bb8b0fa19bb10d48ff766762ad528a9d373a1bc70dc20f02fc0f50 |
C:\Users\Admin\AppData\Local\Temp\teIkIYMQ.bat
| MD5 | 893fc9ad26eebc075fb09af14c1cd1bd |
| SHA1 | 9fea952ba355eee99c7bf52edf4d9d982d6753ab |
| SHA256 | 3a0d23ad74b8a563161084bfd8c44b54da297cf1232b67c77d9adddda33f414c |
| SHA512 | 5716833557137fcd0fc48012defe28424180e062ee2ec7d42f0948ad64e0ea863ee71219d15902488d00e1bf8270e1949449c8761841ef03b41a9269d7328baf |
C:\Users\Admin\AppData\Local\Temp\Kggc.exe
| MD5 | 26959d2cc4d10d15b324451192753bb1 |
| SHA1 | 9fca8818a966e600d3fbe8d535d4e85691da2814 |
| SHA256 | b1bfa186aa88069300aaed730f9075bbfb6a605530eb00c1230c27220e759ba9 |
| SHA512 | 37241144e1c4c605c31c9fc23ce06c6c6dfe4040226d17ecf459f1a4f1d591367baa6ea2cab35f3f3e8b510668e23e8a523316cf9d18833cce7a2f5004d50694 |
C:\Users\Admin\AppData\Local\Temp\McQU.exe
| MD5 | 9265c9b3a7897ac0887abbdb08418d97 |
| SHA1 | d6f6440a4c528c3697b1391a39bc900b6bb5278b |
| SHA256 | 616367e0b1bbf79f7f8b559f802af9a1a49efc64a5b8d9e72af104d9eed1eef3 |
| SHA512 | e7c40d9b62360e87111d75f98f11479d18df50a7dbd1f58fe5fcc348829295dac66eb99921cde4a5e250b4a35e3378143d7200250a97cd8a845ade1c97b4eb4a |
C:\Users\Admin\AppData\Local\Temp\ccgG.exe
| MD5 | bfc6d7474840a6ddecc29bf76da07192 |
| SHA1 | d7771c95b610726f93214df67d0d3b4585a6a506 |
| SHA256 | 4dc5021d658d49751f34002a17a9fc60903c0d6f47829d9822d10591473b7e55 |
| SHA512 | 192be9ab6af608c3854e82425f67ce124778c0849e10dea5ef9982879c2a45b7f1d87d55b7fa3dcc8691ec22b5c2608e58da8247c3c69b20e3289bdb8fda829d |
C:\Users\Admin\AppData\Local\Temp\IgkK.exe
| MD5 | 4903827a222c1e6d8a506223612226b8 |
| SHA1 | 49fb0e87f1500355ea1b173be328b7c0f4e2973f |
| SHA256 | c0f1434e8df71edf7d30eb20ce3a1f2f3c1b4a1cbee6400bea4a50b8c4f389ed |
| SHA512 | 3dbee9297b4a462e81c27ef4938f7fb536aff39cf65e5eb11ea56d7f850205a88749a5accf5dff177b508ae5567227902a40cb27f4dd30c56d9efb2040f33432 |
C:\Users\Admin\AppData\Local\Temp\FUgUscUw.bat
| MD5 | e4b1390b1efc51e98ba5986737650943 |
| SHA1 | a4493ddf8bad70ae1b65568a966cc863b77c79dc |
| SHA256 | 650941b0c1f56680dd8c0fe9efa6f7ec03f7c8f82ae544aaa32b366c507e47c6 |
| SHA512 | bdd0d4fb580e80c902ee6c9f89c4c7558c35d0db020cdab019efec325dc7bd4b21d469f2d9c5b13d29ce7c44961ed5b89fc1b49e85ae2c6c68eb720ba3206938 |
C:\Users\Admin\AppData\Local\Temp\aYkg.exe
| MD5 | 6789096864a55c8bd1ea93f01e16ea44 |
| SHA1 | 3b4afa06f903d004b5bd687bb136d3d3ad19a545 |
| SHA256 | e0aeea0571babe8ec82ac3ff78418e7805102bd2c7d3c3e9e9c97a3cf227115f |
| SHA512 | 64f03b675630cddaa9570b5f701abcf1bb617f49d663881d97267ca02d093258d567f34564c1fca1ba5446c48ac61e8c3d523c1ee70f8bb407bb199dd1974e00 |
C:\Users\Admin\AppData\Local\Temp\YEUo.exe
| MD5 | 3dfe4284859979b8c2f9d26c15d16414 |
| SHA1 | f69d43a67346fec5b4afb8ce6ea5a34704441d36 |
| SHA256 | b8103d68efd87f5b4dc0f38f9372bf0650c3fb7204ded27402cd5e881a7e6ae8 |
| SHA512 | bb285cbdcbbe28bfc4c91c20b212f6ab79821112a8839753bbeffb39af4b3012008869dd2c377594cc2e9227b5d28d4f93abfe038565b8f67e0f6d178d6ecb77 |
C:\Users\Admin\AppData\Local\Temp\aoAG.exe
| MD5 | 32a544d82c8eb9a3b092eb63495bd2c7 |
| SHA1 | 878305021ed96d3c878e133ac5bd1b2271df8459 |
| SHA256 | 6ed363b0edea746409589e38e3a328329375c60e64cfb066b4ba98c45b93ebed |
| SHA512 | dd8b12397299aa46c572c05dbaf0d3bd3bb8a40cfa882baec55fcb201b06740ee3202da6a540d472a1ee5668dd9b36991ab330dc0727efc5dff104fdf3e1e7f8 |
C:\Users\Admin\AppData\Local\Temp\WYMAEoko.bat
| MD5 | 65acc421697e07d406d1565c1e1f0fd1 |
| SHA1 | 9078be499170646bcc85cd6911a82c3ab11b8823 |
| SHA256 | b81937beb1534c65db594d7b691496d7b11bf90acd855d75566360bb53c31e37 |
| SHA512 | 4206e0fc106ebc4f40e0ef2a94d656afb2720c1d0354c959d9855afcdceac0fe42c0f2a557c40d032a67e7ea9b37ec75a25ffdc41eda02bd0e01b9a63c93d988 |
C:\Users\Admin\AppData\Local\Temp\WUAe.exe
| MD5 | 1077c537e94f7ff83d2210e0e4e8cd0f |
| SHA1 | ee68b56ee7d282eea15dd0615e25659a4b804845 |
| SHA256 | 7cca6234a2bc18151e1cdde94bc619e134135e9635ebdca98afc53cec5c9f952 |
| SHA512 | 216df5f28590ef5eac211d3e29def23473d22a62a4de313d7176d72f6a95dfd48ae8cccfb070125b99aa0d35b1de2ce0a44c422b40e4c267b2812e292d0e71d5 |
C:\Users\Admin\AppData\Local\Temp\Wgko.exe
| MD5 | 4ca6568f0cf5642925d66c091ae85887 |
| SHA1 | d7d04bb28378f6f0dd87a09e94d485d2d4261483 |
| SHA256 | db44302f73a35dd70979e026fb2e6a6cd5d99ce55255d2f1049df25989a3e6ac |
| SHA512 | 95b83e9745adaa60a9c67a2df9b578deb5327f81accfd33a76f47bc4d1a3d26b2ab00865c3ff80057287f80962b80e749d79cb684cd74f68823a7c41972989d4 |
C:\Users\Admin\AppData\Local\Temp\uYIMoMYs.bat
| MD5 | 71dbc63e3829e16b0e38bc1318a3c6f0 |
| SHA1 | f3feebf6437a4fb246529d124b0cc264b62a447f |
| SHA256 | 04af1ded944e6b50813d00233f6f565c697bd31f027d941990d54997a4c6f15e |
| SHA512 | 22b0e4e342c848279eab4a550153f27f17dbec7fb1229f0415b6710c22abd118e4a545d8248b1e29a1b9cca584efd5efeeb0c15b8af698f1d6e3d356f994a51c |
C:\Users\Admin\AppData\Local\Temp\Kwwo.exe
| MD5 | 01088d0cea56d28acbb077c329a7d85f |
| SHA1 | 2d6ea48bd8bb3be69320ff1baabb404fa1dc6617 |
| SHA256 | 9adf4eb3c069061f669262db5c250395aa7932133c6f51e74d30666a14387b46 |
| SHA512 | be69dd18c62d461e2884c5ea09df18906412586b8c827f49f3ef1d190685c52fd83c7aed5af31fbe41c12d89b0a0f5c8a61b6a95df87e830b8b85680916a436a |
C:\Users\Admin\AppData\Local\Temp\GEQs.exe
| MD5 | f7fe05d8d02b641e3b1d5a12061affd9 |
| SHA1 | 6b28bc7e37a17e8efea21a3d6e2efb26be39ca99 |
| SHA256 | 90f60297df71030ac2b97da2e22b1b6fc8be7b7c148bf642ed0c05dc230ef0b2 |
| SHA512 | b39d39618802ed2abad43e03b1f8c69c67c1751e6845e27d6f545a8ea19355f7ea52678705afe0c5dd18a42e651cef74ee49a2b89df10e65c2dab341a61b70e0 |
C:\Users\Admin\AppData\Local\Temp\YIMgUUwQ.bat
| MD5 | ad3bc7b4fae8162eb5e8eaef760b566c |
| SHA1 | a7a055c487575f8ed865bc6ea04c1b86c13d06e2 |
| SHA256 | 402d97f1abd2ba4405dc417ffc812150908d4a150a129842b30530c6967f0436 |
| SHA512 | 8086693c19959540fef60f7610fd64f997e957973fc82daed5c94fe5b2d3b5dc3bccc62e897627082950203a8f4dca2e09021fb8b3f9c03213301286916513ca |
C:\Users\Admin\AppData\Local\Temp\CkAM.exe
| MD5 | ce0494df1825d10842aa9c6257a66e3c |
| SHA1 | 301e375fd86599382327bee8271896bca4b55a5d |
| SHA256 | ef9163cd4d83684b8877e34948d5b7d65a517c1c48c77d0c697da609a7fb6035 |
| SHA512 | aeaeb84d876f65bba87e4bb78d7c8694872b2397ee88535a926d1ee297e39d18560f33dce788da517ed697a7a02ffdf88fcb996bb6bf454127dd654dd568adb4 |
C:\Users\Admin\AppData\Local\Temp\wcYK.exe
| MD5 | 20d8472586b542c46a57ce2869322804 |
| SHA1 | 90eb947232aba0386724d6482bf11e75e00d9fa6 |
| SHA256 | 8785b3afc6c8d616252c8bbfaa88341ab7d140d731d85f80af91fb5e432a5624 |
| SHA512 | 76f7bf2a4a7f2a195f4ba15e32c53bfc1223e15fd5b1ff36148fc24b6893ff42a497fbb923490c079ee18127968b73f47fac6ba3a26b541ef7861678c96cc319 |
C:\Users\Admin\AppData\Local\Temp\gYEY.exe
| MD5 | eb4bdf2f6f28c3c8a57234cc81c0a51c |
| SHA1 | 77e6ad036ebbcfbbe75814e6a7dcd18402ebe504 |
| SHA256 | 08a39fdf64fa97be57666496d5a40d897780f950f60756c53f926a5fb4e3c7dd |
| SHA512 | c84f8318446e936c3898851d476ad4948c59701d49c9674d75fc327a52808ed9610e8143b1a04b7d16af82050fd771d45265a9b47f9288d4e0ee3bc0b20f0ccd |
C:\Users\Admin\AppData\Local\Temp\EsMU.exe
| MD5 | 78f7871126a0f71c810b81a83c7bacc7 |
| SHA1 | a91247349d455424b0ad4b87e7b2404c86b62923 |
| SHA256 | 5ad8f0e85b47bc74f385b39c6349704554d697d05cabbb5426866624a8e4965a |
| SHA512 | 22ecf3466d707cc9287c588768774ef242813d1d82229783477640b5d3155ca0031b2f2500dcba7764c2ea1ec7d4a5adf23d7e6fa1533c6bc70eedb994e48118 |
C:\Users\Admin\AppData\Local\Temp\KQsEgEgM.bat
| MD5 | 55987bae2842a879bdde92b0a8881a6f |
| SHA1 | ebc4b7c167eca9a8941b75875790b710b0e6eb9f |
| SHA256 | 657701450cd2dca645c09cc8a53a9344fcd558a34cf32fe161029bf7e62b1fbe |
| SHA512 | 7811c65c65b70de9130d2366563a180647c69d750c277bd6634b9b0bb87fc5bd24cafa02347fe461342d75330f63eb3b6912e9c974ea24a012fa5c985a64d41c |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile18.bmp.exe
| MD5 | c80c73731a76f094f5d7a57a8bb65641 |
| SHA1 | fe9b6db61f63cf727c8b69223d02ea9d720e326b |
| SHA256 | cca7a9b9fe57f9f9a5653fe0644895069bc94d67cf04c3f086213a349f819c15 |
| SHA512 | 4af99b2e04dc861f6de63e06b60ff1d584b0302afab959e19a4a215164134f57152ae0f99d84c4c7798d4e87aca92361ad4bf3a77b4ddaf89716f9a3697f2c24 |
C:\Users\Admin\AppData\Local\Temp\oYMy.exe
| MD5 | 1f36b33d181c2a79d0e33a0618a27b4d |
| SHA1 | 185560ab2af7fb4ae37ccb1c0fedd40d8a923086 |
| SHA256 | 8330f4e21c98974556b5dd20d2d3608a3e79b5b153bd2b7b4dc5d402dc5b0b7d |
| SHA512 | bbcb1231aa88fad239a24ebbd1bdb581f0ccaa907ffb0c669cd870ca4c64af72f8952d23a38e2f2ba36a9ecb3ac13efb2ba562803a76a2897f43c6c31ca084b2 |
C:\Users\Admin\AppData\Local\Temp\qMoo.exe
| MD5 | f9444b63070084a90d43cd04637e8f2f |
| SHA1 | e212b9c8d1f0a3e33b253b061fd20a5607d1b5b7 |
| SHA256 | a8f53f2fe51842714c46da816217ce00ef3b64d02a77366ce725914a907e6da6 |
| SHA512 | dcfae0cbf52fae056d3f91bac998f838c7b7a2ab6537f76fcdc7a0a96129ee61126dee1d73d5851b4cba8ac5cc541afeff7c7be521d4017b2a638248e4478937 |
C:\Users\Admin\AppData\Local\Temp\LmUYoQog.bat
| MD5 | fae4d384e7e54f4eb90e04c00e5bfab4 |
| SHA1 | 75e290b86db9b76b1136883f9a902ac7c40bbbec |
| SHA256 | 6b0b0bcdeada97ff4f210f7cfa15ff0f7745a5db3af64020668ecdb6a7e0f6d7 |
| SHA512 | d932651ab47d12260f80834d75c7c3036b9d24199bdb5b1968bceca9bc3ef31f0ba20f322f5ebb979439457491d073b6ed554e45676b9bb755242ac0e3d2c4c9 |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile21.bmp.exe
| MD5 | f9e0afdb3878a00ef8660c701f1e00ec |
| SHA1 | c3a97ac4e79f66f36c520b8e5a3fc288260b18cf |
| SHA256 | c36733d4d0d18389c7960786e81266f4b9b3e7ae5b50392c52a2fdb0d8be4942 |
| SHA512 | b2553994c4eb3928a2ce614ddb0b21f905655e4c33b3fcc617d7cf19aef76721d3eae01670ff555bd1e0a0c30c1575b11cd48086fa269f6090b0c5969acd46a5 |
C:\Users\Admin\AppData\Local\Temp\SEsm.exe
| MD5 | 62388df8c18bedfe4793c1bcc9118e62 |
| SHA1 | 18f5b248541c221d9ea88c404acb9020d216c8dc |
| SHA256 | 2e53b3d57ebcb7b9416c127c21a3d2df8e53779f89453da7538f5f20865f77a8 |
| SHA512 | 8648e2dff5962d153e3c8bc2e59d596d4b853fb2e4de646a082fc254115da53ab06087952498c982b536c45b13b18ed7ce65ec7f53d381aa786a2796c8f4eba5 |
C:\Users\Admin\AppData\Local\Temp\aAkk.exe
| MD5 | 5e4a75868802ee9fd49f681ded6ae6bb |
| SHA1 | 06380d64f0d632d3cb51ce066dd33fafbb6d5744 |
| SHA256 | 2f30385bbaa9a51866bd98b7a30632ca62c882c0d2e07347452d4fff57179e76 |
| SHA512 | f279e96e0858ec699e7ce1b02f838007ac2a7398cea46c262852e2395e8a9659b5947f089ded3c81b82ea31cb2f8c23a37827563012f470ea94255ef46db5249 |
C:\Users\Admin\AppData\Local\Temp\MEYw.exe
| MD5 | 390cb6aa36d6a2ec42690a603297992a |
| SHA1 | 7b9f330d2b5b5055ff24a2c29db1db0fd3fba5ab |
| SHA256 | 1ee4f424bfd350f6cef50aa7a60663904c24c3292e677a64fdd7cec95850095f |
| SHA512 | 7d58e91cee679ffec413cf171731784f4972a88a064b1238c1d4f6e1eba63f1735d5401d60a1bc4e37c8574481b021019f3e6859cdc5943d966385ec67436575 |
C:\Users\Admin\AppData\Local\Temp\fSkAEYMc.bat
| MD5 | d4ff3a49f9ee22ddc15df76b2f738c87 |
| SHA1 | 6606228335a7651d59783087314e4e3b1830aa7b |
| SHA256 | f1d6253df040cdc6d65c39ff2ad17d0feadb51c6f63e205f78d119a5f3428af9 |
| SHA512 | ec9d6b03e51129eeddbce99168e77dc9217687add09b4d7e90d5d343a03b7b501ac9f27b1195f8db6146d236ec2ac3ad164a3eb5eed7093eb827f59cd1a7a35f |
C:\Users\Admin\AppData\Local\Temp\UMso.exe
| MD5 | 4ca79424aa5ec4896a922f98dfae17c5 |
| SHA1 | 53db050a85bf4df5a31ceaf3e7a622728e5a5932 |
| SHA256 | 2aef81cc3445bf6881727a5f2dcb36fa5bd5c31d5c4a919e47b5be8a27d19550 |
| SHA512 | 514779685d3d2689b38204a585abafac4a3f1f3cc2f5afb0e587af9ceea70e557d59952c870734be93e71ed0dbf2df9c84e16abc1ebb8c26e6cf2bb04dd380c2 |
C:\Users\Admin\AppData\Local\Temp\mIUm.exe
| MD5 | b83a4c2b0b55d9335246569d3c4bd40c |
| SHA1 | 3d8d8f3977f0c392a4b55dcb85fa80a14c6036c3 |
| SHA256 | 18eb168d454209250596774fd228ffacd0895b9a97ba077d2d3e8ac043293375 |
| SHA512 | 20d6aaeafa1e8c3c3733cd13fe5bfb0327d0c14c955849df115ea453360bff4dbdf5d9b0f9b621e5f8c7edf120531eede6426a3832f037b082fa9a3dc3fdabf0 |
C:\Users\Admin\AppData\Local\Temp\QUEW.exe
| MD5 | c5fe6a5d8cce9683de4692032bd787d8 |
| SHA1 | e05dc3fcc6ac842b5253e036aaae7cbb675fbe32 |
| SHA256 | 3fe15278c859451a061c2713247223400d99a59a19bbc71b8af5ae95331b18a4 |
| SHA512 | d931eccf2fca5b50302dc28c42e9fd9e99e663ab53524d9a5efedb81c696ac58947107d49f32373c82e0709cd33aaabecf31190188de089c7d2259561ae4fba7 |
C:\Users\Admin\AppData\Local\Temp\ZsgIcYYY.bat
| MD5 | 0b841a00b564b0bd7ffff402145cd672 |
| SHA1 | c26c294225eb53f1833697a936417a543eae1415 |
| SHA256 | 7affb5234006058d13bc903a6c29839babfbcd14824b736f06a1421ca6892788 |
| SHA512 | cf153f5037a85111aa8d57ba55e5556a373750d661079d9cd4e00807fc164f03041b9f67aa0ed7281c0fcb77a53d1c338875a9b8dd4a64b4e963b880679fa247 |
C:\Users\Admin\AppData\Local\Temp\YIYQ.exe
| MD5 | d03dd06497f253b386441f5854ae31b1 |
| SHA1 | c493a2d99e0b35f524169e5f4c6db553ea784803 |
| SHA256 | 50b7305e669d2177eb87406625114bfed2c234dd256b1d8ced0c91f4b91b3762 |
| SHA512 | 57d6c8bbadcfe37f8dd5446583d026f5b0313cbcee5ae5673b696141e143476f1cc142f5f9af8b969877a361154d30009b8f6aa5c550fd4e50c8c48019eaad5b |
C:\Users\Admin\AppData\Local\Temp\mscg.exe
| MD5 | ffbf7159ed41fcf35a600d89f7ed70a5 |
| SHA1 | f9bf24cc3b07d7d5e6f6fd83db11c62427a36f38 |
| SHA256 | 5196593813bd0b9a065ad0fbf496721c566397ad8f9930cffc785608ab51392e |
| SHA512 | 3d77935a0353f593bacc69385f101d869a27d98c69bee99f505a1eb456c351ee56589be1e3702bd04d226d67237cef4b46a03880d74b6effd9caf53be52a2453 |
C:\Users\Admin\AppData\Local\Temp\CQAy.exe
| MD5 | e9a17f17d948f671c1c4a6a38ca65d2b |
| SHA1 | 76611f024e04790aa8f8088624b4cedcc7a2ad77 |
| SHA256 | 4ae93a0e223eb4b7f30a481ff3998f0787285d28c3b81f9343888ce07c4c681d |
| SHA512 | 2393c97649398c3b9242fa8f2ac49f6d1366c4b8c4e4844b74842d55c35fafc5fd4143f56dd2508073f8932d5b4eb433a7f23b54d9cb32fa57d22bf41a95afc8 |
C:\Users\Admin\AppData\Local\Temp\tyYUgAgM.bat
| MD5 | db819f2efc2ef69f70970ef59621cba3 |
| SHA1 | 6874f10ae9aeb38f45bc8011431d5b0396417bae |
| SHA256 | 3251a3a7235bef046d3feaa148909b1cfbda5e3835e4b625a09f6e7a06bd4114 |
| SHA512 | d3a5be39d9bcc1cacb40613a4354ea9a5e3506e32ee8ab8873ad20217bf79fdfd990e63a10558ea4d97b8f07dd937c740e7a532cc0249e6ce3314d6ddad365da |
C:\Users\Admin\AppData\Local\Temp\ucoM.exe
| MD5 | d45dc42c9e8602b5c8fc090543a9df58 |
| SHA1 | f4d6dc13e2fa6582e71d735d6b582dd6998933d2 |
| SHA256 | 091da60b9541635817dab2d9d046f499dcbf7db9597fef7734b82f981d05e642 |
| SHA512 | 7dee133bf9658686ecc7df542dc0c8c0f0a72106ded01f979b7e4f0a5f65f447dad3bc64687075a806e4c47857160612941f15567a32f195007fd1048ba5ad00 |
C:\Users\Admin\AppData\Local\Temp\oUgm.exe
| MD5 | 3555c8631d106918dce0dbf92c77290e |
| SHA1 | 009cca5ed7653a61be28b4857a154c24e621e7ef |
| SHA256 | 167e71e42a4006fb5eb3aad3bdef0d369ef5df2dfcc49419e186dbced991cff1 |
| SHA512 | af613ae7a197068bff89371223f87fc8401d1792612a34c8645a169bb7b4f2d660ee399aefe314f59bb14cac6d8c10968642b660a2b9d4604c9738364a1e5fe9 |
C:\Users\Admin\AppData\Local\Temp\mIEC.exe
| MD5 | da63c92599664fde2eea3cd95358026e |
| SHA1 | 32842c72d7f22cd50c35a32a5ac8936ef0be1580 |
| SHA256 | d3c1d81eef90c13178094213497ac478571d7c73f7cad391eac56af9401fc87f |
| SHA512 | bb5125925f3d512cf148e43a1f7c8078ec2122ce03559328d479fa9994a8260d3fc5a7ba67ea39d505d5bdeb6fde627fb3ce561bf40ce62086e4c97e344b91d1 |
C:\Users\Admin\AppData\Local\Temp\mIgq.exe
| MD5 | 65eb0df808adce77308b589bb0fd4f61 |
| SHA1 | c6cc81aa14c372696d91e921fb10453508568f36 |
| SHA256 | d0a6c9cf483082b3290a09b22f0970e35dd8653956b213e3b70478897f2b90fa |
| SHA512 | 5b9774379774607a70af8d12e009680e0555a44b3f39b39540402fa9e7825b1e74f350a8ed832d6f7ef414ab4798ccc02efb16ff1752e9d64d22e70341a184ac |
C:\Users\Admin\AppData\Local\Temp\iwca.exe
| MD5 | dc018ae42ff8941d362b5aa58e396aca |
| SHA1 | 0918d012ab85b00059d930019a5308779c59e894 |
| SHA256 | d4a7b7c1c2e61400f36f3d60380e941e74fb0585967fbab5b9d91b02bd79bd25 |
| SHA512 | c64f495757af1109ea45e849eae65f6669a4f3733d13a3a96ef61fc25c56c2e6396f22ab1d8fa28c900f289b4b4b701776086b00dcf94b2e0266330ab66905ee |
C:\Users\Admin\AppData\Local\Temp\hsIUocMI.bat
| MD5 | 059a66780b482835c87d15aa8740b105 |
| SHA1 | a38ed6eac9a90ac775f9c62d4f1f545020df282e |
| SHA256 | ad6e51126c7d7041823af9349f0592b0b3b202a26a37ad4db731a4cf260f254b |
| SHA512 | 589fa1133792044368911746440f510fd4243453e255d6a1f3a5993e8a7703eea846a48505ebc1292275240cb71a175f8a7141272c1d98ced8b3b44399b720ce |
C:\Users\Admin\AppData\Local\Temp\SkMI.exe
| MD5 | 4e81787128833d8d94dd5e0c642bd3fa |
| SHA1 | e783f82c55ac3ef0a092b26402892a5bbe1c8987 |
| SHA256 | 8e144f9cde93983979057d6afff89c1392b15628397fe5a34fa76465c442d94c |
| SHA512 | dd57eb793fe8bc286208c25f45f951d9c6d4971f6452d01555b926ac06cb50db0e4c53e98a15c59ca9757989fed5a6d4147a364ad37d417fcd687650da6a52fb |
C:\Users\Admin\AppData\Local\Temp\eMoI.exe
| MD5 | 88b76f0862c34fbc301954ca5c2c7ae2 |
| SHA1 | 5abd9f7e1d0be60a33c50085e85f3ab9c1db9dd6 |
| SHA256 | 849b6b94544c34374c217aceefad5bc197c908c0df6946ad81f94e6f7348d0f3 |
| SHA512 | 707cb06e61cf51d8caa331751fb6ba1292edf25303b2b6c616c25c3ebdffafc939deb862483870055f8f79d87996e086df2f5ac5ddb5db487025a0e92c71bd8a |
C:\Users\Admin\AppData\Local\Temp\gAkg.exe
| MD5 | 0f809545b1164c7d7ecdc32e95834154 |
| SHA1 | 9d916770ab60a01fc572f4348267584faa6b5c9c |
| SHA256 | cf68fc323c76dfac4c622c14b3a83074c49a03f2b7d51b878fbc77b6c4e85420 |
| SHA512 | ace2f6d4d3fd356805225b5010d58111147a1991022191d58cc53bef77034adf691086e4baae70892453bca900231a6cedee87b93d3b19e3ffc2edd6a9691ab6 |
C:\Users\Admin\AppData\Local\Temp\qoUoQQAk.bat
| MD5 | fa2893f657c82803814a8d3c1f52725d |
| SHA1 | 3e3bcf2f9ebd6e3e1573cd8f3973149b8f09dd3c |
| SHA256 | f5c9a5b2b058ab8b4d362356006017d949b5b1eb62ebca73e8c2274b82827f25 |
| SHA512 | 7614b41bad859b019ac1ba1054d34dfe319b2ad9066b7294f83ef8767b865f9ec0247e55eefa6ec988502ad32fee7d14b0307e049500d8a9005f2f29cb255b9c |
C:\Users\Admin\AppData\Local\Temp\yEke.exe
| MD5 | 1b366d7e4c091fc5aaadc7a8574ee236 |
| SHA1 | a272d72ac74ad99f29ebe287ba79b2f14b09a011 |
| SHA256 | b84f9f8be3f737c871b2d6645beb031521e1a888cc594367fe9c85c01943f2d9 |
| SHA512 | e2d37d054e5d3d3d1dd1ace9c9f08911a9bf82fa5c0660364f58451504b75acf7fc5e5a2cf172a24cf71078a2e5c052aca739990678bac96ac8c8420c8f73071 |
C:\Users\Admin\AppData\Local\Temp\QwIc.exe
| MD5 | 24bc4ae617990ab64d3c20452e99075c |
| SHA1 | e03da718718f0aaf17e3896a34ad32bc6fe8d890 |
| SHA256 | a17a75ca1248092c15b21f3956e5d134b8deea86485dc50fd98704405e18e035 |
| SHA512 | 486d315bffdf612a59665121057b336c67c3b2833b58f297b58cda3817727b71c492b1485c3515462408e2efa9bfb07c9b12178103e50300b5ca9aa1db8af4ff |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile41.bmp.exe
| MD5 | 186a2dc07bd2da1960d8ae969cf6b2e8 |
| SHA1 | 973943eb994f2192a55e421dde20929fec159e39 |
| SHA256 | 2845d13d87ceda462a836df03b523d12edc2712020240f2297a719e4849cc7f9 |
| SHA512 | f57240d54c25f86a55738e96ed68051d5517bfb2209f25df807b2c39b76cef49f474ed8848adfd0a1ea3648c1a73638ba24b580d6c07d13c826a6a53dcf7b5e6 |
C:\Users\Admin\AppData\Local\Temp\qswQEooA.bat
| MD5 | 6f98cd47ac336cb1d99e200c702afc19 |
| SHA1 | 2707a972c5ecda15be15a19669cae09083faf68a |
| SHA256 | 001cc0b3d8ccacf34832f1a1638aff755ff1e5c5acfc1612efe29502c046643d |
| SHA512 | 57faa95c646f7677ab96d0c9e58bb6dc9f76fd51df786a8ca275de81b240967a5cebe405b311ff1fd28dc7b3156676fc17d5fcfb7d6cbf01ca5e534fd5c94295 |
C:\Users\Admin\AppData\Local\Temp\sscW.exe
| MD5 | 083e567b0b16d02d40b5b079f11971dc |
| SHA1 | c214d360e6a6f34e171d192e0e96c41474bd8053 |
| SHA256 | 3169f105b28adfe8bc1507d070aa7f48455c2a7a28b3f5f77bec8c4b55e7064e |
| SHA512 | dfb7698eb6f5e1741c737bf65b7c889b21a936239621a2f5a3050e57283e251c4443c679427397121c4612669e0cce9da1b88e8cc53b3b27d4dafbc8c57f5ff8 |
C:\Users\Admin\AppData\Local\Temp\YcYe.exe
| MD5 | 03c1da7691f4c1dfba959ff0a7e365d3 |
| SHA1 | 7b937bb0c9ab4dbb14ce9152a8334c8f79e34e82 |
| SHA256 | 7f9acb40f3b5c34fc1f453a06fcb1fa961bbbfbd3d9523450a3b6b8a433dd7e8 |
| SHA512 | a0920553d707a720556f2dbde1420e5f19833095668f5f38b518d1b0d17b9163008bbb248f5738a4eeb71a3271759cae622d78b3eea06fd718c39041ce2faa14 |
C:\Users\Admin\AppData\Local\Temp\sIQY.exe
| MD5 | 6656e50b71766e375135418ffa3077c2 |
| SHA1 | 441ef9f0c33bfdfc1c904927501e6ab11fec6c38 |
| SHA256 | 6ed91011a9cf67b3fd82d5f1e540c4ab5cb8c3c473f20518423cca4e5ec26ac4 |
| SHA512 | dec472a4f2ee8eb8ef39e19846d4d27121c84e0e2ef2c3e3c815dd94d6b54181ef561e1bb831c215179fb2b9149e4ae5135928b61df1d09223ff8580661e8497 |
C:\Users\Admin\AppData\Local\Temp\wQQAUIog.bat
| MD5 | bb3ef62134850aa4bece3950f0f65558 |
| SHA1 | c8ea64f5c0a0776b8416a93209f47b091ef8534a |
| SHA256 | 2f620ab09b224e12d38118ae32c92e14b64b002560be14848802357cd6fb42f3 |
| SHA512 | e8a7f156b1c1b4ae681f5c2dad46f39c77bc76084b888df16b3d26d69265773fb52130650ba9ca681a24935f6de55c2e4f9d8d07f477aedad6cebefbbcd9eaf9 |
C:\Users\Admin\AppData\Local\Temp\zwYowgYw.bat
| MD5 | d0aaf30284b931794b13a27da0fd5ab0 |
| SHA1 | 6697f0d2041337832a5449faf395bf06bf3ead6b |
| SHA256 | 0f4a12492dbb23979dc32beacf5f0b1778eff62fe88ea099be5c72af6ff5fcc6 |
| SHA512 | 0357255e6b59cda0985726c8fff10ac7467a9972969cc5c44938417b04002d46f51acc353e763b9fde06231319cf4943ab4592b7aa107a548dd992e43d9c7cfe |
C:\Users\Admin\AppData\Local\Temp\eMcO.ico
| MD5 | 6edd371bd7a23ec01c6a00d53f8723d1 |
| SHA1 | 7b649ce267a19686d2d07a6c3ee2ca852a549ee6 |
| SHA256 | 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7 |
| SHA512 | 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8 |
C:\Users\Admin\AppData\Local\Temp\SYEu.exe
| MD5 | 38d8f6d47546b60d9b85d1db2987dd06 |
| SHA1 | fb15a6afd4ff1ddfe79285463c7f4486bf62fe96 |
| SHA256 | 3959f8d46dda3a6ebc0087b5ad9ae8c72e3f14419a7158b15ce27c785dead115 |
| SHA512 | 7d94a7e18c466fdde49c70eb80fec6a72aa6d67a662e51793f0ea85048fd8f87e2cc511667100d3cc22a3da96ad261986de64ba252a2ddc006312b35558028e0 |
C:\Users\Admin\AppData\Local\Temp\GQYW.exe
| MD5 | c7665658411a2b44230e27028e84d58b |
| SHA1 | 9076639d5d79ad6c3f890db2b55aa6860cd037f7 |
| SHA256 | e055e0c9eceda378c0df9e0985ebebc7a9a71a26a95e5a392d7c14ccfcc5091e |
| SHA512 | ac6bc53a29d4cd5b4f5b0efe88efd60d0b450014a5bf9db3a8683f3287105359ec2f6a0cb7164dfca523f6319956015e9e6ceeba73e7ee756f5b0bb72449955b |
C:\Users\Admin\AppData\Local\Temp\KYIK.exe
| MD5 | 1943cb27b7ef8a1cf4abe69e5d379da4 |
| SHA1 | 6813fb0584b31d0758a90944aa92f9d3d88f5eaa |
| SHA256 | 1c7af595b0feaf15a46ef87577900bd0103a0310c4f22082d02922a97b1b5bac |
| SHA512 | 933685a2a4a6151db6cc495a36526932bf073af7712f39922b616dba370d7b2afffb5f939146c4948be7912fd374e5ad76372d1a28c414f2e3e1d089007c0bea |
C:\Users\Admin\AppData\Local\Temp\DMcgAscA.bat
| MD5 | ac084cebf3858d0516bae2810ba498a7 |
| SHA1 | dd9fb6b9f0eb3c650d103799c1b728a7eb0c178c |
| SHA256 | c77c0d5b7340adb6a09df4685cbcb418a9c1a1f3d88060ff84eab21433d38b8e |
| SHA512 | aa4a6039d77bc11c9febf7a02255ac7504ded2fac7ae7d1c7896d0d4ac0835f1fcd74db9acbb70a68a8f6b7a08d80b11e029f507610c4987b5d2d7b7ed8a6747 |
C:\Users\Admin\AppData\Local\Temp\WQwe.ico
| MD5 | f461866875e8a7fc5c0e5bcdb48c67f6 |
| SHA1 | c6831938e249f1edaa968321f00141e6d791ca56 |
| SHA256 | 0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7 |
| SHA512 | d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f |
C:\Users\Admin\AppData\Local\Temp\qoYY.exe
| MD5 | 9c6f9ab4e9c78107dca771f05aeadae5 |
| SHA1 | f8cd76a8932101f04554a2606d752fd3d09a3725 |
| SHA256 | 1c5b492e1adcd4613da1b2d0c2200275c852041bef975a023ff2360f4acb85d0 |
| SHA512 | b0c81264edc4ed31726462f41eb33ae8a4f8ff1b72528179770bb639786a68239f68a28183760ee79268513a1f0daea6a7a511ef1a389262a0b12277e818b451 |
C:\Users\Admin\AppData\Local\Temp\ykIC.exe
| MD5 | b340fed8ede0118362e7f46725341ebb |
| SHA1 | b91503613818666aa45404d149aa08ae20327d2c |
| SHA256 | 135e20b1dc5b4eb81d72bfc8c4535800bfdca7237a5f3913ee1bc0a1f35346ea |
| SHA512 | 16a9669e18273d02a75197972f158be5afc5db10eb4ea436841992b02e4c346c0eb9ecf5109e0aada791639dca4921f2d4526e48959dcbb9c90a9857f551983b |
C:\Users\Admin\AppData\Local\Temp\qkEK.exe
| MD5 | b9871512bead7d680e07ebc3d49569ca |
| SHA1 | d0b663cb35fe59180f6279eb518b013597e6559b |
| SHA256 | 0f922f826671f4d44f59a7dcbc731f78a47145c7c99af44d4e22abc8631e4e27 |
| SHA512 | ed32560a3672738eb6d7db386f40d2a665c93abf7a9789ab01b2ea49e9c4c9a0b95f8ec86c01b5d1055926912e49c96e8c342123ff52dd7c080a0d9b2a019ea5 |
C:\Users\Admin\AppData\Local\Temp\PmQoMkss.bat
| MD5 | dedc75e6562ace7eb9505aefc2a92649 |
| SHA1 | 5c727d8506a1c21d2dc8cf7f70a58d307262c11d |
| SHA256 | 805788af8b541596a6c3072783edf0f092a48c6950abc3fc66abaa65b0f3b2e2 |
| SHA512 | b93211d29381dc8bf5c7c5cfdd0c3a688297186be95b314708d72f921b8fc2fa4d8da87aeda3962ca77851d53cbdce9c5c7dd24d1d2285416a2e6676cda8ce81 |
C:\Users\Admin\AppData\Local\Temp\ykcu.exe
| MD5 | 7ae2322c3bba0d067e5c2f853405f5aa |
| SHA1 | 6d38c816b75acf893ef14a641d506684f0f2ea25 |
| SHA256 | e69443083cc5b7f88f2c785c3da7e416e52ff35c7b49280bc7ae26a934240245 |
| SHA512 | 482d8f30c02165fac9e14b780d08aae1992884be02de069dcc26b5ec65a030e16ac4b5828e415eabcb065a1f70e737ec0f1f5019eeffd52c0d84363ae4eefb12 |
C:\Users\Admin\AppData\Local\Temp\IgYc.exe
| MD5 | 8e14348ac787c4386fe6210063999b7f |
| SHA1 | c51733c29940344d3c48ae40b5f06e2dd2f202c5 |
| SHA256 | 36efcf40ff6f81eeb0837693045c416ac273f9733dad0166ac19b68e4dfe063b |
| SHA512 | 8c46afbba573996016e80626a6e6dcd2abd6186ac86df218e33b7d1bc656b6987366b556e22e1f98c5e71fb24aeeab32c2567c1c5602128d940924a9b6ee320d |
C:\Users\Admin\AppData\Local\Temp\kscI.exe
| MD5 | 90a5304ecc8b6a3dda2a6f2b634a24ce |
| SHA1 | 06c22cbd6c090d64f1c0da2c89b888ec0fd85275 |
| SHA256 | 5987f296cb537a69ff72c137084de738ef684ddd10f43a459b6bcbf3459a22fd |
| SHA512 | 95e1f7ff651b73a313b563f057cf2543aa344871bbb58204ed97be8de1d491728b77c81262501ccd8b3a9c498425a861b7c7255c4e5d2351e03ce83271ad86bb |
C:\Users\Admin\AppData\Local\Temp\oEES.exe
| MD5 | 35ebf866b10e2fe65809715ed3e88c7e |
| SHA1 | ff7181cfe7590296386aadbe468bb3bd1f3fa082 |
| SHA256 | 29643af3eb7dba19fb1ee531c3fc77282950f8de7a79b4fd61a5b9613abb21df |
| SHA512 | e3fda78ff03ac67a38fbbda94bf67575df0cadaf654e0c29348841617f4c48265c2ae69076b63fa2d042e1339c6d44a85bfc259bbb11011ddaf826652af3bf0f |
C:\Users\Admin\AppData\Local\Temp\aMwgQYcw.bat
| MD5 | 2a8b4c81eb9740d516e98db676eaaf9d |
| SHA1 | 334adc710369c43dc6207846d3bbb4356ece4f89 |
| SHA256 | 05221f2cc9b6d8ae7e9c1bb417ec2ddbccf50e2d69d6dad0d4f30e752b9e880d |
| SHA512 | c4171edf87e75a38f7c565200a1e11bbb822e5c2a7c1b438abc70f7f920f1d5406cd83518ae9f2af38d6e4ec51649b84018957ac21cfdde9da20305d1ec2d98b |
C:\Users\Public\Pictures\Sample Pictures\Tulips.jpg.exe
| MD5 | 9d404d3e65bb3654204e533fad6a06a6 |
| SHA1 | 38bf2f5200826d5c1a67723dff816bc847b371db |
| SHA256 | 3b5287d79ba44858c6a25a71cbc1711624e69b110014af8e68a06aab96014673 |
| SHA512 | a3c4702a275e1d22c26ff0f3c5b0c78061ad36625d9fe167fdc3e65cffde43d60a71065e870f166239d30f2a548400d0bf6dfabd09c57d62ea8c97c8eb3d1eaa |
C:\Users\Admin\AppData\Local\Temp\GaIoYwYU.bat
| MD5 | 05890388de3d94227ac9dd02ada77308 |
| SHA1 | 8a9030643bc7cdf976cc6a3855c2374ed9945e58 |
| SHA256 | 1b52b40c06dc8dce8bc7e9b11abd30ce44cd72623e31e4b4d0a8997becbff8a9 |
| SHA512 | 168ae6c6d1171a4b379cc582809f8d406b0b16580dbdf57c235b403b2c189c3592f782df11b883b6d30c279a6af91849a5adce37dec9d74eb9aee2783b5e5f9e |
C:\Users\Admin\AppData\Local\Temp\kWQUAAYE.bat
| MD5 | 63e23e2a75170228901e952b650c675d |
| SHA1 | 1f20109123bb241d333328bae1ea922b518a61b9 |
| SHA256 | bd559270d5cb713ca1ea02dccc606cdeb22e2cdb65b789400c2fc27ca65ff8b5 |
| SHA512 | 0a1a1437731ce0158379a359a4617fe282b994267dd2265b2ba71c9058775313d7e55739ae16ee10932195ad1bde2a48621818193cf84863fd5ae651f06339b9 |
C:\Users\Admin\AppData\Local\Temp\BoUQIUAg.bat
| MD5 | 68a8591dee254b344d22f8714d8568cc |
| SHA1 | 7b2fda522e044c7bb681e82ab9b9694da994b2c4 |
| SHA256 | fecafd7095067fb3a1c9f20e55ba937584c809af3d04e15215d7fd3dd1d6353f |
| SHA512 | 737dbf0c20f61896311398b5a2c45014393f56b15d9e5c69db665e1ccd387d335b6374c54504ffb0e383965a9f187299180d2905eebc22e537251e7fd7dd12ca |
C:\Users\Admin\AppData\Local\Temp\RQYAkYQc.bat
| MD5 | 48638dbee30c29066aec8fde36799216 |
| SHA1 | 7397931aea95e66e95341ba1aeaa7c95f6af598c |
| SHA256 | 43f9d9e8f70b6a8e93e777613c01a386217058617b3f2dcca078fe233127fc21 |
| SHA512 | 675f3fc3333c4e2ba468c5c7b5a12b1ccea02cf34af2dfb33989192673f1cabc02ff7e86a9369b4139f0fadea1e1933b2b9ffca276127e164d7d5edbed50487c |
C:\Users\Admin\AppData\Local\Temp\REYAEYMA.bat
| MD5 | 1d7a611d6157c7169316a2bf70eb0dcd |
| SHA1 | 9b3433f30f8322951c942002054caecaeb4543a4 |
| SHA256 | af201d7f1a79e4ee4b9c338e02e55b616bd2bf357cf76bfdfe42ca7ba5dc56f2 |
| SHA512 | e8002fa480763cf4abf79ac8c85faf53ee9d302bdf963da1c0b48969caafa2d7fc8160c62a45568bc2fdea864777893108d33caf67660cc29375119c4b4f0744 |
C:\Users\Admin\AppData\Local\Temp\VAQIksAs.bat
| MD5 | cd456b44f08a993909f7551c56ed639d |
| SHA1 | 1523f47d2a2683f64a6e9059fbab239bda5262c4 |
| SHA256 | 4516bd96ebe517506dfe7d7b4c51bcbf56722e64d40d289e589a1561772d0c49 |
| SHA512 | aafdf9af4c932bb736bc8b92b549e18bac619bb898e78948966516fe1afbcfffff98bb265c0a9bfa390ddabfd11f3d550bc8f3d870860d9cfcf314638f29b663 |
C:\Users\Admin\AppData\Local\Temp\UicsooAE.bat
| MD5 | 68dbf2c87062ecaeca2027b5634503f6 |
| SHA1 | f49fca0da99dfdb0358fa605087cdf9c5d75d903 |
| SHA256 | f526226213c1a0c154c931dcd8f47102d5c858b1b90ac2de80b25ca0f1b11fc7 |
| SHA512 | ae22e1c8250ad99901e74c566158adc99f7d48466fb641bd9842648a60ad1daceb62d9657b55f27acbbf293a29ad5fd36b6b85c22e5c7e0b4d1965e9ba6ea2b2 |
C:\Users\Admin\AppData\Local\Temp\gaAMooQM.bat
| MD5 | 6fec9bfce0dea5cde7803f416c6655c1 |
| SHA1 | c6afd85f3edff18889fd055d45f17f356323f6bc |
| SHA256 | ca0a0e60b6aa2a6d7f3c61df9169dc567e5ad17353f6fa6346cbca8ecd279657 |
| SHA512 | d511a9604d273b2fa762e101054a647d526812a265a3fa1309b45e8bc9a7dfc65cc8fa39977a6cd7146bc34325e80b1c13575d1c9ed68e8918af8225d98538af |
C:\Users\Admin\AppData\Local\Temp\sssYQcMY.bat
| MD5 | 116784ff5727f02ab5417eea05172d01 |
| SHA1 | f22de5c58e90ff0e9fd7a2afaf6c6051267f41f0 |
| SHA256 | bcf7d4017a51fbda7db6dddf27edf2fa211b4344dd6cb322d698d5f3d0d902ad |
| SHA512 | 3b1db3a3b357d237ef2e3c29af318607b4c436b4380dc433264a4456dae5664b8b8f95ad9150b8e22675a136399539badaf59e2c7b5414b4b7907802b39d2c56 |
C:\Users\Admin\AppData\Local\Temp\wcoUEUgs.bat
| MD5 | 916f9c547f9be18bbbaf45416afa1188 |
| SHA1 | 870caa0931205e80a2efecfe106a2578a5abd8fb |
| SHA256 | e0f05c9611872f229f34073f0f872c6dab728169c2c1ba644fe9fad6ddadfaf0 |
| SHA512 | b72488fa8cf409811a617d4a55dca9a28d8dcd0f51c521629e680fa7e464effbe49feb2543d75ed21fce1126e7e40e49524f1c95cebcca9cb84b75c48c3ec868 |
C:\Users\Admin\AppData\Local\Temp\xiIMwsgo.bat
| MD5 | 103ad58b8e58b942d88540c24e0a3147 |
| SHA1 | 006e63501217ee02a5d66f10573a6e998e892dea |
| SHA256 | 3cdba1555eca5eddc97a35586cf2d171e6e58f705737666ca8e3299b904022f0 |
| SHA512 | ab3d28a57f30d44e761f0da190c1312c0e52da4969ecb71ea482142bd1b8336d1402c61b49882f543e4adce1fc89437d731fbf7c8a3e4d44da24dfb68c9b403a |
C:\Users\Admin\AppData\Local\Temp\noYIEMEs.bat
| MD5 | e42503a727a2ff9edaea964cbaa7dab0 |
| SHA1 | bbc63457445f7b0185ef67a4312ec22189e327c2 |
| SHA256 | 9782933c035205d12bbd0b84ee2982800763c3f7713820fbb3a7744026340870 |
| SHA512 | f966dae25baea837ed217b29bb58afeb8ebc80cfb3311f9090c96608fe782da706730ffaa9b7ab91beaf668af71810be5b383bbae849c79b1144cb410ac7cc4a |
C:\Users\Admin\AppData\Local\Temp\DSkoEcwg.bat
| MD5 | d74f043eaf8a127bae0e572e205d0f84 |
| SHA1 | f2b75d03b9f77eabb69bb18b0b119e22951c6ba5 |
| SHA256 | 6b56e57bf683d2892aed49e7ba6fe35b2369cfe1dc8c49b08ef86d6980c8bad4 |
| SHA512 | 3def333c74d3c98b32b253cb9ae002ae18c8d521d9ee6c31515c3c194ff7ebfec721780cf9a1c77cad11fd4b305cc298312c57ebe44560361c5253d78ce3eb33 |
C:\Users\Admin\AppData\Local\Temp\uCsAkgsc.bat
| MD5 | 5e4796b6d18e409081c2a2ed1c7a5031 |
| SHA1 | 22c0285284c572528cd71b0e41f704b85c33ad42 |
| SHA256 | 8c35898329e1ef8055cc28cb485c3770c3fad7e1d0340222a9b857c48646a077 |
| SHA512 | 504abc470cfea6f59d159045968a5f877ec7b0184254edcbfd85f924a6e8f12ea983a4580aa4181eef3c45229944ebdcbc005a888ca0277365316707143506e1 |
C:\Users\Admin\AppData\Local\Temp\CgcQsgQo.bat
| MD5 | 7f4dd322ce358670610204f7e2456182 |
| SHA1 | 70d636a0b486e7fb8b8accb53e16fca5d1daafae |
| SHA256 | e75cfe05cf92c3ad9eea3b44bac39cc3c5b44731b36ba290d4b6fa8af5b6ec90 |
| SHA512 | b4b20e65f4af8e0963ef73d921b3b3fcd44cc02ac59a55be6cf1a691fb3f1d63feee8e7efde2e773f19b4bd2550cddfd0143a3ecba39d94c42d0266dde7af656 |
C:\Users\Admin\AppData\Local\Temp\CoQoUQgg.bat
| MD5 | 492d4d2b8af1b136799e90e965315886 |
| SHA1 | e4ae261801b6d2162c161724c9c60962fa5452c6 |
| SHA256 | 665ba14ba19ac8c2205c4e8792215a4b1628a8155bd485d04c315abb4b55c943 |
| SHA512 | 8edd7c1e101c298821773cd5daf791bc00e78bd9169c1eb8bba98b5f79ab7ce711b3b57326ec9d677ad701e5ed2515723d01ac3f75ad09cad22424173a22ee17 |
C:\Users\Admin\AppData\Local\Temp\SiAsUwAM.bat
| MD5 | 4cfc9f33f2950f30e5f1690fb0a9dbe9 |
| SHA1 | 1c9a8291d7069a2727cd8badc6dc1e5be90f0157 |
| SHA256 | 7160c14f3767cecec7203f9dacef150397b134a17107e711e0a48e9f5511a4ef |
| SHA512 | 6c4fe6baba0ac22dd0e02597f099a0f12d3a8a7b3fe14e1989bf00f78197415cd15fab1e1dcffe7d61c4d03adfa7832db974fe154497f4ef440a4d1b1bfd8c8c |
C:\Users\Admin\AppData\Local\Temp\FMEkkgcw.bat
| MD5 | 33b596cffc17eb3b3e5f86d401418caf |
| SHA1 | 521d7161db1d83bd824f088a5de06f02bd029970 |
| SHA256 | 8b309ba516d708cd048be14da1586a0a4a4580b93239a23bb18cd56b31c25276 |
| SHA512 | 47ce26180abcdae0c3110482790654fa6c3dd0b947537fa7b0344c0ede6db82bdd3ab24d94eca4fe0916004571d0847e985b30ac18e35fbc8eb9c3122ea66f9a |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-04 02:47
Reported
2024-11-04 02:50
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
144s
Command Line
Signatures
Modifies visibility of file extensions in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
Renames multiple (85) files with added filename extension
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\ProgramData\ykggUkQU\RGYAkccM.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\msoccsYw\TWUogggA.exe | N/A |
| N/A | N/A | C:\ProgramData\ykggUkQU\RGYAkccM.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TWUogggA.exe = "C:\\Users\\Admin\\msoccsYw\\TWUogggA.exe" | C:\Users\Admin\msoccsYw\TWUogggA.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TWUogggA.exe = "C:\\Users\\Admin\\msoccsYw\\TWUogggA.exe" | C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RGYAkccM.exe = "C:\\ProgramData\\ykggUkQU\\RGYAkccM.exe" | C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RGYAkccM.exe = "C:\\ProgramData\\ykggUkQU\\RGYAkccM.exe" | C:\ProgramData\ykggUkQU\RGYAkccM.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\shell32.dll.exe | C:\ProgramData\ykggUkQU\RGYAkccM.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\shell32.dll.exe | C:\ProgramData\ykggUkQU\RGYAkccM.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe | N/A |
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\ykggUkQU\RGYAkccM.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe"
C:\Users\Admin\msoccsYw\TWUogggA.exe
"C:\Users\Admin\msoccsYw\TWUogggA.exe"
C:\ProgramData\ykggUkQU\RGYAkccM.exe
"C:\ProgramData\ykggUkQU\RGYAkccM.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wWgEEAUM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ySoMgscQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ikMoccQw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CSUIwsMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sUEEQAoY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uwoQcMos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CawkUcYs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MCYkEMwk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\asQIsIow.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bGMIgcEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WqgQIwwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tscgMswU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cusgYsoI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YEIgkgsc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iMAwEwIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lMYcAIgg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pQUcsEkQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QKUkAgwg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Osogossg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NeQUocMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bCUsYoAU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SaAcIEAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dkwowQsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pqEUQgko.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IUgkMsYM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yqwkcoMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TuEowMgw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kOUkkYMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xwwocQEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wkMYsEwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oKsEcoII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pAwQMcUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xWgQEIkE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jWkoMQIk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HQoAQkgU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lQwUAUAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZEskEoEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eoEkIwcg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gewMkAAU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eSYQIssg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BoYQsEcI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZyEMMccs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\neAEcIoU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xcQcIsAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MkYwwEMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dkAQUgAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hYIocEAM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OCAQsYEQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kQcoQYkk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cCQssEwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hOIgscMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dyMMwIQw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vuIcMwAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jiUwQEwI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZYAEEAsw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TugMgwMU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv KdDXe0snVUqN2glUsRRfpg.0.2
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JEoYMcoQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uYkAsYIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SKQwIgwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AwIsMAok.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GSMEkkUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
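The repeated reg.exe command lines above are the evidence behind the "Modifies visibility of file extensions in Explorer" and "UAC bypass" signatures: HideFileExt=1 hides extensions so a dropped double-extension file looks like a document, Hidden=2 suppresses hidden files, and EnableLUA=0 turns UAC off system-wide (it needs an elevated process to write HKLM and takes effect after a reboot). The Python below is an added example, not part of the sandbox report and not the sample's own code: it parses `reg add` command lines of this shape, whatever order the switches come in, and flags those three settings. The command lines it runs on are copied from the process list plus one constructed benign entry; the hive aliases and the settings table are assumptions of this example.

```python
"""Flag 'reg add' command lines that tamper with Explorer and UAC settings."""
import shlex
from typing import List, NamedTuple, Optional

# Constructed input: the first four lines are copied from the process list above,
# the last is a benign 'reg add' added as a negative case.
SAMPLE_CMDLINES = [
    r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1",
    r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2",
    r"reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f",
    r"cscript C:\Users\Admin\AppData\Local\Temp/file.vbs",
    r"reg add HKCU\Software\Example /v Foo /t REG_SZ /d bar /f",  # constructed, benign
]

HIVE_ALIASES = {"hkcu": "hkey_current_user", "hklm": "hkey_local_machine",
                "hku": "hkey_users", "hkcr": "hkey_classes_root"}

# (subkey below the hive, value name) -> (data that indicates tampering, why it matters).
# Lowercase on purpose: HKCU vs HKEY_CURRENT_USER and mixed-case paths must not matter.
TAMPER_SETTINGS = {
    (r"software\microsoft\windows\currentversion\explorer\advanced", "hidefileext"):
        ("1", "Explorer hides file extensions: a dropped 'Photo.jpg.exe' is shown as 'Photo.jpg'"),
    (r"software\microsoft\windows\currentversion\explorer\advanced", "hidden"):
        ("2", "Explorer does not show hidden files and folders"),
    (r"software\microsoft\windows\currentversion\policies\system", "enablelua"):
        ("0", "UAC disabled for every user (effective after the next reboot)"),
}


class RegAdd(NamedTuple):
    hive: str
    subkey: str
    value: Optional[str]
    type_: Optional[str]
    data: Optional[str]


class Finding(NamedTuple):
    cmdline: str
    hive: str
    value: str
    data: str
    reason: str


def _tokens(cmdline: str) -> List[str]:
    try:
        # posix=False keeps backslashes literal; quotes stay on the token and are stripped here
        return [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    except ValueError:  # unbalanced quote somewhere: fall back to a plain whitespace split
        return [t.strip('"') for t in cmdline.split()]


def parse_reg_add(cmdline: str) -> Optional[RegAdd]:
    """Parse 'reg add <key> [/v name] [/t type] [/d data] [/f]'; switches may come in any order."""
    tokens = _tokens(cmdline)
    if len(tokens) < 3:
        return None
    exe = tokens[0].lower().rsplit("\\", 1)[-1]  # accept 'reg' or a full path to reg.exe
    if exe not in ("reg", "reg.exe") or tokens[1].lower() != "add":
        return None
    hive, _, subkey = tokens[2].partition("\\")
    hive = HIVE_ALIASES.get(hive.lower(), hive.lower())
    opts = {}
    i = 3
    while i < len(tokens):
        tok = tokens[i].lower()
        if tok in ("/v", "/t", "/d", "/s") and i + 1 < len(tokens):
            opts[tok] = tokens[i + 1]
            i += 2
        else:  # /f, /ve, /reg:32 and friends take no argument
            i += 1
    return RegAdd(hive, subkey.lower(), opts.get("/v"), opts.get("/t"), opts.get("/d"))


def scan(cmdlines) -> List[Finding]:
    """Return one Finding per command line that sets a TAMPER_SETTINGS value to its bad data."""
    findings = []
    for cmdline in cmdlines:
        reg = parse_reg_add(cmdline)
        if reg is None or reg.value is None or reg.data is None:
            continue
        match = TAMPER_SETTINGS.get((reg.subkey, reg.value.lower()))
        if match and reg.data == match[0]:
            findings.append(Finding(cmdline, reg.hive, reg.value, reg.data, match[1]))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_CMDLINES):
        print(f"{f.hive}: {f.value}={f.data}  ({f.reason})")
```

Matching on the data as well as the value name keeps the check quiet on legitimate writes: `Hidden /d 1` (show hidden files) or `EnableLUA /d 1` would parse the same way but produce no finding. Feeding the function the process-creation log of a real host instead of the sandbox list needs only the command-line field; the parent being cmd.exe spawned from a .bat in %TEMP%, as in the tree above, is the additional context worth alerting on.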
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| BO | 200.87.164.69:9999 | | tcp |
| BO | 200.87.164.69:9999 | | tcp |
| US | 8.8.8.8:53 | google.com | udp |
| GB | 142.250.200.14:80 | google.com | tcp |
| GB | 142.250.200.14:80 | google.com | tcp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| BO | 200.119.204.12:9999 | | tcp |
| BO | 200.119.204.12:9999 | | tcp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| BO | 190.186.45.170:9999 | | tcp |
| BO | 190.186.45.170:9999 | | tcp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
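The Network table mixes the analysis host's background traffic (PTR lookups through 8.8.8.8, Bing and Google connections with a prior DNS query) with connections the table attributes to nobody in particular; it has no process column. What stands out for triage are the rows that go straight to an IP address with no name resolved, here three Bolivian hosts on TCP 9999. The Python below is an added example, not part of the report: it parses rows in this table's format and separates those direct connections from the rest. The rows are copied from the table above; note that rows with no domain are printed with the protocol shifted into the Domain column (`| BO | ...:9999 | tcp | |`), so the parser accepts both that layout and the corrected one (one sample row is written the corrected way). The classification rules are this example's own.

```python
"""Separate the sandbox's background traffic from the sample's direct IP connections."""
from typing import Dict, List, NamedTuple, Optional

# Constructed input: rows copied from the Network table above. The 200.119.204.12 row is
# written in the corrected column order; the other domainless rows keep the shifted layout.
SAMPLE_ROWS = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| BO | 200.87.164.69:9999 | tcp | |
| BO | 200.87.164.69:9999 | tcp | |
| US | 8.8.8.8:53 | google.com | udp |
| GB | 142.250.200.14:80 | google.com | tcp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| BO | 200.119.204.12:9999 | | tcp |
| BO | 190.186.45.170:9999 | tcp | |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
""".strip().splitlines()


class Conn(NamedTuple):
    country: str
    ip: str
    port: int
    domain: Optional[str]
    proto: str


def parse_row(row: str) -> Optional[Conn]:
    """Parse one '| Country | Destination | Domain | Proto |' row; None for header/junk rows."""
    cells = [c.strip() for c in row.strip().strip("|").split("|")]
    if len(cells) != 4 or cells[0] in ("", "Country") or cells[0].startswith("-"):
        return None
    country, dest, domain, proto = cells
    if proto == "" and domain.lower() in ("tcp", "udp"):
        domain, proto = "", domain          # protocol was shifted into the Domain column
    ip, _, port = dest.rpartition(":")
    if not port.isdigit():
        return None
    return Conn(country, ip, int(port), domain or None, proto.lower())


def classify(conn: Conn) -> str:
    if conn.domain and conn.domain.endswith(".in-addr.arpa"):
        return "ptr-lookup"          # reverse lookups of the host's own peers: noise
    if conn.port == 53 and conn.proto == "udp":
        return "dns-query"           # the forward query; the connection it led to is a separate row
    if conn.domain:
        return "named-connection"    # resolved host: check reputation, do not dismiss by name alone
    return "direct-connection"       # raw IP with no resolved name: the rows to pivot on first


def summarize(rows) -> Dict[str, int]:
    """Count rows per class."""
    counts: Dict[str, int] = {}
    for row in rows:
        conn = parse_row(row)
        if conn:
            counts[classify(conn)] = counts.get(classify(conn), 0) + 1
    return counts


def direct_connections(rows) -> List[Conn]:
    """Unique (ip, port) pairs contacted without a resolved name, in first-seen order."""
    seen, out = set(), []
    for row in rows:
        conn = parse_row(row)
        if conn and classify(conn) == "direct-connection" and (conn.ip, conn.port) not in seen:
            seen.add((conn.ip, conn.port))
            out.append(conn)
    return out


if __name__ == "__main__":
    print(summarize(SAMPLE_ROWS))
    for c in direct_connections(SAMPLE_ROWS):
        print(f"{c.country} {c.ip}:{c.port}/{c.proto}")
```

The three 9999/tcp destinations are the only rows the analysis host would not generate on its own; they are the indicators to search for in proxy and NetFlow data. The table cannot tell whether the Bing rows came from Windows or from the sample, which is why the example keeps them in their own class rather than dropping them.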
Files
memory/1152-0-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2800-7-0x0000000000400000-0x000000000041D000-memory.dmp
C:\Users\Admin\msoccsYw\TWUogggA.exe
| MD5 | 762ba276dd49f27a4e090499922507b5 |
| SHA1 | 02f7f1baaa3a0d4f51ef19b8e2e45da3c089fd51 |
| SHA256 | ea73231b6aeaf7e3a4e4c6f32df9c6b4af45647ab41265095757a5c9b703e3dd |
| SHA512 | cd5b337f0939cc8d1bc8b508205bd7f3ff3fe88be8e102c3eb3b9cfe8761760a24499cfc51cb4cec6d0e1a271917c47635a2d462fdcdb0c7f4a864307bb36b3d |
C:\ProgramData\ykggUkQU\RGYAkccM.exe
| MD5 | 83e29614e5434ce89dd70796e9a5821e |
| SHA1 | f2060768252d7737e54e0691ec9d6cc200e6b316 |
| SHA256 | f3372f03616c220cbaaa6b2940061924943044e2b9853fa3fb9abd7a68ce09bf |
| SHA512 | 3fe2a466b4edebf7ea03ab1e3a2dd5de5b505a5634a108c0704568fa9bbe32b673cc4bff28a187dca1e4e23ba6b901d6696c6f7914099ee2381b55d0eb7c5228 |
memory/4084-15-0x0000000000400000-0x000000000041D000-memory.dmp
memory/1152-19-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2700-20-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock
| MD5 | d342c2b5f3d16dc992db22cb737ad617 |
| SHA1 | 615a98744fb22809454b706174597a4d6b6d128b |
| SHA256 | 0618d6fc5a05288bb126eb258fccfe7697e194022a57206671a172a39bc5e486 |
| SHA512 | 4f773f0cb331d46e54f89db7af96be8cd72689cd85d6698d9737052ca088c30e9bc4064cefc277ab7b65b76787735956702f6c7b8f048cabe46c2117107953d7 |
C:\Users\Admin\AppData\Local\Temp\wWgEEAUM.bat
| MD5 | bae1095f340720d965898063fede1273 |
| SHA1 | 455d8a81818a7e82b1490c949b32fa7ff98d5210 |
| SHA256 | ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a |
| SHA512 | 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024 |
memory/2700-30-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\file.vbs
| MD5 | 4afb5c4527091738faf9cd4addf9d34e |
| SHA1 | 170ba9d866894c1b109b62649b1893eb90350459 |
| SHA256 | 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc |
| SHA512 | 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5 |
memory/236-42-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1456-43-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1456-54-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3376-55-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3376-66-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1796-77-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4916-88-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4920-99-0x0000000000400000-0x000000000042A000-memory.dmp
memory/352-100-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4920-111-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3524-122-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3604-133-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3312-144-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2964-155-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4368-163-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2116-167-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4368-178-0x0000000000400000-0x000000000042A000-memory.dmp
memory/756-189-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2960-200-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3872-211-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2632-222-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1796-233-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3516-244-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2768-252-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3092-260-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1640-268-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4952-270-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4952-277-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3816-285-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1800-293-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4692-301-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3204-309-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4448-317-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2796-325-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4332-333-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3620-341-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1456-349-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4564-357-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3256-365-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3204-366-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3204-374-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4912-382-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1728-387-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1512-391-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1728-399-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2084-407-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2304-415-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4956-423-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2884-431-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2084-439-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2304-447-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4544-455-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3572-456-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4544-464-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1636-472-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\FYsc.exe
| MD5 | dc33b81dd8a68c1c41e2fd51e39ae800 |
| SHA1 | 9a53c1c86ae447b4c876a3be344267ca1e653492 |
| SHA256 | 49d206a6fa8e09c83fdff37aac7a350266a5e26796e611cd97db848b5db5fbb5 |
| SHA512 | 0a6723655b0b786e7fd9ca5efd3d6d8389961eed333fb53179bcfc9de1b45b453c550657c23452276f419006f1e520e32897b0334a0b010d73dd1e65b4d62df8 |
memory/236-495-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\fQEu.exe
| MD5 | 0fefc93c562d5be641ecf5bc5d692b97 |
| SHA1 | 15beb331f683edfcfc0364ff7ff8e4be7c136676 |
| SHA256 | 0dbb35613cbda03092b381104bbbee6ead00c06cb87aec5a5663a3b0b6fa6e79 |
| SHA512 | 3dee9edfa193de69d2115d37be012deffeaaa9594810e8c2e391e5f5d1cd201e5404bd64efeb0e36c7990f35bca3bc3336612421ed1287f0175a4a8b772d29b8 |
C:\Users\Admin\AppData\Local\Temp\lgkS.exe
| MD5 | 0260e85a0c5e9759b1c890805a328cbc |
| SHA1 | dd9b601269fab39fd854dd6fa7b0db376b793b41 |
| SHA256 | 776eb5bb42a264598594ce23a251b0d5bc8e7ef32da7c99a0d470499ab1f3bfb |
| SHA512 | bf281ee50a07825e2ad7cb9c8e21d7bfc5f9ee87b5d78961f000b69af215dd738ef32509f4c468daa2f53b28e5bb7d9a8adf03d843fb9442a250bd0c9f0c22c1 |
C:\Users\Admin\AppData\Local\Temp\FoIc.ico
| MD5 | ee421bd295eb1a0d8c54f8586ccb18fa |
| SHA1 | bc06850f3112289fce374241f7e9aff0a70ecb2f |
| SHA256 | 57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563 |
| SHA512 | dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897 |
C:\Users\Admin\AppData\Local\Temp\eEcg.exe
| MD5 | 19634ce068d51bc43d7c26067acde4cc |
| SHA1 | e9f48473010d6e6b8b320f75958f888dbb1208de |
| SHA256 | 9dcc3a71ac21838af0298389355aa469f339414a35f2635c41ee728592f40c75 |
| SHA512 | f70dc4474ecb4d999717be66125ac5dab42423333541a5d431499a87e855596189116c82ddb74ab069b2ee5f3b8ddc2fc91507c61bf2f6fb1e7f10ca7c28dc26 |
C:\Users\Admin\AppData\Local\Temp\BksU.exe
| MD5 | 25d08201b43c81b3fa191482a76a4807 |
| SHA1 | 4ec76d9f5b6dd3775eff77caff0fc64c8f87101a |
| SHA256 | 3c7660dcc1bef6cc95baa5b4af3406d0d01d39cac51a20186a4efd61a67523bd |
| SHA512 | 14e04d7fc598d5c54762fb926100bc9cad03f1b7b2441bec85bdfe1a61fe6de055c912c7dff41e499b1b5cc3d27c709bc98998ad84b2b392d2419003730dbe2c |
memory/4892-558-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\NwsS.exe
| MD5 | 203343f0c9acf1bf7e17695fb946a322 |
| SHA1 | 5152fcdbf426ffeed5b86707166e0956c8763943 |
| SHA256 | 8f9dadc81f1d13eb95d52c66fbf3bf1b19a41771b4876fa55a80c5007229fcfb |
| SHA512 | 8eec6ad119987e77022400c28fc8726a34578cc6206b59992ffc844d2765ca242a24d1ad0b1d131fa1034b6e36b5a5bc43df7e0e3afe9ca4231c54524e968d6a |
C:\Users\Admin\AppData\Local\Temp\BkwA.exe
| MD5 | f63012bf294e20059283004febde327b |
| SHA1 | 95e372d04b2a2584f6c9f9b3a75d1c1219e91aab |
| SHA256 | accbd63a4eacdd27dfe8a09afb27d343be1aa97306dd315a384193f1f962de13 |
| SHA512 | 5753dce7a819278bfb1cfead0ad13200927450a2397bb76dc2778307ec3a762ecd5cc2eecbeb495fffb48acd4d6a567b71db595397a39b5c45346b30e0b999b1 |
C:\Users\Admin\AppData\Local\Temp\uQQG.exe
| MD5 | f64214cc5e8d04b7bea59cae61632d6a |
| SHA1 | 246bd22c33c74f3ab0d36d1dea83c4b97ef6cf74 |
| SHA256 | d37ddaa2b6d8e3463530bc9e89d38b9de2f04f43d552eec3079413d263e24bc2 |
| SHA512 | 9ff1210a6ac3e980e85ff93ae7b7e5f3864108ca35f77972acadc037ef7873676991357ae7cbe6fed36927befb04ef64f87e541d5b52fc31201c430fe33d1d98 |
C:\Users\Admin\AppData\Local\Temp\pkou.exe
| MD5 | 33211a9d97c9d19896d941d57eb31a7e |
| SHA1 | efbd097136ac652531d8900fcf857dadcbc4516d |
| SHA256 | dde864656f1391a3048dace26d0d88d79f37960b3513e6d45c05b75295d43f9e |
| SHA512 | 5af6b23082edfbd76efc4a14ac6e4f3692ec39808ec2ad58da5b022ce29d3fe6a9028d05ca0838db3368d4ee994090eb2b03d9129f4c1a98f4ec963aeb925dc5 |
memory/4428-622-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\qoQI.exe
| MD5 | c3ddd697fd4580ec51587fe381e0f7bb |
| SHA1 | ae0228a4038a39e34b3f64848bcee41abcb58a9b |
| SHA256 | da9cd995aaf4bd08075454652c5ceae3e89fe0618eb3c110e615044eee6b442b |
| SHA512 | e5d99735aa02022d49509b3a83940a51e0a9fe7782ba6475e2ff620de20f2efa0f8529be57f231f1f1512c91f079621ba89cda147f679141c34dad5358793849 |
C:\Users\Admin\AppData\Local\Temp\tcku.exe
| MD5 | 82b59b67d2ffaa36d5d6b1e0fa5e93df |
| SHA1 | fbaf9ff72baae4a13c252535fb6000995f7fa11a |
| SHA256 | eb3c614d2ba240eda99177474da6c96a60af5999d116c60d59382ad4c3e13630 |
| SHA512 | b49be0b80b501bb33ecaf4bc57018bb18c3d9e88faea361b80566ebeac5ba56c7ade3740479037a50d18d57164078f5b867c836ffb4951c4497cfc2ff3bf3a34 |
C:\Users\Admin\AppData\Local\Temp\Bgwq.exe
| MD5 | 5556438797ef34dd7f659f13ffd59617 |
| SHA1 | 62be2b8eb4900172e94b058b6238eef08275380f |
| SHA256 | 20b8e773b3491ccf091e6e07d291f4e8bd204a1e1697de7c1ad7797f5876962d |
| SHA512 | 8a23d1a5994a12ccc9d2616883505d7cac9ac548b072be202c2993ad7494c78971ca7e7ba50ae5a9990524d38a5d036d7899e1b65548094e7965365ba505c9c9 |
C:\Users\Admin\AppData\Local\Temp\Ookq.exe
| MD5 | 75fa56e6d5a9978bb58bdec7d8413aad |
| SHA1 | d88378e67133af15a104965994b31151554723b0 |
| SHA256 | 58817766eb8247411c17f291dcc96136e19914eed329a22d5423ceb71b477e1a |
| SHA512 | 7c34a41277cf8d57a6460ee2320117c0a26c87792d231910afbc6afba9ba26e34b45b8a543bfbe6354a07acd53cdb57fcfbb945ba99d1b9712f47377af7840d3 |
C:\Users\Admin\AppData\Local\Temp\kYAg.exe
| MD5 | 5cc0fca4414be8c5dfcfbfc293b44ed3 |
| SHA1 | b2645d6acb1121e819a9455d25c0137a84d8744c |
| SHA256 | c29cc64ba7359d240bdb3a9c8325214b5d679a930db0e3d28368ae2f2eda1c74 |
| SHA512 | a14e62ddcd045caf1f187ba8c8e5dbaaaa9aabd96180e30a2d5188dce6138538b126f1559678bcd3e388ef44f42de1853c723921ff667363f35aac3ce0bd5482 |
C:\Users\Admin\AppData\Local\Temp\KkUu.exe
| MD5 | 59ac1b8397a3dde7ee8f4ed8d5ec092c |
| SHA1 | 05c7064771c28fdd10ddeedde468a5ce160dd443 |
| SHA256 | b299759729f4c0a5dd5ff31c64353c463816e64bbc3460144283d2d25055c03a |
| SHA512 | 4a34b6c28bac789fbee6e94e1e267c398747022a542288011d6d3519d5a600d1aa7926faec6bb53bab2e8f82606ae4fbe20b0c2041629f1e8b8ec84f61bcd814 |
memory/2076-728-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\asIa.exe
| MD5 | d2d596e28f9ae4834fdbb6709d000aca |
| SHA1 | 327a0558417ebc89ef171a2e6f133412eb855cac |
| SHA256 | a449a5072c0c77e5d3fea75e948d54e1244e4fb0eaead534596ee4f0869b26bc |
| SHA512 | 3b0c90a30e45ac1d20de74383781771630f91eca2587b6da3cce0c0acb31023d7d6c8f342a2432c8085dd544d7706ab8143940fb17ce145075b03493b864d5cc |
C:\Users\Admin\AppData\Local\Temp\tgYm.ico
| MD5 | ac4b56cc5c5e71c3bb226181418fd891 |
| SHA1 | e62149df7a7d31a7777cae68822e4d0eaba2199d |
| SHA256 | 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3 |
| SHA512 | a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998 |
C:\Users\Admin\AppData\Local\Temp\zIQQ.exe
| MD5 | 56d601cecbd1272e6bca3e683fa7065c |
| SHA1 | ecb779a115ef0eedb21bc0c9286ead7b8dbf4e71 |
| SHA256 | 1616d726f4dc08d2bd6709695554757894183017d1b8955317810f63fa8cb1ed |
| SHA512 | 160a7530cb6361528fd8ea6a874615fcd5da979f15eafbbd825cf43c20bb9e01dd4c17be5d8985816340fb9c2ffebf46b63e180586d5a040ff27acdd0d92b5a8 |
C:\Users\Admin\AppData\Local\Temp\dwgG.exe
| MD5 | e6f7fda48ec4f27411f0be2e0d190592 |
| SHA1 | 877bac19ff5d61000a71fefefecbc939754687c8 |
| SHA256 | d41f5fdcaea17b0e938d723b3f6a63818a623148da1075f3f8da1ed7352d3be4 |
| SHA512 | cd34202d4e984a46b8cb741fb6cae0b0d932670263e1f3cbe95566d5d7038f5c919dc56e2bd8674ba7725880b184690f4f51ac16ed518bb6340b31dd6976fa45 |
C:\Users\Admin\AppData\Local\Temp\rkoY.exe
| MD5 | 2564868f4451507d63467f9646893d07 |
| SHA1 | 9a44149a9377125131ad33d5244bfd10a8ddf983 |
| SHA256 | 0b53fd9d5dd7e9526bda4c75a1cc5a0b3946321ba4be1a2034a19d94ac0cda56 |
| SHA512 | 66fb8f1cd2d5f51916d4d20c4490951ceb18e6201d316c6e8d8115672518b24c1ad7212fdcd01835c6a7196d08795916bea117e145466afffa3ed8a3af1812b0 |
C:\Users\Admin\AppData\Local\Temp\OcYQ.exe
| MD5 | 3582a5ed1a8611df00516a14514ef21b |
| SHA1 | b5f3176cce2cf23d5c22dc30bb6587a4a0c6919a |
| SHA256 | 1e03de79cfdcbba046dc58d4ea839d5086037056d99933a91ea56253619dd61f |
| SHA512 | 8b14a23a1321a6fcbde8a4d7937f3586983b4b2f52312977fb2d38ab81afce9441facfb03708e5cdcde82b3e7cf7769fc0a06af85e2e598f922b0bc6c0918c2c |
memory/3996-792-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\wAEW.exe
| MD5 | d8fcacd8d512e6cd39ac25d57e100b28 |
| SHA1 | c29a571809471531acb267aba1b79c8a72a98ac9 |
| SHA256 | bc13bc818e85084d0673231660d11af1a8cf4440987682817c4ec5a52f994280 |
| SHA512 | 7b98589dd6715904dee68b7ed4a092256fef69cb76d00318ea5b26be4a3cf9dfd8ad2523b3f6bff872edf6773d71f887246d2936fddf0d636942d14d63176e38 |
C:\Users\Admin\AppData\Local\Temp\xsYk.exe
| MD5 | 3dd50e512e4cd96afec1dcc348529f96 |
| SHA1 | 927a9e8c6ca87eeee83b33bcc27707d22d955160 |
| SHA256 | fb300f777c2f589caa456c486db9fc04665f563ded456d4568c7add54c7a2e2e |
| SHA512 | f32ef0a404a586d8b32603be5e9d3cc200ebe10caccc9f6667cb60cda4c3b64b2325847928e08674a6da8d364a335e9d047e399afbf4fd82b6b28fe7777cb3e1 |
C:\Users\Admin\AppData\Local\Temp\EscK.exe
| MD5 | 393880394328fbf79b4de67142dfd880 |
| SHA1 | 19e69bad6ac2fe9fe88807ff1476c8289a6bcdbc |
| SHA256 | 39554617b114f2b29fc352ba103ccefc9d3cb8b9362c51e8489f9b02d9bd1f60 |
| SHA512 | fe0902f5d72c2a399babd0dd6123ac246e8a0fa18a5ce8ea2367990b3d58ade7c77b59c7f1bf0e99756281e2446fca29d1e653c92e6f6a09d0318e7117aff8b2 |
C:\Users\Admin\AppData\Local\Temp\McYQ.exe
| MD5 | 25801e7a2e6d6b4b4bdf25192a43e329 |
| SHA1 | d54719714c5a58ca49cbe0008dbb0efa2c7c1977 |
| SHA256 | 77ce218f36efe598652d5083c9bd675cecd43d3455d7925e2a05f0515149dd06 |
| SHA512 | e597f4c7a77391af5770e0067cabf0b8eb7cc86dd64a0e3c5091238df062b51428a18b2c8581868635d0314fa25f25baf5f2ec6ab1d3868756348f7a304775c6 |
C:\Users\Admin\AppData\Local\Temp\tEce.exe
| MD5 | b2031cfeb812d9639f61a572463fb98f |
| SHA1 | 26660f726458b4075f2c7e607a4bc4683cd59735 |
| SHA256 | 7234c0ce41855ad34a55d12678b91598509f1b95566fcb292f3872081a8201af |
| SHA512 | f1a71c962d87da09a98875e09b9fc5087bd9763ef7630d132666e4c8e3dca1d4dd248a8dac5cfed29150d8f16690150072faf14ec319339a42cea9d15f75bdf2 |
memory/2136-857-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\GgkQ.exe
| MD5 | 7e400de21d1fb334923c34700b6bf0be |
| SHA1 | 35a88b000034a3c4104de1060ef3b4aaf2e19555 |
| SHA256 | fc0edcd076f5ca189cc8213f85278c2765236139caf1931829584384d7503a88 |
| SHA512 | 3194ecae0b85ce76ccd91b71679e239db5e8e7fec34255c28e42f082bc1bb802cd7fdfba4d12e9560693d26a13d35d7933ab438bd043a58a26ab789f4f535d93 |
C:\Users\Admin\AppData\Local\Temp\pscg.exe
| MD5 | 252968b50efb58ff326a4559b7089ed9 |
| SHA1 | 66b67ad67f585b648bda784e36f4ae01d2df27e3 |
| SHA256 | c0c539120a46e2aa752a38057de2a10b6ff285335cbd71fb0468bee1f3634824 |
| SHA512 | 35b7e8749b464f348da3f38c18eb645521ffd9524c2e20944e1c3f3aecaa376846bbcc9db6b31c210b0f1c35b5f33014d6d4b9e02d35b42100df4cef9a76f165 |
C:\Users\Admin\AppData\Local\Temp\UYMe.exe
| MD5 | 224c612bfc28346d0ed3f71ddc38a345 |
| SHA1 | 9f8678751d27f02b90be7c68d3a4784d8af38793 |
| SHA256 | 6206a04f5954c9dbe83f412eeb73ebd32b4f3e9209eb5106dac1854ff209ae54 |
| SHA512 | ab7a7d9f3bdccc7d2d4888d928d589795583c34400a23eff4799097b94de5966f5172dace410851e2f3696241660bef470ebe7e6039cad22933fdfd8a5a1e2b0 |
C:\Users\Admin\AppData\Local\Temp\IQAE.exe
| MD5 | 742c6be945bd80d4a0f7445a1658fdf6 |
| SHA1 | 14c7b0271901a445c483572011a5777c161c1516 |
| SHA256 | 2219dae9810cb26cf8ce1b49ed112307d6ae897aa5032197208e0c35cc2f2da2 |
| SHA512 | b993b6958a245bdcbcfa5693be2be70ab712a8f98934758623f736a19f6efbf52ee11dc684ceffe51f2fa125d4d321fc6039cff85fb1ca897f51fe5728be7968 |
C:\Users\Admin\AppData\Local\Temp\UIkq.exe
| MD5 | 68e3812716d8ffcb08777ffbe6a3042c |
| SHA1 | c8ac28c9d6446ebe4d2ae0cada8e93c037a0b927 |
| SHA256 | 5728a9ed2376d4fe7f3ca00c7e4bf316491d8526f9e060ee15e600aec446a13b |
| SHA512 | 9b48bbb9209d65709e4c07b33e120dc8f4bf6da723962d37eb91c94ad2242db762f3ce63f61175abf9f0bcb6eb380f1bc2bfe0946d22ba2cf618d783dc1f1582 |
memory/2380-948-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tEoY.exe
| MD5 | 8c46abd9de3f9ad207feb536d628b7e7 |
| SHA1 | ec25457618dfc2691bda43c7d4dcaef72ccbb0d4 |
| SHA256 | 195a2abda90a0ae5b30e0972036564bce775540d2b3ca782d85b143c1c70cc4e |
| SHA512 | 7d5382bc901e66116ede91aae47288d8e5ce0375f5e4e2b0083dc5e57b6f3b0974b2b4359d0890a12e96fdc3e1937e562d12268fe58a9c9da65eb4d75577b895 |
C:\Users\Admin\AppData\Local\Temp\DYYi.exe
| MD5 | 612cbbe78021b49ccddad47445e37fa2 |
| SHA1 | a540a67cd39ad0241d7e33a09ad72e854fc32e69 |
| SHA256 | 4f65356d4d84fd751b372abfcfe60dfd8e397aa8e7d6d6cda9fb6bde735acc98 |
| SHA512 | 598b574e4af9fb15caf417d078735c15da6f9f914417ad2ac885e372b988b31f609943a80feef5bb92c685a0d875d9c001f4f6fbdc98f1174cf73a5e13885d24 |
C:\Users\Admin\AppData\Local\Temp\ooUo.exe
| MD5 | 5795dec9c3bd07346dd6db0bbb84b432 |
| SHA1 | 1b83b25f8ed5a36f27ed83c1004f4cff86e28602 |
| SHA256 | 487b681ac61efa128f1aabaa86d543f9fc5118f97f38d50cc623cf29b6b034c4 |
| SHA512 | 95a525acaceef398de7e1a055e62232a46faac73ddc01f82fa95c973c36df3b028ca54d68ae7ba8e7b680ec7a1ed08df4fcd0b59970af7c9036eb0762fda8af8 |
C:\Users\Admin\AppData\Local\Temp\pEYo.exe
| MD5 | 65318dc374eb9c97d1b7ccd2dc60e67a |
| SHA1 | 39eba29d00698d131b88616896ecc5573cea8d92 |
| SHA256 | 5b367d09c42281aedba293bb4bcb799abf2801de95dd78bb3abed2c03cba44c0 |
| SHA512 | dbf3ec86aa365164b0fc4c8cb8ee7c03fac9e7d0c05707e4955bb149cfffde08951dc90331a48d8671596fc01c0b21c97ad5b96b6184c29546d9c2bed271e656 |
memory/4564-1012-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\SoIY.exe
| MD5 | 77863146ca88c44976f1e56d8bd6d54b |
| SHA1 | 7c745b829711818a01390534bd2b5db91c76b493 |
| SHA256 | 378d8181d7cd2c0959fcc7ad7442638dbddb9394b535d5474618c9529fa6fb3c |
| SHA512 | ae9cf9b22292b649cfd5f3e134121d740ab1c9cf68b562e052dce46395b38cf12359cefb5c8e824c52cdc08b5641eb9e5341ae9ed5e52bc2432a142fe8cce5cb |
C:\Users\Admin\AppData\Local\Temp\OogO.exe
| MD5 | 12fafbaba56c3c65eeb291656e05768d |
| SHA1 | 27a6c64675c3a68dda2e8170c2bd015d58385a28 |
| SHA256 | 70553892a0081b283662388f5d5ea0e90b62d6bc9f740c3a821e11f47bc9e55e |
| SHA512 | 1449203af5af0f6c99168e683f32a20a8a5712f2b73f5f0cd6961c9bc4d3bced7b4dec67c3f722f35293d5296bb818c88ffd25b2ed7ebf32d4bba66732f94fe2 |
C:\Users\Admin\AppData\Local\Temp\hEYO.exe
| MD5 | 9c13b366edb7fe044c46c8d391937c1c |
| SHA1 | 8e46a121ab50cda92b7ea5d9747207deb530f66e |
| SHA256 | 2d69ba164a5cb0b70d4480f30c6470d78135765150f96ab78e7b22a5225f70b8 |
| SHA512 | 35fa4fe01664a2ce53a554f0e105e21d1ba095b698a191e20788e5c6d7326aca14b9077f4322475ad6c0b4e64f0d469789b8c6eb8c1809c6823cdc8e8f5ad6e7 |
memory/3928-1062-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\LIMC.exe
| MD5 | 0166ad5ea7d08f549d917bebbc4aa7ba |
| SHA1 | b7e282853c9ed27af6e3e0c4e52982ba22005189 |
| SHA256 | 66990596e6bf36a6bc852af8fdf2d93390f710021cc42c86ec62bf4d39c1c599 |
| SHA512 | 6c11d1dd0b468b613bc769158b85ab58760732b87b36be326598ee4f20d206816a58bbd4d7c26f3f769a976c333e15b18ce1f0f1b7cdc9908512bcc49909f6ad |
C:\Users\Admin\AppData\Local\Temp\ggQw.exe
| MD5 | e08e572979a5e7f8b316c99939303504 |
| SHA1 | c4d82aabf0e22a6e322b87931b87b15983a2b0c7 |
| SHA256 | cfc3cafc2c30857f84967d2e1c0d00b9bc04919a3636e500bc526337e92ea86c |
| SHA512 | 2400bb39dc846bcd23b24f6431b7635735e60a30314fa9b0dafd6dd6ab61575c7cd93f3a9cde15a43f76ec170a50c6687c8a5f34a39ea3e5bdb6196fad8738b8 |
C:\Users\Admin\AppData\Local\Temp\kgkW.exe
| MD5 | dc2d61633ecaceff4fc0634c34386f9d |
| SHA1 | 1d9d8a1dde80eac3c07f0c8a3f21d3f2a5f78430 |
| SHA256 | a8c37d56a94d1dc254f3f5d8def4554f9c4ec6d325ed4bfd1b679e449957f879 |
| SHA512 | 15841a73c2d3060387f0e0f345bc48ba620d3c7436e506c872788302024411b6c4ea1b53de9b401961e569817e10138c5d335e390c3bc68c8b159f74dcbb118b |
memory/4540-1113-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\pwkm.exe
| MD5 | 77f421658b73c368afae7ff918089018 |
| SHA1 | aab56b95d38467723ab3c0a997a6829597ff561f |
| SHA256 | 82d14981ee1a8eff010c49963c6b0d50e49c6eda7b1574ef4ed2eccbe73b3210 |
| SHA512 | 77a36e80eeff8ebffd5ee26f2abd115532f64858988a4f094fd0fa10ac5d738708c4d84d24a233e94df61f402dfec408fddfc821cf780aa63f5ab778fc1ad01e |
C:\Users\Admin\AppData\Local\Temp\WMgw.exe
| MD5 | 1b1f946bad9afc182e1e403c4337c1ef |
| SHA1 | 560a28278e4ad7e19c0ae84966cc4c385afd20dc |
| SHA256 | 06976bec6ddf624c02b8624adc16b629f16a44cad9db9f6bfc79fd252f43b756 |
| SHA512 | 838fd05c5b522b52ba3733e3a31ce4c7387fc05f9f314843ee01ffa1d4ade58516c7508aa4ef90f67563042a800ab6b7b9e8fe3237baed0d8fbb7821fc76544a |
C:\Users\Admin\AppData\Local\Temp\uMoo.exe
| MD5 | b32ac7a1287d62d1a506a316769be3fc |
| SHA1 | 610a44681054b71f6df0c746d6ec6124545ce9bb |
| SHA256 | 4714da0d7491ace48e224ae9458c84bc03d9d1e6d3adbc02d16c5bd3c221831f |
| SHA512 | 9deb7fc516db77cf40d337556cb19a6b3bd543596b62ebc2a82b5a3dfc81fd4c618e28a271653346874e6cd402d5461c9b37d175bde677ecf883ef5b977d3071 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ScreenshotOptIn.gif.exe
| MD5 | 67fbef5c6f04fdfb2240b129880525f1 |
| SHA1 | 2646a9a900424dda59520446d30bd6c6792fc148 |
| SHA256 | 99ea3df70a0adcb8a6ae76db11ee011e89b0b509c67a07cd8de4e891984ab814 |
| SHA512 | 192a45bb2eaa3a619a1f9a2752c3547aeb8947504572f3129184796bd621a1195b787ed56372cfebd8ee02bbccf7161ce4d0dc744bb18c0745eb4634950962ff |