Analysis Overview
SHA256
0280fd3dee9b09cba29de1539dc6d16be55c15b49e7c3f672508f4b4ed8ff6e5
Threat Level: Known bad
The file 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock was found to be: Known bad.
Malicious Activity Summary
Modifies visibility of file extensions in Explorer
UAC bypass
Renames multiple (82) files with added filename extension
Loads dropped DLL
Reads user/profile data of web browsers
Checks computer location settings
Deletes itself
Executes dropped EXE
Adds Run key to start application
Drops file in System32 directory
Drops file in Windows directory
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Modifies registry key
Suspicious use of FindShellTrayWindow
Suspicious behavior: GetForegroundWindowSpam
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-11-14 14:29
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-14 14:29
Reported
2024-11-14 14:31
Platform
win7-20240903-en
Max time kernel
150s
Max time network
118s
Command Line
Signatures
Modifies visibility of file extensions in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\International\Geo\Nation | C:\ProgramData\LMkwQUgo\FacosYAw.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\cGAogQQA\wOscQIIA.exe | N/A |
| N/A | N/A | C:\ProgramData\LMkwQUgo\FacosYAw.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\wOscQIIA.exe = "C:\\Users\\Admin\\cGAogQQA\\wOscQIIA.exe" | C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FacosYAw.exe = "C:\\ProgramData\\LMkwQUgo\\FacosYAw.exe" | C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FacosYAw.exe = "C:\\ProgramData\\LMkwQUgo\\FacosYAw.exe" | C:\ProgramData\LMkwQUgo\FacosYAw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\wOscQIIA.exe = "C:\\Users\\Admin\\cGAogQQA\\wOscQIIA.exe" | C:\Users\Admin\cGAogQQA\wOscQIIA.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico | C:\ProgramData\LMkwQUgo\FacosYAw.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\LMkwQUgo\FacosYAw.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe"
C:\Users\Admin\cGAogQQA\wOscQIIA.exe
"C:\Users\Admin\cGAogQQA\wOscQIIA.exe"
C:\ProgramData\LMkwQUgo\FacosYAw.exe
"C:\ProgramData\LMkwQUgo\FacosYAw.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\smcgEMos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\OYoUsgAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\JaQoYcMs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tgQcIsgc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\NkwAkkoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\psUUkMkM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\QswUwwQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\uaAkYIQA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\wKMwYckU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\GcccsYQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\deAIUgUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\zyYkcsUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tyokIIEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\vGYEswso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\cCcwIwkU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\smQYAEgk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\eSIgwQsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\HKgcIoQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\zOEUkwkE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "561917108-2096832744493217214-1024250436552974898-993512805646373543203045447"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "948742961-1568059132-438898342130954552-1643941197-1396835572-9466735061815067714"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\dwYQAAgw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\rOgoswEY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\mswMcQwg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\MIggQAAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-5508120691946044753-276461877131364988431829993-12260535622730508411380971199"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\uyQwQQcg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "728322574-37706389718602693514398618631064152577-8788777765622008716241976"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\fGoYowoc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\vEEYwooY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\pYsIkMEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\eAAkUMMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "47105829759786875-51136067-1835827855-84342590130993899412007701091498080859"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\qmcYcEgY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-4588434051402394152-11322477611357818328101469898532042819-752650254659423546"
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\UiUEAkMs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\omkMwUQA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1945401875-1662167431712753509-1892434263290185360-1892590640-197620215784656457"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-212346094613184528361356340424394136694652982520-2005611025836915960-1412034002"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\xsUIcwUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\lKkEMAUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-439676969-1276073945294637661991753805-1597398329321623354128799232-823728735"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\TcQgkIgw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-28122251658711058997143304-6937522501962301032-1367878458-1118054029259774817"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1430299543-3799936721408981650-747309677517676561-147671654819669813781329831275"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\JkggoksY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1619840055-2043850748-1558222546720553471523659776-1702167950198701404-1018297663"
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sUcoMEws.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1090591934-12643516417175756276780203206830279821824842111-1484683170-410503899"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-403085340-5981417271023975861-15716871708131309381326864188-771614066-1188171181"
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\oIwcIogI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\aUwMoMAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\mWEUEYgM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1635230244-13650543031462688336-1839402961-6687759251672201353219449503296130676"
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\pyMEgQQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1263103069-127760479-9877757531153758160-24465958316534490831756672970278432443"
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\DUIEUsck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-487354076161837532515331823051708642456-1498543885414345742898784834-332828061"
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\cQAwkUII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\EMkwwIgc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\UKosoEMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1118209165337129555-143004816938472288813647390581584308000-4926034941894405307"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-20133229498356756918913287161407753958536214023-1746051655-1881618855750006329"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\aMIksoQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\USgUEwcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-6434291481061483456572614373-21330148272100989747127052627818962986811405857037"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tuckoQUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "351061186-134205631-10785919771936192575-1814916927-1450080820-1376403783333798402"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "215490740-1547578659-3806828072021859144-548404046460150963-21678665-1259903805"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmokUcMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "869777245-2131044923-18294601851982074610-1838738961-2947038851291523153-528111546"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1211057625-4455637481917370562-4745596941373356390365856813-1442350207441379474"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1917495739-28231836-748582919-32342747819989976901617615455-2145667531752656201"
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\HcsQsAUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\FAwUcUoI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-482535155-1714138197-1015380566472416398-392293290-20789828252698084162073112682"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2112359914-1127266063-565945075-897468787193456495429604095315989484041506012324"
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\qyAUwsow.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-526880511538369754-4764805025907636961097085091-732744790-1053783101-1574226916"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\SmogwsUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1187567914-49200173749552834573224575-1105463044-102356386918007426202100291010"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "967183856-828934936-255450569-367686812-159357036-1493219841-1299624556-1010740859"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-84563242910744303414722686653089599-1813152357-1953656219-5609070681665668144"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\CKkooQMs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "663609396-206385821-927700481-1711842135-13777538901959272735-20087711411703945333"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sIQIckcE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-5650977561420162464-187298742144883280225498604416826727581421849178-1218789801"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "46199396318869025651115270729156919810014583990571408170837991628675-523569011"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1152941741-13672903858059800001681596308-64923550572322877613092756911199651275"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\fwAoUMsQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "78107292410572061711706027075117320150259947881290141476-113222404-17861874"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "15036371614846923632099285032-1956654662-5613432991983955523465953072-1985221204"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\rcoswIkY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "613851185-13256622041242347059570984671-12046190772042737134-257317527-1207749722"
Network
| Country | Destination | Domain | Proto |
| BO | 200.87.164.69:9999 | tcp | |
| US | 8.8.8.8:53 | google.com | udp |
| US | 8.8.8.8:53 | google.com | udp |
| BO | 200.87.164.69:9999 | tcp | |
| GB | 142.250.187.238:80 | google.com | tcp |
| GB | 142.250.187.238:80 | google.com | tcp |
| BO | 200.119.204.12:9999 | tcp | |
| BO | 200.119.204.12:9999 | tcp | |
| BO | 190.186.45.170:9999 | tcp | |
| BO | 190.186.45.170:9999 | tcp |
Files
memory/2816-0-0x0000000000400000-0x00000000004A8000-memory.dmp
\Users\Admin\cGAogQQA\wOscQIIA.exe
| MD5 | f455e5bb3365bc156c651e9e70213b87 |
| SHA1 | db7175f384c3301848d9c78ce088f0850d85b11e |
| SHA256 | 095e1b392222949fda3b01ac7d002d81a5b9fea72feb1d3eaecba61882243969 |
| SHA512 | 3e9a45f8a823ae068a3d9b9009b2f675ed5f9dd7b2a057c47cae2e164c326796021cf07a1a0a0cec740a51b8fc5f55b4c547297f570b8be70467a576ff04951d |
memory/2660-14-0x0000000000400000-0x000000000041D000-memory.dmp
memory/2816-13-0x00000000003E0000-0x00000000003FD000-memory.dmp
memory/2816-12-0x00000000003E0000-0x00000000003FD000-memory.dmp
C:\ProgramData\LMkwQUgo\FacosYAw.exe
| MD5 | c71b83c1be537993ab0bcaaa1b47c558 |
| SHA1 | c29e592323147e1e4846a513c6c8ac5ce696add6 |
| SHA256 | b1fdd1616e19ed76621ca4e6a43536a5884d5e24539541ba08428c33900bf83c |
| SHA512 | dc2e3a4e0593756fc8cf5310d3dd6781fe5ddec71eeff1ac611992d1525e9b41adc3a82fbbfd264ebf29dc1caff172908edd747685d18fc4e848b2fbc37c9139 |
memory/2780-31-0x0000000000400000-0x000000000041D000-memory.dmp
memory/2816-30-0x00000000003E0000-0x00000000003FD000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\gYoAYkwY.bat
| MD5 | b33b4a27dcf85ae3c886fb804bb54f2c |
| SHA1 | ba2fc9dee5cca5b59ebd5d2fb9eb1df9c4d40386 |
| SHA256 | 1300fa8e050e483cf69b1a6ed31f2cc0f8808f4a161ad274b1bdc140850225c2 |
| SHA512 | 89266a421d8cb5905e9e0a7ba6dec13fe091c2b61e86db2e9c0bb4117ae0f055316bda8698460ca2ce614c65c0c0f4d01d7d34f69618806758cb2307f54378a9 |
C:\Users\Admin\AppData\Local\Temp\smcgEMos.bat
| MD5 | bae1095f340720d965898063fede1273 |
| SHA1 | 455d8a81818a7e82b1490c949b32fa7ff98d5210 |
| SHA256 | ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a |
| SHA512 | 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024 |
memory/2816-42-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/2532-41-0x0000000000300000-0x00000000003A8000-memory.dmp
memory/2532-33-0x0000000000300000-0x00000000003A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ACMcAckc.bat
| MD5 | 010fe944d39a4693db9fbc66a43c814d |
| SHA1 | 6d2515d2759d34721f0900f9140b29d2c74f4ee7 |
| SHA256 | 1e9214eef0765163f8ba48ac705d934446cccd5c4c6ba989be93fd288a9de3e7 |
| SHA512 | 0f5d723fef75e249454b04198f2c799c78c10fc99111cfd574dbfaac8128b511564b417e5c8656132e745c43cb89073aefdbc2c9aeee1d3f34bbf28c394134a3 |
C:\Users\Admin\AppData\Local\Temp\file.vbs
| MD5 | 4afb5c4527091738faf9cd4addf9d34e |
| SHA1 | 170ba9d866894c1b109b62649b1893eb90350459 |
| SHA256 | 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc |
| SHA512 | 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5 |
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock
| MD5 | 8969288f4245120e7c3870287cce0ff3 |
| SHA1 | 1b4605b0e20ceccf91aa278d10e81fad64e24e27 |
| SHA256 | ff86372ce43519d675b8d8d29c98e9ccbe905d400ba057c8544fa001fa4d8e73 |
| SHA512 | 9bdd0c215a9be94f6f677f8ad952fcb5abe876b59a1a2f537c7d9f7668abf4ee47c85acd9e4873c0b474eb98d7b211c08fd8f86b9f695d88d62c9695d88de90a |
memory/2604-63-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/1104-65-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/2220-64-0x0000000000120000-0x00000000001C8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\vUYQEEQc.bat
| MD5 | 7c6b90a6ec9834280130b6dc48c97cac |
| SHA1 | 5ce2d89cd9c47a51c8abe7aa702f70848f5faed9 |
| SHA256 | f3c06351260fcffb65cc952cd9800eddb4651049956d91e0e3b90f874a5e3300 |
| SHA512 | 99be94576228154947e94c29352a38d156685e5e5ad21ef07c54f395ca76ae28827cce47d7fd7c102699f35daa2de84e3ac0dc60946e6653d62f6ee93a3064a7 |
memory/1708-79-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/2024-78-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/1104-88-0x0000000000400000-0x00000000004A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RuYgksIw.bat
| MD5 | feebc354a5ccf28a28ecdd854b76a947 |
| SHA1 | 0605345b33c836eade27c3f6dcb4f57ca12cff69 |
| SHA256 | e96c4e20ffacd9f6eaa5a9b8ce9af8471d2c8605b1ef4ed26249cc48f686f995 |
| SHA512 | 56cbb5d1e855846434feb405ac80cc3d2c2f92ace52cfd8fe44ff9cfbeb5cde2a73156a2a1e99cc1f137e3d190d5f8b4a7843b3eaf32ed3117a5aa39cc2c163b |
memory/236-102-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/1708-111-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/856-101-0x0000000000360000-0x0000000000408000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\jyoEUUos.bat
| MD5 | 924b4230991e80b36ff9718742489521 |
| SHA1 | 2b954f2485ff2345537809064e4d1b41ee101535 |
| SHA256 | 970ed7a136c56cd5afdca59f339f1e684009b69f40b0a3e6cb60426bc3db4ac6 |
| SHA512 | 32976785d986cefbc31641fbaef11c2fc7f04db64df85a842ac2784e5b9e9a5001da6a27c164304f1f5b66e3672448b45c86394cd391910ccea21b8742d2b3c1 |
memory/932-126-0x0000000000420000-0x00000000004C8000-memory.dmp
memory/932-125-0x0000000000420000-0x00000000004C8000-memory.dmp
memory/1988-127-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/236-135-0x0000000000400000-0x00000000004A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\hSgIgksA.bat
| MD5 | ba16e6a76414ef5cff5f010ec5e24dd6 |
| SHA1 | a88b4e1bc54dda7c0e52728173792424f52ed335 |
| SHA256 | ed3d4c7625b23579ab6fcb6d2b4b9dc1949e8f9063eee30df31fe6ef418d71bb |
| SHA512 | 9d7975cfb87fb31602d09959827970e936277f370dd0cf6dbe11f8f12d58695ba689894c2a5f7aae514f1039196a21c60ac6caa8cb69ed0a82b049e4e20d0109 |
memory/2896-157-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/2668-158-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/1988-156-0x0000000000400000-0x00000000004A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\MooAEwQs.bat
| MD5 | 2486d9018d816991354e646cb4ac62a7 |
| SHA1 | 53e536f6eee532adaef270672f82274e657a4bd2 |
| SHA256 | 962379c6cc73389d928d829ad0a8ddd6cf8ad0fa682b7309c0dd35a1cd158794 |
| SHA512 | 4321d21d7a1380c35d27dc402e2dd5782e1250e75720dcd149d80ac2432a7cd8bcbda793ba744e89efb6421b53d22aec8caddb9a5267c5f0776bfa838d7f2548 |
memory/2668-181-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/532-171-0x0000000002250000-0x00000000022F8000-memory.dmp
memory/264-172-0x0000000000400000-0x00000000004A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\AWMwEYgs.bat
| MD5 | c4bbd72995a84fc5177a7a3f9f311495 |
| SHA1 | 5d8008c408cea4dd046f2cae2f74766f7f01bdf6 |
| SHA256 | f31a4e9d06919e425480805d877d06c5b248aec4bb16d1b9f668074d9ffd388e |
| SHA512 | 39018248197e3e521cea761e47949c5d4804f3c5389431e6f396fc41b92d373f766e7e4d17aefd831181c58ca97b8c5c826141b6245c12b29febf8199d5b9c44 |
memory/1544-194-0x0000000002300000-0x00000000023A8000-memory.dmp
memory/1140-195-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/264-204-0x0000000000400000-0x00000000004A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\AsYIMcEY.bat
| MD5 | e2609434877c27247406120d315dcaeb |
| SHA1 | ab57085f77603b615c767c638d677a90684e66f3 |
| SHA256 | 7e68926810e099ff9542c6154f9fccce8e1f21455f32e69ce9f96ac7bcfc8bd1 |
| SHA512 | ab53455d3153cee53bbc00fca33b43c8e910c7bf836050555c202778db2651ba86c5d25160c0495699e6284a77fafdb4da037d2ad714fbd0f2d26c1e18f724fe |
memory/1140-225-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/1932-226-0x0000000000400000-0x00000000004A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\aqQAYQQc.bat
| MD5 | fbcbd70318c8560eefb8557bfdfb5086 |
| SHA1 | ad00118edfcdbecbb20ebc4ff7b3850a95456ee8 |
| SHA256 | a874fbfcb29cd2140589ae548825bd2ed8a7356de74eaa8936870181a327e113 |
| SHA512 | 86f9b0083bc9cc714e4194c8499517b994ba0d6a939f3dcbcc1a917f5dc7d9fc706fcba75f055d6cfc6b7fa327f75b56776a0e3c3d41db0fd29be04455424a40 |
memory/916-246-0x0000000000160000-0x0000000000208000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\PAkEEUkQ.bat
| MD5 | 9349575a66d4a65723e28f19ffbae75a |
| SHA1 | db7b6549c6052aeaa8c67c4b9114e2cb69e027da |
| SHA256 | 98e33da9e0f39cbf63161422ef22a23db97f1ded54d98a5a61be470edeac8d3d |
| SHA512 | da0b49b55051f7549d9e3066849d61f37234fc9699324ef7bbbcd3d7dc9b3eb4ebb04c4f9a78909b1b65e6e7e31771507decc56fd9a1ec9f26414c35b30c82aa |
memory/2152-270-0x0000000000360000-0x0000000000408000-memory.dmp
memory/2236-269-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/1900-268-0x0000000000400000-0x00000000004A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xCgkYgcE.bat
| MD5 | ed1ceafab396dd03e88986b66ed6fc69 |
| SHA1 | 2d25dedef9447e48bdf0484506b5af9c05576cf4 |
| SHA256 | 832ccc85dc8ca597af06ef91238b0739fe0187e5a35ab7d26a560d63ad2a00af |
| SHA512 | 958099eb82def7e32b319c89a913b055173eab070e402c10fbbb39e3ca77f2ae7998720884597482ddf9357038e46231f55fb7251bbd6f7dae9dff12c1f7ada7 |
memory/1520-284-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/2808-283-0x0000000000190000-0x0000000000238000-memory.dmp
memory/2236-293-0x0000000000400000-0x00000000004A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\rSIQwAQk.bat
| MD5 | a092d6cd99b1436686877978ad70db72 |
| SHA1 | 27545de09a662a8cbd4c9f6f717c8f704183f479 |
| SHA256 | 983e2ab745876ec33649604bfe0426f9cc1bd2a5fad3f0600dc7547dbeba5a64 |
| SHA512 | d210fc69965dbeb85b4a51cdaff9d247ff5989e08d55cc856aaa9d71c4bdba4099519d062c14eb28c3c6be15e808f4cd919eb975185baabb31615bac9c062bbd |
memory/2560-306-0x0000000000940000-0x00000000009E8000-memory.dmp
memory/1828-307-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/1520-316-0x0000000000400000-0x00000000004A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\vaEkkwUM.bat
| MD5 | a42550f7fe46f5643af2362bfd3b90da |
| SHA1 | 16e11143e7150740fb22f65d9c5dcfcee6d1d890 |
| SHA256 | 5f6b2fadbad384cfe70e73a6e306610477f5b81d9906a3743b7f2d64bb8bd403 |
| SHA512 | b1bb8858088f4cea957a9270204f7f2d42d51e4120cbd53878112c8baaa610f92d0d1c7262e2358784d0e8b3dc9036129ec78813620970652265b01322f98589 |
memory/1828-337-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/2516-338-0x0000000000400000-0x00000000004A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\msIsEAsw.bat
| MD5 | 43dec88c345a5e28428e5038f35e518c |
| SHA1 | 8fb019c3c6173d383af364eac0286aff4b526a45 |
| SHA256 | f7bd6afe28b5a6c4a0d75cc6b6eb308e4299d5f27a71af8d0ec696b9b39c073f |
| SHA512 | 87c2b453dc032bb87e169c408fa2dbb784bf4e6aec81a698e5ec6cbdb008fee6249a89972ba9b632b7c35703d1b3246dd5e96a233c1d21eb845d78d5b5f6078e |
memory/2232-361-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/2792-360-0x00000000023B0000-0x0000000002458000-memory.dmp
memory/2516-359-0x0000000000400000-0x00000000004A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CUkkUoAU.bat
| MD5 | 566d8563cbaa347729ba4911d112eb5e |
| SHA1 | 038e1373f3a5aed6c2da5ed4c38fffb6b2082e9b |
| SHA256 | dedc3f0033907ecca77345c25c8a197ddef3ae733cbb332f5426ee75a65c63a5 |
| SHA512 | 5036a5612a7c10bb9824d1ac9a0fcb74da50a4e310c99ac43ab8eeeafb524b7f1be81ae19e76969024319f126e2a97eefbd05c460fc02df7b59f4e1da61c6d6d |
memory/1652-375-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/2976-374-0x00000000023E0000-0x0000000002488000-memory.dmp
memory/2232-384-0x0000000000400000-0x00000000004A8000-memory.dmp
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe
| MD5 | 9d10f99a6712e28f8acd5641e3a7ea6b |
| SHA1 | 835e982347db919a681ba12f3891f62152e50f0d |
| SHA256 | 70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc |
| SHA512 | 2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5 |
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe
| MD5 | 4d92f518527353c0db88a70fddcfd390 |
| SHA1 | c4baffc19e7d1f0e0ebf73bab86a491c1d152f98 |
| SHA256 | 97e6f3fc1a9163f10b6502509d55bf75ee893967fb35f318954797e8ab4d4d9c |
| SHA512 | 05a8136ccc45ef73cd5c70ee0ef204d9d2b48b950e938494b6d1a61dfba37527c9600382321d1c031dc74e4cf3e16f001ae0f8cd64d76d765f5509ce8dc76452 |
\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe
| MD5 | c87e561258f2f8650cef999bf643a731 |
| SHA1 | 2c64b901284908e8ed59cf9c912f17d45b05e0af |
| SHA256 | a1dfa6639bef3cb4e41175c43730d46a51393942ead826337ca9541ac210c67b |
| SHA512 | dea4833aa712c5823f800f5f5a2adcf241c1b2b6747872f540f5ff9da6795c4ddb73db0912593337083c7c67b91e9eaf1b3d39a34b99980fd5904ba3d7d62f6c |
C:\Users\Admin\AppData\Local\Temp\KwAi.exe
| MD5 | 83febf6160da1dfbeca12fbcb7f155fd |
| SHA1 | 534ef894c49890a59d4e1969bbcba71764395111 |
| SHA256 | 60097afef5a5348a13d00cc5212c02d3c1988e9c928649d49bfb5d0704c09724 |
| SHA512 | fc3cf1a59bcb90cacb208ec698af4516c927e43875bcd723f8550f78a88ee82ed5c90c7470a3bc94e64523ecb9f9ddc7d4f81b3c80c9a78026092f889baafb28 |
C:\Users\Admin\AppData\Local\Temp\qUowAkcE.bat
| MD5 | 36c94bc742ff76151ca6e89390a01b75 |
| SHA1 | 3d9c6fdbfac7ec0c733568089d5252244775da3c |
| SHA256 | b277ae0137d4228a659436414d9083d75ac37d846d11fa3efd4d249561a41a95 |
| SHA512 | 9f20f31b50273619e3909f7abebbaebcc76ddf004b6182f36f8f2ad09a3c3ceb8b0bea952e1f7e57127afd7796c9346cb83a4e29922b7a3ae923d1d6d3f12f73 |
memory/1652-428-0x0000000000400000-0x00000000004A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\OUsm.exe
| MD5 | d19fc25ea1fa3295c3701c670021a2fe |
| SHA1 | 4b1ba019781e540fc7aa16308c9a99487d6e754c |
| SHA256 | c1809b4bbcd81f67b3166c030aa94c1235c91acc069e21a4f9131842a4c95c6c |
| SHA512 | 2dd03efaf41617d58151e460a6eb1da270fd4a32433d2855eee2770cdeaf73416c6b325da2133c88e577b00c77e8cf66dc3a9930203726bf95cb085d28c01bea |
memory/2140-433-0x0000000000400000-0x00000000004A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\AAkY.exe
| MD5 | b676a2776c26ed8917b1bf8740b5ba23 |
| SHA1 | c01265f41745d84f3547190c85aa53ac6d2b19ef |
| SHA256 | 36fd4cc06b2d59d665501d4b9dfbd0b4470de3b24bff51b3773244895e174950 |
| SHA512 | 7795e089c77d730efeece9555a4200be7ec505fdea75a9c1c98efe1f070c45eaf0b5ffc59edf87248d36b52da53c201123673ce125e3df773bdaf8fd1e55859b |
C:\Users\Admin\AppData\Local\Temp\qEkq.exe
| MD5 | f4a7b55b0c7f5202efd90711be00de32 |
| SHA1 | 23161305367397a0aa6e8bf23e5fdbaf507e68d2 |
| SHA256 | 72c9c076b9aa8046de1a0f0d2b2735ee55112903c9d07c1329c625ed90661b41 |
| SHA512 | e892e273077e88dc95d2d821dc231cfbd16f7abde80157c026c33b32a1570f51b23f5791f899646679f02278f44d524b24fe96d4791b46b53c98dbc359bb46cf |
C:\Users\Admin\AppData\Local\Temp\uAgy.ico
| MD5 | 47a169535b738bd50344df196735e258 |
| SHA1 | 23b4c8041b83f0374554191d543fdce6890f4723 |
| SHA256 | ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf |
| SHA512 | ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7 |
C:\Users\Admin\AppData\Local\Temp\zCIgUMEE.bat
| MD5 | ae125a949f6c96d98864daea0b25e7f9 |
| SHA1 | c3d2942cafc1fd36ba8d5cd14f15d4ced5e36cab |
| SHA256 | 1e25a6d6642ac27232edc9ed325eb99918d8cd8c529687c6c0e4232b2b625f5d |
| SHA512 | d5f4f255bc492d5e6c0ff5f87c770c4e87bd7bf2344cd1c66de863f5bd85335f0dc80da90c44ba6581fd2bf971966216490d481ee486c69e3635c01ab51f8ed2 |
C:\Users\Admin\AppData\Local\Temp\SkkO.exe
| MD5 | 4391cda063eca5d815ecf1da50bfcb19 |
| SHA1 | 330720b9ee8a79e5f61c662b409e6ba79a7343c4 |
| SHA256 | c3eaac2bbb2ad807cd92579d061181903db69ee2dd27a09139a9747c005c7b9a |
| SHA512 | 8719677fc080691b74807ae783a93eb0cf1fa9080738fd150db352180e0e46fb068b7237642061dc532d8f2f0d1f76a6f8d41806330493dcb5428426750c8e2c |
memory/1852-499-0x0000000000400000-0x00000000004A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ysAm.exe
| MD5 | c2ff8454ce945d7e9552a61f472f757e |
| SHA1 | 55531c2d26830a7a0f1bb6d0a62b77cea2b1e07d |
| SHA256 | 7e5fccc7aabad97dfdbe4da9bc24981d19087bb28f48179c542d1b29efc98043 |
| SHA512 | d087a40e85e8c9c832e917ad13acf9d8c4be76a30f78a40db725ab897179d0e0447401b50f7665e2826532363b333400d4b09095535b4094da6ac7e3fd0c3dee |
C:\Users\Admin\AppData\Local\Temp\CQEU.exe
| MD5 | 59a8ba3c0ae6ed8d452a66cb0d423f22 |
| SHA1 | 0a58ad54ce51d5297518620a13364ad7a9df09f2 |
| SHA256 | a5c11641136f89e20e4145566ec7cda016f4a0dcc8a5c25f4e13b753159803f1 |
| SHA512 | e7ed6ec4de2bcc4c507a55f41a2d99a46e61fd577ce8cf7923ad8adb91ac9a1fe4afa3d5eef452dd78fd66af77620fae445bc8243e8e6b11a2820b9c6ce69339 |
memory/1520-498-0x00000000004B0000-0x0000000000558000-memory.dmp
memory/2140-497-0x0000000000400000-0x00000000004A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\oUEK.exe
| MD5 | 8f377c3d17611555f5a4f61fea7641cc |
| SHA1 | 143080c4982c495494c4bc659a4e9d363ca9ac1a |
| SHA256 | f8a4f36f6afad3afbd7bc69d200a2dd9b95dd76ab9a8bc5b3574fa1323f94f62 |
| SHA512 | 1be166f0cae36abe888824998e0732cb80b10360a9453c585c19699107ece8a58e87c13c4677124ba555858392561e4610659b89d0f2035a09479147e72d7502 |
C:\Users\Admin\AppData\Local\Temp\FqoAYoAk.bat
| MD5 | 75f34cb60bf851aa06ba892befd4a58b |
| SHA1 | 3412d58e1216a6592751177e2f0bf8898271405c |
| SHA256 | fbff2b3aa4a3c799eec2cc884bfb45ecfc04e8af927edb238ee3bc3170f4aa68 |
| SHA512 | cea95f460364258c4443cc976e5f89dafc7b73c78c9a2af12a1562d88487907fb0a784ec6d7c6f4c0c3216a8c8bb3d27bfea82a446ed031ddddefe999275f520 |
memory/2800-550-0x0000000000400000-0x00000000004A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\gMYg.exe
| MD5 | 28ce33f9d119b517dde83a558971bba2 |
| SHA1 | 990c922b506c18a2a8327f526d6dae3b7f5007fa |
| SHA256 | 5faca6ab5f5733982919595897f1c0e3480083ddf2a88f937c7bcb13635d1a81 |
| SHA512 | 46889f7b30755d8270d4a1006547288de0d28c56c19aca431f191ebd33dafc39666046700d87344af8161badfc3c0b7310faec556ae29beecbd59d2f0c443c35 |
memory/1852-572-0x0000000000400000-0x00000000004A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\kYoI.exe
| MD5 | 8ff38379a5913177d26a551f6b4a9ad1 |
| SHA1 | 8e731b087be33b8c396c6c6899182fe3f107adcc |
| SHA256 | 8af2b588aee26897cba26d731a652d1618f32b57c91b41f711435063591effcc |
| SHA512 | b137aeb0f02c299e227ef22796d04e6462fe2be27d21e6c1976878eae921f41baba72e772506e2f2d00452b7a83dd8d5fe253c41900588a92954cf1257cd08ef |
C:\Users\Admin\AppData\Local\Temp\aUQw.exe
| MD5 | c103293c99a0f637d1429314e07697a6 |
| SHA1 | 15e9c43bf3aa87d1bdd743ba7970efe7ff3c9600 |
| SHA256 | 99c8b3918bdedb8abe12b312b77cd468a7cdb34de86459ab415cfe189f74a962 |
| SHA512 | 4989257a4fb410f8b8c55d084d36dd2469001b047cbdfded7157375666511217c9fe77db7f0487dd5ceb636ce7a5ba78ccaf2f64d698d2a654bb74d51cf12ce5 |
C:\Users\Admin\AppData\Local\Temp\kwIQ.exe
| MD5 | 2293583f006ed3428eebf336b3a0c0b4 |
| SHA1 | 91c72eeb9a11e101e9d0e3b9aef716c4e70e1135 |
| SHA256 | 8af2159b3b79db60f94bdc93caab4da41022a700701d46de959aa0ebbfbbc621 |
| SHA512 | b1309b318954b673cea3155a228034ba3e3f3f7860eba8ce4624d95699c1563315ca1b2bd3abfec067f62d4373a8be87752b41f42e234dc690cbf3e0d144e63a |
C:\Users\Admin\AppData\Local\Temp\ogEg.exe
| MD5 | 18aa482f020d01c5fe0a534b332804ac |
| SHA1 | 7b365ab52bee180b828acd7b563c4aaf6214732a |
| SHA256 | 77d3c6ef34bc66e6270cd8cef6a5f9f27bf875ba4c49e991e752822abdaa7dc3 |
| SHA512 | 7cc0e052c662d57c283569acffe60b21208c4f3ac2fbfc6e3bcf1042ce8d423898d744b3173d95362937467482f682c9baf9849cc5468f2668f5360f6e34e5cb |
C:\Users\Admin\AppData\Local\Temp\IgIw.exe
| MD5 | dcea9e249e283081f45dc3de772a9306 |
| SHA1 | 0c96ad0d72b15a7c976bc6f969bf2edac01de7c0 |
| SHA256 | ec8c92d7e44313684a261f2d7f6df71d91e26b3a2d7fc94ec425fd601ebdea91 |
| SHA512 | 068b262d93976f08dd090d61950e814dc54b2eb2ce6170137b9c34fd397fc73d6d5a739d606198a59c7528ba8be1b074d9b9f60874fab6eaf4b7510d58e68f8a |
C:\Users\Admin\AppData\Local\Temp\DiMIQcMs.bat
| MD5 | b5993201ab76e898e1cbd490769d8647 |
| SHA1 | 4a94a46b1dd827a6f1828aa37f8b2decb7a8ea93 |
| SHA256 | 10f35dc842d0f824b0a19342046f6c723639a8253d392b3e4a673646470ae43d |
| SHA512 | b0ecc870640cd34ef61f85fe878c2c9b36b414c1fd0923099452511e5d52103056dd6cddcc0ca5abdbf43a11ec938b2b351350dfc99d16728084ae8efb6bb51c |
memory/2976-659-0x0000000000400000-0x00000000004A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\uYQo.exe
| MD5 | 8e6fdccf86aa2b608943c21dba24d90b |
| SHA1 | 636c6f5487c21a35f3a4a568e5e284fd4d6cb6ba |
| SHA256 | a6bc9247909910b0d82dd840cd9762cac0a3d48174f2248f00e054af1d9d9e4c |
| SHA512 | dcfec06b0bca936d78f3b1e16ba0411e558d7be9500e581b869621e9b330decfe4ebbf0b2ac857ff2da8ddd12d4b6eb638f27708754fce5aa7ebc19b1598a9fb |
memory/2800-681-0x0000000000400000-0x00000000004A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\wUco.exe
| MD5 | bae4cd829f37dca76a4a05a3df9ac552 |
| SHA1 | 863b26a05b446568616a259e288ff16efce7f700 |
| SHA256 | b0762fd69198b24441e67dcb512e73db581aabf04d1fc125398caebef593c89b |
| SHA512 | 555305f2921c96c8351e9f4be387209e33275e49ce21498f13a03d8db33a078cbf6dba17d3c34bedf784f9262b956d520f0de397062b5d51cc9f11e8364b7e50 |
C:\Users\Admin\AppData\Local\Temp\GEMS.exe
| MD5 | edf1f901fa09c472ad442dd678f6ce28 |
| SHA1 | 8ddbac0cb7f394050bb10ab6ba2ea8e76d7ec9b6 |
| SHA256 | f1a256e2b4bcdffa7d0a608156f8d7bbfdf9956c4e92f4a0bd07b12f75154a55 |
| SHA512 | db68334d55f6e55167f04365b16f98314fce7fd123349abf329fc0fcafa9ec3e1effef09927133a8acac3533d4a13a646b6ee5e757b32025fda39319d5cbcf5f |
C:\Users\Admin\AppData\Local\Temp\Akok.exe
| MD5 | 176ad1a391794130250c866fe8ea2b13 |
| SHA1 | 7c9e5d9466058e87bf85ec3b889a7e40d8e32d5e |
| SHA256 | 0821144b379997c3cfebf34677c1067eb12ff0012d3dcaa8f268a8425c15b64b |
| SHA512 | b52240c6ee39a89fe1fe1dcd13656af60ff3e52742f656f5be568372842a1acf1e1f2b1b3eb28cc8524f74de2ee274383616f86d9cd1b65f0b7dc65be66cc6ec |
C:\Users\Admin\AppData\Local\Temp\cosW.exe
| MD5 | c3c77a8509deeb9f4ee805f066a2ec40 |
| SHA1 | dd0708ce48f65708acc88dee430904b60ea7a231 |
| SHA256 | a292c32d5ac050cf10d9f5a4a3958ecae5b0b1acaba813e0d39aa2cc4d53cf0a |
| SHA512 | 9013fbdbaea1efe77b4cb1901dd13a256d6d3878db7eb2d972e305101d60f0f1a3e19946ec188e2b55ea6fc2e9da98c3c50306fa61991ee933ab2f750710443d |
C:\Users\Admin\AppData\Local\Temp\aIIg.exe
| MD5 | f733c3d8ae2cb45ab128c9e60d3383ed |
| SHA1 | c5cd8b4f0e4e6f7c4a9f3d14b7ce252ee7fccabb |
| SHA256 | dc639d59d5e329bb7700af3c32e92ef227aaeedd13ceb63a195f444732d5a281 |
| SHA512 | 408197204119a79ac46863fe5b2dc31b0c5a6453440ce5274c0fc66a928f760a6558b0cfa493fb528a0c091c6578d4279bcbdb760a61812ff98824cf5b6320df |
C:\Users\Admin\AppData\Local\Temp\PGkUYUQM.bat
| MD5 | 4d4aa5e786602a1fcaebc4d1212abec9 |
| SHA1 | d44753364c0ffdc7bc627f31529dbdf6136cf17b |
| SHA256 | 041c4367ab12c2e5e9e8e21ed58b4c869c4f4062392527a4a2d298a5845caea1 |
| SHA512 | 4ccb9e95cc9ed84a407d1cc5ac06a8a2404dc643e6454b8c7b05c33da047a1ae00cbd3db89441b6d9c9229bbdea8dba5d398fc017fd2c78b1f71bd4196997911 |
C:\Users\Admin\AppData\Local\Temp\QcoI.exe
| MD5 | a3b0f4b2373a63d446315a416e1a1193 |
| SHA1 | 0917e629e9c06a310bdb3cf53a096e076a35f5f5 |
| SHA256 | 1c166fe7b26d52535d96fd31de5f2430bec22d11a159056b4b39ef619142dbf9 |
| SHA512 | 12862f1709935d1d526cc17462d7eab47f70a8be7f6b0f36ad91c26420b63c5c4457344392f5c347b4319094bf707ec9bedb9046636dbf25750807efae509365 |
C:\Users\Admin\AppData\Local\Temp\cYgM.exe
| MD5 | 647916f970f2985632be91e6b08176a4 |
| SHA1 | a67e1dca28b1aa6674ae6b595d6ea31a52b901d7 |
| SHA256 | 1f51a926497f23b13343c1a4d2bd234b677978718efb365fc9d8610b7ec0b26f |
| SHA512 | e74742f06679d11e5dc71ae3422be089d7ea6440a03adddec79cf49dc43d620da5b82c0ae9c8012acd604929f829797bcac39aa522085aae601f5904e4464ed5 |
C:\Users\Admin\AppData\Local\Temp\UwEg.exe
| MD5 | 17a8d8a8eff762d67dfaca6c54527ee8 |
| SHA1 | f3a5e1cc08cfaa92cf23cac9dfc5c2e890060e75 |
| SHA256 | 2a96918d1a632317dbaf5fe05372169c3d91326177941ac974285fb6b1544d21 |
| SHA512 | d329e76c288efdedd5e3f23191d51d83e679dc985d6df1c49d093da17e2c28b679c4bb9de6f4b493d87acdd3bd7a41129595a2fcc3f6bd31724a680fdcb8e6fc |
memory/2976-803-0x0000000000400000-0x00000000004A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\qQMq.exe
| MD5 | 15519f668b2c57a2565c12784363a522 |
| SHA1 | f7edfe96271be8c55e8b68e5d6e7c43b43b99c41 |
| SHA256 | 614fd6bb7d64b5e544cce3858deeec4dbf7fe0a19654536492f70465989b5a85 |
| SHA512 | 72c169ccc565c9ec6a42c654359267b8bac99cb62061a167399c798fee0c6bec397164838bc34af918e4be4c460c33af4ab3a184877b3bcd578ff53c99c13e6c |
C:\Users\Admin\AppData\Local\Temp\woIC.exe
| MD5 | 0fabf04b55cb2c562c9cbc4f84b09c28 |
| SHA1 | 016958c4f1c1933c8bceec637389b2c14ceadfab |
| SHA256 | 5e9ff686e6ffafd36d04828733ddea0306a75f8899755dac3fc97deb764e2e30 |
| SHA512 | e41b7b2beba5dc223ce467abaf9ea829332e39de19f3b7bf0862978597968801f74091499af4366048cdb1ec2adf15900ee9639495d17c086ae429361021834c |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile29.bmp.exe
| MD5 | 5e1a27683d428bf9bbe8d26f4dc62808 |
| SHA1 | f1cc36c27a150adcdf680ae7fab0ee2959ccdf7f |
| SHA256 | e85cbe25feb4ba3e4399ccf13c80af484855957ab4707d8fe19ac0ec7fa10c31 |
| SHA512 | e92b6e3c15175fe1779848c66a0547fd5eefbea31027d9a6d7abc27e28ad87979743bbfd6859117430e9e5bc598f1967c8d12aeede3ea589aea9395d5a90aa2a |
C:\Users\Admin\AppData\Local\Temp\GUYccooU.bat
| MD5 | 35a537ea1eacfa5a004fa568468af0b1 |
| SHA1 | cab0e4b1f4f5e28fe33f69fcd7e370dda88bf1bb |
| SHA256 | 6af0b3021291bb65ecd5b58b2a722667d11c9307af46e0b67171f19358087ffa |
| SHA512 | 74771270f015ba5bf899f46375b031679da24e798e093d62e4a36143ecd8827513360da9615d9d39eabbb49f436ce843450fab453611827c1060a91361201636 |
memory/1884-866-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/904-865-0x0000000000120000-0x00000000001C8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\GksY.exe
| MD5 | 5403de3ab4f95eabaeeaf02ce2e9ae8a |
| SHA1 | 1bc2449f07eb271d494021aee0f4bdced6b55dcb |
| SHA256 | 4ae31dfd46f51fc5dde621954fa5dca503fb3416eec5cab4b668980754542a1e |
| SHA512 | eefb601cf19ae3280d747a561972929021b4740389358faab42ba6a336101ba8a523d64e04e0ded70b1f0199bcd64c2430b88adef8d1a188286f94398ac87b8f |
memory/2764-888-0x0000000000400000-0x00000000004A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\GMwg.exe
| MD5 | 2debe83fa6000de52f124e9502278378 |
| SHA1 | fc58d4016d1ac83819ae39324a862c5c89e095fa |
| SHA256 | ff451ec044ad1b8fbd60c7480fa8028242249c57aea3e38683733855ac82bcf5 |
| SHA512 | dcdc3554611accd73b786f3cf5ee9a6073dc457bfb2efa204df6ac98a67c6af3ac344c5bd7dcbcbbb0412b0dba8b27cf2b39607de6fb21aef3d501d29d23a461 |
C:\Users\Admin\AppData\Local\Temp\wkcS.exe
| MD5 | cc20d327ad385acba7fb0e7cc2bb0088 |
| SHA1 | 7bad8e5a7455bbeec0f847527927903b7d15ba66 |
| SHA256 | fcc3f4d99fb357f54abe5ca6b7ae847552bb254ceb92cc3d64216cdfdd13d770 |
| SHA512 | 11ad61b19b704206c56b3c6e7d3fbbd6163c76dbedb636275ac0edad0d0a9c8b275995951b8ce2201fa8c0c7f2aa35c70b946d7cf5c76df6cc8d4989c5c6f323 |
C:\Users\Admin\AppData\Local\Temp\GMMa.exe
| MD5 | e5eef40b6b0fcdd932e6f4303bc4804c |
| SHA1 | 6ceb76c80f1c67f3584f42d5fadbce154bdd4524 |
| SHA256 | 1165b2d1cd12dfa9848c2d62e9ac4f56d7bd3ae5916c8eddfdb35fbd0b95d109 |
| SHA512 | 414178f670f7a67e74aff80fb350364ca4c60bf0945d660d235bfaade9de16e4c39620ecc880cef05193e5d2b4ea4d36510e94b64d9e701ce943c77e38080762 |
C:\Users\Admin\AppData\Local\Temp\IQEO.exe
| MD5 | 2fa69358a7c2ba3ccf799cb536482e22 |
| SHA1 | 72ee8123312bcc36c765819f0c1495c6979fd8e6 |
| SHA256 | d10316c7c76c30de67bbe67cd433408ba40470d0c241f1250b565ef9d5ea9c35 |
| SHA512 | c3946b2abbcd72a96aa1ba09d04ea3bbdb286ec27b91323278d3e2fc0e3e1463c08dcefac3693ab2d715d10c5bdd30f938e87daedc06e3945f53e1195458743f |
C:\Users\Admin\AppData\Local\Temp\UkIi.exe
| MD5 | 4cd4d1c26acfdffc941e262ba8132350 |
| SHA1 | bc27ae37084301606819c1b76f07db9e8f203a0a |
| SHA256 | ef3a4d0fa0061b9043daf394ae6912c19261bc0fd5258187c08e64104feb140d |
| SHA512 | dd85386507bd2ace8871e9e3972c3555c7c9906bc231a0915bf793ec0b059c4760f5fb0c45410908166b7f1d7d49f9e1bb8de52d2572fb9e10fb0c53e895609d |
C:\Users\Admin\AppData\Local\Temp\cWswEwQE.bat
| MD5 | b1a07a7e1be45d15c47af171665e35cf |
| SHA1 | 9cf779333932722b9243535c442af6cb8a07234f |
| SHA256 | 0393bab8d26ddbe496d56fa3b557d52ceaf3d0ec4d0c9816cbddb5ab8055cf75 |
| SHA512 | 6762ce80a559f65b1e3e7403b58b3137cf2cba0c11bc4e73041125125a01860bb3db49946cb2d605927b1b3281b285c0cbf872b1fd84eead4b206643dd5fd278 |
C:\Users\Admin\AppData\Local\Temp\kMYC.exe
| MD5 | ee5c11974c333dadd941aa5ae07562ef |
| SHA1 | a642521ce288f806c0cabf9db83fb5f8488335e9 |
| SHA256 | 49a2f0a718daa948829219c7cecc6df81e3e01ab3e7fa50dca6af3b051c83f40 |
| SHA512 | 17f9dac4e7c83c0c5792a2a572070ad595f96aa6dd542e776770064cd2d164c9713ca724874b578ad127a7543bc3ab6ccb4a74bdc228691279a3d8ad29ceceff |
memory/1884-983-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/1704-984-0x0000000002310000-0x00000000023B8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\kUwk.exe
| MD5 | b54cf81abed5e86c8b518dfe4eff003f |
| SHA1 | 8e8a746b846b0fc8f668296fecc2827b6acbf5b4 |
| SHA256 | 1dfaf1662382b8b03023ea0b6939572b82e11824a48e90f7c3aa5956b03390f0 |
| SHA512 | 26864ee054d166580fa01a2f440101cc9125ed8cb308db709183802fc41b6d9c92e8e4858aa902010093ad3c9b6aa378f6407e33c456e351248495050572cb5c |
memory/2388-986-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/1704-985-0x0000000002310000-0x00000000023B8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\wMUW.exe
| MD5 | e18cd8aec40daf626a0b4e87430dbc77 |
| SHA1 | 97d20acb4d62c7dfc6aff3d9409e9a0b92d0602a |
| SHA256 | ad0138eff1492ec747878f7e8a9e8dfd170ccc0be366272c1f3922ffef421427 |
| SHA512 | 41d976178484de0d7762d053db93a52420cf28c93aee185e7045cdf49cfc9c27e6d53630244d36b3199255b829b93b3d21e90e51036c9e8f99dd8dea435bb9a9 |
C:\Users\Admin\AppData\Local\Temp\kEgw.exe
| MD5 | be41635b82a1f645e7aaa332cfc134da |
| SHA1 | bd33bc9c42b184cdae2b1e531685915dd01e869b |
| SHA256 | 7c53c768f11be63ffa6e7a599e0b79481f9a69cdb0cf02d5d42722d6e270ee82 |
| SHA512 | 2e30300ebf820652cc7fd9cfd1dedb81edc779ab57689f17a32443743c690dbee801b9137abc6656842360b37f156fa762c152f803973b44f30bdbb8a285ea7c |
C:\Users\Admin\AppData\Local\Temp\GsYi.exe
| MD5 | 74738fbceed4aa628601d2bfb8a0d66b |
| SHA1 | 6cad6cfe67faaa57383c41f367e6409ca4c6956e |
| SHA256 | 8cae6e183062d2500f8b37cbd426791e9b8cc67e74ebc6cd39bf0b877d422c09 |
| SHA512 | c5a90afcf862152cc5a80b48d9a27c75ab7c159ecd163c4fecb8351a66c58ee3d4c3b9515ef76502a305575c7dc7b99c5dee592785eb12af27d9aa194040a111 |
C:\Users\Admin\AppData\Local\Temp\aUwS.exe
| MD5 | 6477954424a63a4b1110182c05d59590 |
| SHA1 | dea4381040b43015bc4e51840406a1502b7fce75 |
| SHA256 | d9414cd6213d4acdb1d4f8c022342a610deb3d1b667da5a887f4f87a2ddc67f7 |
| SHA512 | 4acb1965c1f484a7b753f17345c0985205ebab209eaac010c01b05c1ee032101c8ca218b4cc5eff1c73e5ef4d5f084d1aca87ba7ba7b2052ae71146a51d4b3a4 |
C:\Users\Admin\AppData\Local\Temp\MKcEogsc.bat
| MD5 | 48c423c165e85d7aefcf7a1e7e9d7a23 |
| SHA1 | 01cdadf09c562f856888280691e002dd3d9aa817 |
| SHA256 | d5afd8e7e2fd56a3089722258d4b372046e707b84da11ef0483d44753469019a |
| SHA512 | b218ea78ec516219883274b92256d827c34b3924b7b74e1f4c335aa2bd969ae7a3bf93185f18548e95a37e24de90c5b1d38ed8fb6749b547fbbb191fefa53deb |
C:\Users\Admin\AppData\Local\Temp\UcYq.exe
| MD5 | fb14a5ef4e4685a8aa06618b18612a9d |
| SHA1 | 4b874e1a78a4f801f28b7f2e4722798fff820a33 |
| SHA256 | 8725b520f2cc12eb3bf7cb8be2ee6926752784ee37dcb8bbd5272146d91dcce5 |
| SHA512 | 6637dfa60d380bf9a42cc6f5286a3d7b6c10aed063749a4dd5cf5d5a5ebbc20b19e84dfe0b0dee0a659ffb04373f20c4db42674daaa8bc5470d2b5b22f395bf3 |
memory/1404-1083-0x0000000000400000-0x00000000004A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\AMoQ.exe
| MD5 | b231bd74fb735446d90a85edee2523eb |
| SHA1 | 2b168b5bc7bac0365021ffe8b46434121e6be530 |
| SHA256 | 02679f8cbd8ba15c864dfbd94f24846b5104e7e417ac4ebeefea33d734140060 |
| SHA512 | 33dc20fa4b32a46c156ac216d61fc35072c7205d46994b933109abf37d362882e1496681164189b8c96c0236279a9010cf732104272216a52d98d2987d1fcafe |
C:\Users\Admin\AppData\Local\Temp\YksU.exe
| MD5 | f7a50ee475b0cef0828e1d297d791a98 |
| SHA1 | 2f3bbcf14f4247e975159e6f393f906fe27f1f44 |
| SHA256 | 11d0bd2e052b5bf82e60e425d9cb940a75bcc68558080a21f937d56e20dd5485 |
| SHA512 | bd117b1225ca185aeb43efcab60958f7eb3334ff41b11398ca377a45b989bc6b34110ecc73200fd65da9a44d9548aaf676426807efe9a3da346c7967a02179e2 |
memory/2388-1082-0x0000000000400000-0x00000000004A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\oYoc.exe
| MD5 | 1387a2d83c6acd0cb0a794d4b3900e40 |
| SHA1 | 12c80055c2a6194597496075c0a5516f598c3cb7 |
| SHA256 | 6c67ae520b64480a3966bf0da45830f40e147e05478c44d9429d7608b47a3ddf |
| SHA512 | bee0dc1c43be499644591710372e0517741aeacef7c3ae5db7ad467c23fca967693ed7b527bf688278d99914316e7fc8f3bd824d17e430af203e504f465ea190 |
C:\Users\Admin\AppData\Local\Temp\MUcA.exe
| MD5 | f02843674264734e9b07767689108711 |
| SHA1 | 80f1e3d4c6e84e6b8c4611625c60c44ba84fd4c1 |
| SHA256 | 0e540eac0da3cf7a5e38bf460e04119edae457186efcd755d3913959219bd2e4 |
| SHA512 | ceeb8c580e08f3b01fba39ac49a3b7693a3958af2ecd9faa23225b747734275a31ca5e5ac5ab8832325c9218450ac02557e262773609fc620495e46ed8d4f802 |
C:\Users\Admin\AppData\Local\Temp\siYIsccU.bat
| MD5 | 3693126d6bac7d449a812a02c9ea3055 |
| SHA1 | 43382d00b903d829aa3824d8e108d09dc2254704 |
| SHA256 | 7fa96498156da1cc7df26ee8d3047405c953e4d3ab227961a53dbd1ad26b5801 |
| SHA512 | 2478bfda0f5b62dad4865aab07feccc7c8633500dc6498a94bb969aff1a155cf5b48d0b78f5e39f716829b089a9797975ecc96dab6bed8d8d4c58722c5970dfe |
C:\Users\Admin\AppData\Local\Temp\GUsY.exe
| MD5 | 36cecbb4dbb9349609380f345375e4f5 |
| SHA1 | 26b566207246f9f2bc5eec56456c56e9bcdc8b51 |
| SHA256 | f94cc3f0371f387a47e31b83d289ad3fc6693dd2c37580477582371d9012a931 |
| SHA512 | b07abe18cca32be6a6439728d7de215dbdbaae0bc50749b58f76e737f051282ab1aeb01c59935d6219fb526696633f96b718efc1ca80ce4411c912ae9f0ee28f |
C:\Users\Admin\AppData\Local\Temp\OAQw.ico
| MD5 | ac4b56cc5c5e71c3bb226181418fd891 |
| SHA1 | e62149df7a7d31a7777cae68822e4d0eaba2199d |
| SHA256 | 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3 |
| SHA512 | a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998 |
C:\Users\Admin\AppData\Local\Temp\YsEq.exe
| MD5 | 6d7026c4a2d26335d455bc131e5a608e |
| SHA1 | 28bc32c8c12e13ccd8ae70e1137934cbe8285a8d |
| SHA256 | 3f1aa692b1df68f8f5953a1e9d13e32b480dbfc1c5f8216671286f245cd429de |
| SHA512 | b24ba4aec54bad1fdf57b2c4e34409c22e3efd9d4aa7d30b0201e21ad46df3173601a6f396b4006b02cfa8a0e9042ddc4b616757c0070244db506c53209a6e8e |
memory/1404-1193-0x0000000000400000-0x00000000004A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Kwcu.exe
| MD5 | 7b789cfffb7f42a181a86824db7eecae |
| SHA1 | fc78fe1b1cb9f4380a479516b7f694d73f1a3978 |
| SHA256 | cf9b3a63f5b8895658b456c8c5b1dc8a5de8bd9d5ca773d5e99bbf47c1c7d482 |
| SHA512 | cfe7a333bcf2df9ac41dd54792f821914b403f334cf7fb80190879cb3c95365188cfd696ee8f459f7055a57bfbb72cd96b1381f1abfb88dafbabae05f88e36e9 |
memory/236-1191-0x0000000000120000-0x00000000001C8000-memory.dmp
C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe
| MD5 | 4215e496f81d0d7078cebc2644f0b2e4 |
| SHA1 | 66573afdb6dce654af8fd48b8b58c53fbfdc9125 |
| SHA256 | 3aab569366a4002036f0d466ddcaf2857200abd18fab65a0b21b1ff7d89c3326 |
| SHA512 | df53c9914a957377598be87857ea44fc87e13fcc4d36f654e4e3f5fd444e738e54f085d186a72f969a2a585c8b2e8602d64f4e4c68aac968419431ee6f6f0782 |
C:\Users\Admin\AppData\Local\Temp\QIoK.exe
| MD5 | 60d42cafba7918859c780614a021b4dc |
| SHA1 | 3a49dddebe975c86d97fb8a596fe821508c79fbd |
| SHA256 | 3d96a99007f4c7b458052d4793035d0d1f616f1b088ef71aa2840e1bad3b6bae |
| SHA512 | c6f8565d578ad0ce227947cec5597fa939cd6e7153fc596f5816962f7236c621e3de915ae1781ed01ac2b62707bbb2d909d80409ec1d027367dffff787d0b501 |
C:\Users\Admin\AppData\Local\Temp\CYcq.exe
| MD5 | 55cee43ebac4ac4d8762a65e343d9726 |
| SHA1 | e545341fc588abacc2b17f7c2a321c8bd0f6ada0 |
| SHA256 | 7ccd57dfbeab8112e0aae4875caed50d07969c32b317166c4069e4daeca0f25a |
| SHA512 | 1ff008cd646656e8c933826d400264079ea6e64cb0c62c9157c1a075d27b19f260c4be7d7fbfb4edb4a6286935fab58893d329ed45a20f004fdb7105c61bdf24 |
C:\Users\Admin\AppData\Local\Temp\mkIC.exe
| MD5 | 7fff7b4d40be837ead5beec0aad48cae |
| SHA1 | 33a3d6832b943b1226199ee46ed97f824cfa080c |
| SHA256 | 1ce20a0222625fb13b83b7b3e001da8be02b655860e29489df73125762b90d78 |
| SHA512 | af596b459ab60a874d3274aeac7dd0a54cc3500fc76d170b6550d83e3f1b549cc810e3db4bc5cc6da12d7481739f095b366c78400a25d7e9c7d7948cd25da22e |
C:\Users\Admin\AppData\Local\Temp\lmkAYUEw.bat
| MD5 | 8d208e3823bc1fef01c983bab4a699e8 |
| SHA1 | 641c16a9235b935545e4a295b9285d8d6388db3d |
| SHA256 | 09f38b9abbbbc7cb7c772e1311efa11bc9d824f616898f9a96fc5f8f456ddebf |
| SHA512 | 0567ea772e83abec9daad908b398093506fa57f91a2771719d3934459345a9edaa538a48639132ad6a47d7c65ab8946d4b2a193917a9ff919316ee19862f946a |
C:\Users\Admin\AppData\Local\Temp\MQoy.exe
| MD5 | 082b5b962ec51462fb2d46b3e40ca8e5 |
| SHA1 | b04757d0751d9578218073846b54b8c0b5a80161 |
| SHA256 | f3f9fa726617304ded8780d211091ef06fd438c8e9afedddf0d18d403e704cde |
| SHA512 | 9b322d4aea89ed90b1e6fce7ffc7208438059e7af181f0dde985b70f42551988d2243128ce0d53543c2f844f2d53141e6813fc00f128c70588048e58f07afc5d |
memory/1632-1276-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/1860-1277-0x0000000000400000-0x00000000004A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\qUcg.exe
| MD5 | 8f097768cbead77a2bae9957cb9cbfdc |
| SHA1 | 6e48583e4053b00f1ed41d653b67e9b2001d129c |
| SHA256 | e033aaf0d6b1bc3cb21a5ec3b3976fc11ed06cf7214f9538edb0a59ad7f148e0 |
| SHA512 | 8bdbdd973c708a950196d30b09f8bfa7387b75f4363e61e21f9ec3622f977634ae5574413d885237429478c806a04d1ebd5a317354846ee61a6f4aafc01ada5b |
C:\Users\Admin\AppData\Local\Temp\UIAi.ico
| MD5 | 97ff638c39767356fc81ae9ba75057e8 |
| SHA1 | 92e201c9a4dc807643402f646cbb7e4433b7d713 |
| SHA256 | 9367b951a0360e200345d9aa5e6895e090fc3b57ae0299c468a5b43c0c63a093 |
| SHA512 | 167328960c8448b4df44606d378f050ca6c24969fbd7cc8dcfe9ddeb96ac7ccd89e507a215b4c1debff0d20a0a239d547f1e496635fa2f06afad067c30597c46 |
C:\Users\Admin\AppData\Local\Temp\YwIY.exe
| MD5 | 76fb088c31fa1ee85f3a824f9b908663 |
| SHA1 | 2beab722a3f4b19435c9b50ff4acefaf444e9d27 |
| SHA256 | b209c3f3a79793e69aeaff100683d1f470abb5f18cd2357ae9d2e81c517edb46 |
| SHA512 | ca464ed1233fc8b28ad10e1d8ac2878565b66a119005e2781d417823254182169ccab51bfa9890f5d0fe45c7230609f00198cffb6286df7faf108e3a64f1d321 |
C:\Users\Admin\AppData\Local\Temp\yUgG.exe
| MD5 | cc11f9c5a20122957966d03bb8f46b37 |
| SHA1 | 6b9fc812eb12b332b75b0d0eb3e8d969e46ff364 |
| SHA256 | 889e518062e90e0c17ee54bf0b16b971706f65fa5c6d9b2b9fd5d1b6632ae514 |
| SHA512 | 5434742868e52d7ef3edcbc5b194738d459b4cecd4ae1fb9b4a4f7ab85b0a1ef15b493dd17673b09f3580940bb11af3d795f9d789f16ae4092d1b3f01fa324b4 |
C:\Users\Admin\AppData\Local\Temp\WIIq.exe
| MD5 | 55ab619375577104554a7d50685e5d49 |
| SHA1 | 46f6c1ebfc9918f1da45d089314bafa0486a5889 |
| SHA256 | fc7566faaabf33d36ffd56803ce9be488850422509f67b1f79e61a29ed1e246e |
| SHA512 | f94df4bc8328be38aeb8aad94066392cb6f7ec03e3b2d87097a2f5fed777b6af644d03006ba253173bcfe64c6ea90b5f393e7901d8b79bfbba8fb1b8dadd66df |
C:\Users\Admin\AppData\Local\Temp\WUIk.ico
| MD5 | 964614b7c6bd8dec1ecb413acf6395f2 |
| SHA1 | 0f57a84370ac5c45dbe132bb2f167eee2eb3ce7f |
| SHA256 | af0b1d2ebc52e65ec3f3c2f4f0c5422e6bbac40c7f561b8afe480f3eeb191405 |
| SHA512 | b660fdf67adfd09ed72e132a0b7171e2af7da2d78e81f8516adc561d8637540b290ed887db6daf8e23c5809c4b952b435a46779b91a0565a28f2de941bcff5f1 |
C:\Users\Admin\AppData\Local\Temp\igUe.exe
| MD5 | 98919ee30b68f27799135dd7345bffd4 |
| SHA1 | 84cf9ab4a4d117a198c4089168aaf3e7b205a1aa |
| SHA256 | 95379e18f691ffdefe119014108c0738ce0e668b376e3aa58a41fa753eff4cc2 |
| SHA512 | d57aa9d13108816f1f2df0a6d8810ef1eac27a00a14b1f61d81bd93f89629ae46f641ccc954604fd43046f7369ce2918c046af2d72198adfa3574802aa52c064 |
C:\Users\Admin\AppData\Local\Temp\kIEc.exe
| MD5 | e49e09a0665bd7e539259994911b5c57 |
| SHA1 | b09ae7c6070f09b14a9fbf913c88fc532d28a1bf |
| SHA256 | 9a3a6fa7f4c369fa08ea6a117fafabfbec765b7a855dc9ba470575d373d47d88 |
| SHA512 | 31307ee6dceda40c39bc2520058667ffa80af860a5abe7270deeae0ec75ae6d4b069ab903c8a94075ea5f11f707873f467fbd28740303c843441b90a9841d81e |
C:\Users\Admin\AppData\Local\Temp\CMUK.exe
| MD5 | 4438762851330f230ffcefa8cd53c6ac |
| SHA1 | 81dae3939f9904f0d2a4d9e3185e90c4c596e17d |
| SHA256 | 85b8b78c35df81ef491c128530b970e62436ed5f3da0787d5d9670660c5af90b |
| SHA512 | bcb9735e83ba15de069093fbce3bc6919e587f9cf1a263fbc49949f396344cb7c123fb0ad956b8fa2a3d0718eb2eb6efcf8e140b758be7a01469a3c2b2e7e67b |
C:\Users\Admin\AppData\Local\Temp\yokU.exe
| MD5 | 1f2e465b11bc553d6e59b002e6b04a8f |
| SHA1 | 1d42ac8f57ac2a6d07e9417b117431553fff6346 |
| SHA256 | f5c03f62dc5c976af77a491fb3eed4c5273e6220908df65044e3929f78e839a7 |
| SHA512 | e8486da0a15d1305a3bd888f04acaf11c643a88640621dc36c2e8b90743d0f2c811d69a55d084be8cd3634c963a708b34b7e0506956e7d2984bbe2e10a9b900d |
C:\Users\Admin\AppData\Local\Temp\XMoAUwQM.bat
| MD5 | 89e17eb9762a73899b7451fa46b2c44d |
| SHA1 | b2a15679837f47dea4a880b97b84cd0c8bc77ca5 |
| SHA256 | 1638444964cc6671f4f3a14b91f4867b2a4815f3ba24390bd8fec8bb720d0879 |
| SHA512 | 03c8a1afddd49ae3f833f284ac17c4b0711f72bc4c12cf872d8e0e59ae99d0563a562be1b6514d6437e8329bf9bd7d3b849a00c63ba6bbd6dcab6ce9ab31bd20 |
C:\Users\Admin\AppData\Local\Temp\Kosm.exe
| MD5 | 222816a8d5f474dd3fe3c83358c79da7 |
| SHA1 | 7d857a434ef089c0a34b06ada5a5c573b6a7fd25 |
| SHA256 | 8f604cc2784a3551caec6bc0ac3607c0fe4cd30f8ddfd50da1cc1369dcb0d899 |
| SHA512 | 85f04ba8ee36fb7e12d528f97860662c4491dac00cd049601490c5297cbf5b97e91f96f3b6635f5f2b37e28a6bb1e001387774a6113075dbaf887bd923984237 |
memory/1788-1407-0x0000000000470000-0x0000000000518000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\coEY.exe
| MD5 | b68739479d227c32e1965dcf213a4047 |
| SHA1 | 55c20ddf19e7c87fff7388dfa8400d1eec036184 |
| SHA256 | 2f25a63a2bcad58c422e022a48408e5e79e8b8ca8ea7eab31f986064b75630d4 |
| SHA512 | 130b5bc4a626fcebfa3815d8df709006479ae6adc5d22a94d872aeb3e430b71a7c6bb37bb2ca38f7ea0fcc85c6b32205487a9010fffd2fd8a5934323ac26bcdc |
memory/1860-1432-0x0000000000400000-0x00000000004A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\MEEe.exe
| MD5 | a76f13ea4f1cc3079b8f92915f4d1680 |
| SHA1 | 8a4fc069d552e5e8f7d35c148a65fa4fef8a0392 |
| SHA256 | a544a6fb33c8cd1ce67d1e24c51f6858c2358ccc1bed8f4a30de545a6cc0680e |
| SHA512 | 810a13ca9af8f8bdb4f96b2f902618e88ef23b000250c874f6ab8460f4c91473eabd1c328d474c8a8aa6669b75a1831bd2f7228ef31db0f28b23417fff2270c7 |
C:\Users\Admin\AppData\Local\Temp\qQQe.exe
| MD5 | 6c79a542ed4f87479049bcd357280504 |
| SHA1 | 04bc9c3d12ca1d04b6e535c131ee4d5f909af584 |
| SHA256 | eb6d363ede03732922cb751e51a9551cdccb18b69ac5a6ee3745559821245b97 |
| SHA512 | ab62aa6371acb5cd0c09b2cca7993b5a554ce75cbbe0254d0cfa65c624a4275c14469fde4a710dceadc69f2b7c92728423fa9d55bc09e6ef98d120500b27fef4 |
C:\Users\Admin\AppData\Local\Temp\yAki.exe
| MD5 | d84b4f3ba2f032dca910e7107b65952c |
| SHA1 | 902fc51e2b063fe3fab8f0e27e8d323cb434c6e2 |
| SHA256 | 7241ad12f10b2dc6a49a097578ea9e1341909f0cf580911c0c548140d78347d0 |
| SHA512 | 21b300368b1e38af57adc7dce2b64ae9217a98eb8cb12ac64241678a630309dbbf9db5c85e510e26de89616d5a2609c258be8eacb241335c5c910f37af0d97fc |
C:\Users\Admin\AppData\Local\Temp\sEYgwAkw.bat
| MD5 | cb878505f018f5f15b3728103acaccf3 |
| SHA1 | 7ef37f9a97fbd9a64e645695b2952694c7e565ee |
| SHA256 | 0a9108fb8642efc7ac969451851722229379f56243aa051521401dcacece9079 |
| SHA512 | 897b45b511a734aaccddce6dfb6d42ecb2e700c79079945d11b2372c1adb1342eb8fa170a6e8e6d9b3a09c7b1a5c518eee2be1dd7012b8c597c6f3c6938fd15c |
C:\Users\Admin\AppData\Local\Temp\KEIE.exe
| MD5 | ff9587456967aeed9586409de8b6c53f |
| SHA1 | 441b4450aa664f9e8e5d85e84987d944c7855780 |
| SHA256 | d5b63331d83aa82e1f0008740e6c0c5f3cdeed9ed57b09437c1f14829c218987 |
| SHA512 | 4bb78fcac8d18f29edee0eff71231bb48a0d3cef63c12b77bce54d3600c248eb233589e15a612501fab9f416d53946a8b5bce6558eb654cc83b1ee05849f0d37 |
memory/2624-1504-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/1984-1503-0x00000000002F0000-0x0000000000398000-memory.dmp
memory/2628-1516-0x0000000000400000-0x00000000004A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ikcO.exe
| MD5 | d7a73a5454e59f6c06da6b493b7da05f |
| SHA1 | b3637fca0618ccc8755e5d952711fa3327f6f5b0 |
| SHA256 | 679e3b8c81471f0887f5234db824a3d420ac1aa2c6225b19d66260da5dfc8611 |
| SHA512 | 195af7825227facd02e476b1fe5af943796d7cefd0dafcb97dc046f9ff2a65301cf4e6f2aa1fadab01a8d38c6ff71b002d7db6c6a9ca0808468b0083ee768c67 |
C:\Users\Admin\AppData\Local\Temp\yAMm.exe
| MD5 | d739665b5f409c26b43e9f902db06d6d |
| SHA1 | dcc344efd0806ff4872d9709e6876ac998fcf30d |
| SHA256 | 63ff80d3033652afd340a8b142132101c4b09cc897caad723c06774fcbe0077e |
| SHA512 | a2979a24042ee8e6dec91a8ca3da8a965c09eba9d6e46b744bd645389585e63b765d3a809e5971d6964b15990f49ef24578c10e2e457c82f64797475ab934160 |
C:\Users\Admin\AppData\Local\Temp\oAQy.exe
| MD5 | 4895604cb9580a65fd421df27bae6cba |
| SHA1 | 57f3808c1b0caa62b60fb6d1cab8be687f9bf67b |
| SHA256 | 2119813b920a97e6e35692ab35c306364af11aeb37066b04befb02da4d70926d |
| SHA512 | 0157fb2bbbff644d62ee3f7ff9f70b6fa7a793d608ff5365894fe10ec744a264b2c9325db33702c3583673fa48faf44e75529bc488ad601eda5facbf13794d14 |
C:\Users\Admin\AppData\Local\Temp\moQgoQUI.bat
| MD5 | 1e8a2c6a883ef921828700ead35b31d8 |
| SHA1 | 06778915256b597f8265773ba323113d19ad0323 |
| SHA256 | 47d3c38d701d37fc4b0662ec32130c6476d07ef50e6f2cfd56d325154a64cc04 |
| SHA512 | 9bd4bbafd233e8f2ba0b5a7a835af0fedc9e2fb85ef3161ada18c564a232acc5039ca31c30480bc287c73a0a9cec3cbe32648eb6fad04070e86edfe442e017d9 |
C:\Users\Admin\AppData\Local\Temp\UEsK.exe
| MD5 | 7e2ebf64450906e36155896f50c90bd4 |
| SHA1 | 689bef77c1c2d21f60826492003147c1ee21eb09 |
| SHA256 | cfd22f9bf9a7bb6982b54ddcb4596979eedf1b0d361b50de3a78d0e2a9fed89a |
| SHA512 | 75a02b68628b4a8cd0c1e87897f730d62d92aa40faab8203afd1442779bb540368e67b1cdad4d2c27ae8537a8c5dc8d2b201d5c68e4f7cf66289493f07fe5d56 |
memory/1412-1588-0x0000000000160000-0x0000000000208000-memory.dmp
memory/1412-1587-0x0000000000160000-0x0000000000208000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\yMYO.exe
| MD5 | 5ac54e66efcdbda0ee9c73b762cbab16 |
| SHA1 | be870b119bc9461f6a0f0c694a913de5eea08f87 |
| SHA256 | d8d674b7de5ff3f71b9f727071ffb41a4473a22620f810cab21720d0c05a9478 |
| SHA512 | e8122e6ee3ec0649f9fb7227c3fbea56f099f09f7123f2b316ba49d4f51b940e290ee6810cb38c80f9af574049728b1da76fdca9a3b9710805cd754b077f691c |
memory/2624-1600-0x0000000000400000-0x00000000004A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ukks.exe
| MD5 | 7abfe22d3ff73be0b7a2ffee4e636fe9 |
| SHA1 | 3bc7bd9e24d78aefa0e8d3c181cd9fc4879d3405 |
| SHA256 | 554e995a258e05339ec07c82e968a3067e5936abb73e4bcf0750d9505130b80a |
| SHA512 | c08c59ae83f32728bbd98905ecc745c2c1d5d8dc5ec610077ca215572a8bbfefb5b8ad1cb86f535ea0f5214615b2b3ad18eca11176fe00c02ddb0da52d33fa16 |
C:\Users\Admin\AppData\Local\Temp\GIYYIEgI.bat
| MD5 | 5b344bc80bde552fc4391edd2ccf47cb |
| SHA1 | 1dbeccf66f96a9d3ca4c6a3bbb385ecab0d3e044 |
| SHA256 | 8cf903130b0c3d7c29f112f8255056d2037982ed0d664b96811d043a170e3f4c |
| SHA512 | ab48dd4b4209cbfc804b98add60435a8859e500ac4965c5edc8526315720f1eb77287fbac2516c89a68d5a8a2ad7c50d558b6a9bb7c7a993070eaebbe998e3da |
memory/2740-1643-0x00000000022A0000-0x0000000002348000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\YwMi.exe
| MD5 | 03ededfebc93edf11c195dad44e61269 |
| SHA1 | c72a315e18f39c0452b8991f7887d477fceb5c66 |
| SHA256 | 152723e315416a58101871af6f6aab9b62cd19e57d48f8575c09d9bc0b92524c |
| SHA512 | fb7bd530764079546d3b0f3fbe54783c6eb73113e6fdeddff8b86af3c1c980a81515600c1a8bafc55fbeaf5fa678ecb008b722d76b43e17bb2302faaf52223df |
memory/1584-1656-0x0000000000400000-0x00000000004A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\iAUu.exe
| MD5 | 837a9cd7674b4ccd4d2000ecbbac21ee |
| SHA1 | 0c8fa7e33e5a2c86562b5b5dd6c990ad8966c997 |
| SHA256 | 38a93311a2130eff48e2b532da0c9cb9a5b55cba7eab98b5e3cfce8b94373939 |
| SHA512 | 66e564cdf47e0ab1213fed1f7a983df2ac1e1ef33d1b97d740fbc787b690d9986d7b5621150ade7bd9b2511610c283f4e3160179d48fa1bbaa7180d2ee4ead60 |
memory/836-1668-0x0000000000400000-0x00000000004A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\gckc.exe
| MD5 | 6f75d5bdc1db350bc36f34644b1505c4 |
| SHA1 | b28044511b1bd2af031a8db72dacc86a5e13b750 |
| SHA256 | 6a84f72bcbe70a4eabbf73b1cb7a9ee50cab4d674cce425a23e652a914a492f6 |
| SHA512 | df12404a1db32f97eadafa0bb94272d36c5037e90c25b5b27eacf36cea1657af7ba6bb909e29616e3fc724aca2552c63cf9f1745883edd650025ee813d26ff15 |
C:\Users\Admin\AppData\Local\Temp\swIcIYAA.bat
| MD5 | c57e65ee2222a165a16569e35c1abd9a |
| SHA1 | 586bcb3455e3707e939b3fedbba1795af24715cf |
| SHA256 | f53f13aaa4328c40b116cd2c5fc0abdf48f290c6c6a31b22f27aa81065ddc27c |
| SHA512 | 38bdc7571fb898d21b2da6c0ba0cb8f1a9c6dcff4173bb3853ce8347a38e131578f8f8b7d21df75897610da88a6a09db16e86b1d704e97b56c12061bf77e5ef9 |
C:\Users\Admin\AppData\Local\Temp\mAgo.exe
| MD5 | bf4372445ca75ba0534d0d0e3e34b36a |
| SHA1 | a67ae74deadd5422956d28cdf56901fe173ac854 |
| SHA256 | ee8958566c697f634b4bbeea36c9e71623646d669c573b5ba6078662b7ef357a |
| SHA512 | 2118dadb8a26c412cfff1aca0daf206a49c2d6f50967f4a69f76678b8e736e4b8bf2d1dbaee223a6144c3ce6dc848fa112f7ea763598bfd24347981e3353e6e1 |
memory/2984-1723-0x0000000002370000-0x0000000002418000-memory.dmp
memory/664-1725-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/2984-1724-0x0000000002370000-0x0000000002418000-memory.dmp
memory/1584-1737-0x0000000000400000-0x00000000004A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\YkQU.exe
| MD5 | 98d2f718d4f28a313f242f5af3c08722 |
| SHA1 | 6be283fca7d093563d90a9a3fff74b964e37e7ca |
| SHA256 | edd872a30c31224db1344e3ea69424f56050b7250ff21bac1befdd4ac11754fe |
| SHA512 | cc2581232c7231e9cddaf234a225b8eedd7c205e06304aa13162fe247c76caffe99af9e4a085fbd33982064623fffcc4c6888a8c02ba21ea6bb26df052273257 |
C:\Users\Admin\AppData\Local\Temp\kcAY.exe
| MD5 | e5707e2c477dcd5e9a23ce6dfb5c8349 |
| SHA1 | 4ebaaf466d38c43f09c86e8146c65d8c69d4089e |
| SHA256 | 7136f6d9fce5957c080491e08eacf3a7e0d57f3dae56e63f05bc05fa4a9fe3d6 |
| SHA512 | 70d7ebf42bc439397daf2a6646e3d75c32c9925a5a36606b96094bd45f12d9f86d23831e59c5bc7e1f9718fad08f71e93b4b8842e5fc4523df8d60af503c3d1a |
C:\Users\Admin\AppData\Local\Temp\dwEkwQsI.bat
| MD5 | ad626f4d28617b8af709cc729e627ed7 |
| SHA1 | 98d84dabbea3f632602ef9c2968a3c18aad3ddf3 |
| SHA256 | ce13d6329bc0670d7e92c403dac937167e6ba1402005eeba915f57daa63cfc65 |
| SHA512 | 7e14487bd0059fc7b4c93d61c2486ba39eef769ad182fce8cebf69d6f1972e566bef99b3c0f15650dbdc83bf1137e4fd9e11c4c3e60e6e71edfd648d259d9d82 |
memory/2540-1792-0x0000000000400000-0x00000000004A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\mwQo.exe
| MD5 | 41800aefff274ed9a546e229699ecdec |
| SHA1 | c0c2a80bddcdfe099b4ea03ad383abb3ae1f7a60 |
| SHA256 | fefd07f22ebc998745911f125a4292aeab0983a902ca1b9f83185a5f3f14b5f0 |
| SHA512 | 2b856e27b01531990e50f2e3aa04d9cdc75d2ebd0f2e287a87dee47a6c23e60ab9d2b1fff591319a76d40c59748d0f4d65cd98222589b7dae40c5e8c7bc4b63e |
memory/664-1804-0x0000000000400000-0x00000000004A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\aAEY.exe
| MD5 | 468e27a28f37efed52b3b29bf50a5a25 |
| SHA1 | 2c5627f8f77a72fe62685306145b24f23ee48e25 |
| SHA256 | 8d7a6c98b1f25864b742d0eace1632e8abea53710511f7ae628f0a996a353d7e |
| SHA512 | 97dc8ba0b807258f39bd6adcb1194ed5852b01fb2ecfd993eaec1815b235d79a485dfec61e48b7ff6c906fae2d8d413c602aba9215df5a2125158a989345da3b |
C:\Users\Admin\AppData\Local\Temp\OIAM.exe
| MD5 | b4e53e9373ece9ed74f868d6ad1a423b |
| SHA1 | 567f460f334e1dbc84e09781707ca9cf9d26573f |
| SHA256 | 6b2fdce5a8fceeb9ac7ee151027df14bcce847a94aeae83dcf7e400a720b1ece |
| SHA512 | ee8a34253414ea82b07790e737562852305b97e9650d1afd2809e892731c6f4cf3552a081d37e19becfa44af226e50bf5d612addab89c11dbac8be251c2940de |
C:\Users\Admin\AppData\Local\Temp\DaEsgcIM.bat
| MD5 | ab9f9abeedf61a3946d25a0cbb0e6281 |
| SHA1 | 1d4fc42a1e449555ec3262380db4d99e1335a2a0 |
| SHA256 | 8b78c1f5b86240dd8e258691c890bceea1a2e5382c3cf384a723e11bd0c17bf2 |
| SHA512 | 30573deeee3b86782c80429da82ae4a801781fcb25d905599d013e481cd4b7409eb6fad63ed93450ab14ce8c3c1ce030e4ce8e7c486cb98620cbfbbc981d2c65 |
memory/1900-1846-0x0000000002350000-0x00000000023F8000-memory.dmp
memory/2700-1860-0x0000000000400000-0x00000000004A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\oEkQ.exe
| MD5 | 073056aeba914161502918c429dd95dc |
| SHA1 | 10fc78f7e69357e451a45050ab4f1cf06d041006 |
| SHA256 | fef5f61ab39330030e861b59e3fc821123f123c486305a40b70227e518812192 |
| SHA512 | 1cf1bd8586324a5f27e95eeb02bb1cc46087e7c30fbd89905f3e1bc1fc83aff03d0087cfab24ef3774abfa5cfb5c8da8c1e0af8c6409daff760580a94dec8ce4 |
memory/2540-1872-0x0000000000400000-0x00000000004A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ocMY.exe
| MD5 | 9d78e0f319c1e40d46532cc0b748e0f3 |
| SHA1 | 4b752672fb938369b6bec3d9383e60d59f9a963b |
| SHA256 | ff3f5d836011d9fb4d4703df7a48ba1eb30f678aa3519ae1e865d15cffee66c3 |
| SHA512 | d45b70dfed401bbcdc9f7c540cb2601d1857389e7f1ed47e83f6d8d18c7a39958068738c07b3e4c2cd50bd82edbcf8c05b84555d8c553dabd65a106998511636 |
C:\Users\Admin\AppData\Local\Temp\QcwG.exe
| MD5 | 612533703519e3829fcda4af118f0216 |
| SHA1 | ec451d71510cb41128450e7e86008d54075614ce |
| SHA256 | a7125aad09ea7b3bfe0db6c8e5f159e60c03a68e02e6c3c45f5ddf0a34e83b00 |
| SHA512 | ce32a7dc16abce47d6317041ceefb3d989bd84c303f50879c1fecb66adff57bab040a70c3baf05982152918ea0b60c82e1cc6c365c4ecb9d4c593d5020af967a |
C:\Users\Admin\AppData\Local\Temp\JyAMooMY.bat
| MD5 | 4c4231f527f11ddd977b5036b20ffcfa |
| SHA1 | e91f08a58d66c18fd19c23329aa0b6d0d723d448 |
| SHA256 | 54d18fad275c914d36771466d562c9cafaabbd16c631ebf9eb00f94bb08e825b |
| SHA512 | d3f8afe4a308bff0b3fa1615f70adde68a96712181fab99b4b76e4fe9233b275e421b1444f888331eb58f1ea9f865165cf16d0020d0e6a8da92ea7324a4509d8 |
memory/2660-1915-0x0000000000400000-0x000000000041D000-memory.dmp
memory/2588-1914-0x00000000005B0000-0x0000000000658000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\qYso.exe
| MD5 | c1cd06f0664a5da3817558dde7ebdcf0 |
| SHA1 | 2236cd0937034617c6c7be37b3f07dd8b667008a |
| SHA256 | e324be6b3631a31c9718c096bb013b3fa73fad6cbdf55f686620a417535351f0 |
| SHA512 | f6c7d8a6f832854f828e572680aa1922610b0f0ae60891f78f2332c8bc7ca93b3b701b63a4787a35a3789abd52ca2af9bf2c5e673dcc7007eda6f7a7a706be69 |
C:\Users\Admin\AppData\Local\Temp\yoIi.exe
| MD5 | d1b1067d2ca5d7496203f5c3597f4f45 |
| SHA1 | 8c552b2c84e9d1ffc9b60dae14706ba443d83851 |
| SHA256 | 3e9bcbbdf7023d8757cff2dbc50395542a55b1906d0854bc920c9c76416a3770 |
| SHA512 | 28ff5120bf3d4f72b908c37b1fb83f4463dd34ba17663b5d90252f9446ff9c7bcf798619321833a35d69b35286394d0ee5e208717ce8ce6770dfb346c0af80bb |
C:\Users\Admin\AppData\Local\Temp\AgYC.exe
| MD5 | bfdf0007043fa80694a60e1c37f91885 |
| SHA1 | 9fc63a6bf39417092036a90e2b35b69a52eea364 |
| SHA256 | 9df208b3600f5cd9f5cbd0eea3ff027f95b8f1d51ba59a25d1832b427b999690 |
| SHA512 | b9848d6a569f3134a3373702ba05afc7d3b6ad9ec8c6692fdc59501482182542c9a66ddb01420d5dd1286e1d4634582a0aff754098fbe5c10ec825dbbb3486f4 |
C:\Users\Admin\AppData\Local\Temp\ewMk.exe
| MD5 | 39b438c047616a937a2b05b149c5dbc3 |
| SHA1 | d5c5fdf5ae5ca6e02a5ff2f114afde982c6edd2d |
| SHA256 | a9c562243df464be2512f3683415c82a9896fb8c10a5c0ded6ad6cf12a3a10b1 |
| SHA512 | 6276044626d866c1860549bb1dce2063b7b770ce28520488a0a27c41bcfebf8a2fee3b66734879dea2b3182630152654e1918926158d153e4f15eb749947bb35 |
C:\Users\Admin\AppData\Local\Temp\vKQIwIQQ.bat
| MD5 | 7d30d056211b87065b78a267c5ad75d2 |
| SHA1 | e3ed1cedc42bdabf1b81efb833c65ad8b5622f15 |
| SHA256 | 482ec120e8bd60f376124e3c4344ab9c97517c6ef5dcf7e2dc2c9d1109fbd3c8 |
| SHA512 | 4ec468330230361ef7f9a344f1c948c61877315a0ca164540d6d1018ad4cc4986c7150e524c19f5006a05d421e4a45e8a624a33936d063289883b9a19745f384 |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile32.bmp.exe
| MD5 | faa7c73e733f506c9a6a4a8a7ec5b646 |
| SHA1 | 60e395d1f5b70aa5eaf55a5c7b12c36d70b2280b |
| SHA256 | a2215cfcbf5a13ad0eff4f777667ad1d9c8baaa53a420e72fe34aa63a7294492 |
| SHA512 | 7ac0443c3f1c77099e2081116f4e1d7a584838e7013cea18e78c8bd668677a4d1e686becd08f6020c3e5ab102fa098dc3b63281b039265c75d94f480c74c6da1 |
C:\Users\Admin\AppData\Local\Temp\Soge.exe
| MD5 | 405611c2c4393e67dfa764eb012d3694 |
| SHA1 | 30b9e5d14eca7de5c65acfbae7da61db921d0066 |
| SHA256 | 3ff1f4280d82d9e96a91ba5872ad3a44f9f050fef66614f57b8cb774ad52c081 |
| SHA512 | 0dd6166a7f9c88ab4f5251d5ddbcc82da19d65f775f7470f50eb71c3717a03595f3c0ea53b1665475ff1adeb05373fcdde32f0e55a7d677fee19f6ddad3027a3 |
C:\Users\Admin\AppData\Local\Temp\uQAU.exe
| MD5 | d5e4e5394862e6f2c857f57cf616b517 |
| SHA1 | c1c293928e9f6f794b72e24ca075a224f4e7a6fe |
| SHA256 | c80a873742604df5e2e2cd40744a56bfbabfeb3102e9970d34e54343ec5c2cbb |
| SHA512 | 422fde59c4847379b8fe5cb7da2e96ec10cdf3b4903a53d0614584cfcd00ce52e431d49f19535584f31086cf704e880daea30f5ac3c126012236d73493a2c96c |
C:\Users\Admin\AppData\Local\Temp\aIEE.exe
| MD5 | 73673c0409ad1b40fb80db886faa3274 |
| SHA1 | 89a03f66d0f15dc0115f04018b489a0708a5d8c1 |
| SHA256 | d5d1cc2393beaa86ef3ec0f15ea9a25f537a18de582db76d81b165d03cd4e60e |
| SHA512 | 2a48deb393f1539615be17f0815a3d3ec2d6f1b3915a86ce6b390700731a34d25403ebea2cfa90909b07901de3bbeee7de68f66ee0e58f9cefb4bd749d9ef276 |
C:\Users\Admin\AppData\Local\Temp\gQsw.exe
| MD5 | e3e184963e8f86b75314afa4c0b9c150 |
| SHA1 | 867e1f8e8d9103621e0cd5287534c09fafe3192e |
| SHA256 | e5192f1abcbe3e0e815dc7aabf1ca534ed946d52073b973998c41ed9574d9d6e |
| SHA512 | a84891b97d609600de1da149df65049ab52e98ea87cbb9a47d47f7394fdbf9c74bcb7c0a05dc00aaf09455a3403ff5bd1939d3f4933007aafa85c7026dd8618b |
C:\Users\Admin\AppData\Local\Temp\GcwwEQMc.bat
| MD5 | 59ff784cb2d1e97f77c848714c4c6e41 |
| SHA1 | 0501953f2e937cb5cf8896e067c172046c6e0e39 |
| SHA256 | 29f0cfb3527d37880bbc4f4280a3977b15bf28e481a881b78430503cb5d046d5 |
| SHA512 | a76f05ee3b8d33214617a71a254f229204cd3b11818a41bf02e8c627ea1025a25c32a39ae9888c9bb6bddc985cd5357eddc33ac2fa23e89219db8aa8286055fd |
C:\Users\Admin\AppData\Local\Temp\wgsc.exe
| MD5 | 219a44d9222a4645ac88456988f2e5d8 |
| SHA1 | a27729ad69971826837de3edb4e7084aac84fbc8 |
| SHA256 | 8d416231d991b0da6712625a51cae2fbf4c45ad9e8e775d4993b5176001efb9a |
| SHA512 | 3d76b7c67c6ce48917b83109c7f99629191d47765aa55c5cc99c3ea18c71b83d95347b14e3bbadf1b7aafaa64e23f4e5e64d865f2d21ada4dc3d20f46462553d |
C:\Users\Admin\AppData\Local\Temp\Qkgs.exe
| MD5 | 41c1f5cc239fe326bc40cf385f37f28d |
| SHA1 | a04438dde3ee405b6d6d69541f77188ffadec4de |
| SHA256 | 6670b68ccf91f8e0485ed73d1fa66630bc756eba38704e2fef72419c9a9918a0 |
| SHA512 | 65477fab5527dfd22399a6ddaa659cd89ac72bf42b99b0c22d61a59c1c640d76ac64c1f5c2f820dc8294e79b67df051d9ced6675bc66002ec70941f557c47e99 |
C:\Users\Admin\AppData\Local\Temp\WcAa.exe
| MD5 | 20249c2429c5a17e8eca429780402c47 |
| SHA1 | f2d87747b37b37f7329ccedd8be49d5a5e3f141f |
| SHA256 | 74baa77540cce9dcc285d89c15e35bde0f64ba17ed636ab74a5d491364e0c9c3 |
| SHA512 | 402f390f3c0f90127c67304553c06166a19eff38b8a1672182a68ffa849930801c80de813c6a7164cbed20a975a49f055e227ac3b6dd06227d148891a2b90011 |
C:\Users\Admin\AppData\Local\Temp\MIgm.exe
| MD5 | bc8669cfb07497a6bbe7e541b6bf321e |
| SHA1 | f9fec901321382e7ec1782314747e9591e3c0d10 |
| SHA256 | 09cc138f8978623cc8cba5e034366b7b4fc21573d47698fdf3beaa6bb4c95441 |
| SHA512 | 0ea9e632d72a3cd72462ce3449c6049a016f57b533cc7ecf2b737d9b0454484264352c7fbf91cb68464abc8d0e9cf731c6ec85e334a26c3f5ac6fbed98270d16 |
C:\Users\Admin\AppData\Local\Temp\IKIMwIAM.bat
| MD5 | 98722af74476c80856c995a96212534f |
| SHA1 | 47d1745a73a75aa90d65bf48ee857ed5735be21b |
| SHA256 | c216e3edf210330f0498dc6b6dd2afa02134d8eee6847fd78726ce7b0d0f1cac |
| SHA512 | aa3c93e53442c500218b00d9148472d30b537c45e7cef4123e56db7bba3a65da66a70a036e7b0d880648ffaafe5feecd1da6423e7f25e193f58614d4d6314586 |
C:\Users\Admin\AppData\Local\Temp\CYoA.exe
| MD5 | 106c33b1943d9b0cf753d12e4e3cc13f |
| SHA1 | 951f364295f5de58c8c886a8d3e65177890aaa1b |
| SHA256 | 18fe23fd22d44800d191c33152142fe4bda0f6e591f3691f005fffe4a181868a |
| SHA512 | 10436a35b10e04434b7cdb4c61bbf45e02fedfd587053f9e852af38154b563ccbddcc2b6dbed822d484d4075b0c6fb3b2048a8793342e124fbe37de8e0886be0 |
C:\Users\Admin\AppData\Local\Temp\kMcy.exe
| MD5 | 8b1c1b4dea75d6939635f31a827681a0 |
| SHA1 | 0817286cb0aec607b9b6e53f5b8cf2dd1e82dfe9 |
| SHA256 | c2c24b611cba94c29912e1db1a9437faeada287d26f7805d0018bbb2f39490ab |
| SHA512 | 103cba09dc5bff093522901915a688d5a4b19b8d31d7b0448a1c7a793025a9d1f0c468e953e9364587251637650151ad8c5a5ccb41c8db375c5f9290fc7d59ab |
C:\Users\Admin\AppData\Local\Temp\mkYu.exe
| MD5 | 72e1f938c18d30e113ca559e1413dad8 |
| SHA1 | ea8f5a87ca7598ce246e4501104d05da2defc8ae |
| SHA256 | f4254994cc20edf6f2f5e1569231c6c059af82fb0e25ccb09c20268dda9252ea |
| SHA512 | 94611a10002e00890fa7e4483f28512f820fb6048b8c5612decb932ab12b3d33e7fd1ea6a1e6b3e5319990f23b5fe4286527dd102b7223a458719302ac0e1ade |
C:\Users\Admin\AppData\Local\Temp\YWMskEwI.bat
| MD5 | f7ba1bd58f075838ddfe4a9df5f81ce8 |
| SHA1 | 623408b36020c7b349ee720a0b1e841c19ec0094 |
| SHA256 | 51bcc56c5ece533b0cb79e59e287d06a223d108894e9625ef6f887970a771163 |
| SHA512 | ee05caa0a8b1f94396ebca59c92edde0bb50b0fb5b2a8624f62651b7804b180aafa1dfaca8fe3036444545a2606fa04a995924ff3b9b5ca8df469b3b2b3800e9 |
C:\Users\Admin\AppData\Local\Temp\UcAS.exe
| MD5 | e69d8c0314aafdf08034cc8552beaaa1 |
| SHA1 | 7efbe85dcef533746b57472a6709c3d40f625359 |
| SHA256 | 46ff4c301f76fcbff32d67db7550051e22f7dcc3384807eb2579b82c22684cef |
| SHA512 | a68ce4e4c0b29fabd078ca279e63f792dc1b89e5a886dd7e62f9f650976ffaab8df1395a76e8f8ec29886b084f9a2d0c2a92d6536796cce57252092b1af73c30 |
C:\Users\Admin\AppData\Local\Temp\iUcIQUYs.bat
| MD5 | 43b58d5776dc28ff760899ceaffe1977 |
| SHA1 | 22725759c12efd67c54984fd4a49abad60e2d9e2 |
| SHA256 | 02e15af5e1d7667de9a38081a807a12ea0ea78468cf48b517b6f1047ba723675 |
| SHA512 | 5b4efadcf8e91c99fe3e615adf1acb6dff06038d368ed13606e86efeeee4c32f052636b1bf670791bb27225c38d7ea7cf0970c08d794fe85f921a8477f53fb27 |
C:\Users\Admin\AppData\Local\Temp\PKIUYsYs.bat
| MD5 | a00d8f6dcd9f41640a2646a4af11bae9 |
| SHA1 | 7c7379afea7169c3784df8a85cb99be0fbcb3d64 |
| SHA256 | b3d413530b01b16b82f8711ff2536c40831d7f3e82c01a347bed284dbd4aab8e |
| SHA512 | cc790d9410f29b59540c43cef855d2d6cfc8da8873a502edab8dc209da5e58a4287cc67b09f67bd4c99bf4f3b59c10546a9af6cfd37e7bd5f0b66cd408954787 |
C:\Users\Public\Music\Sample Music\Kalimba.mp3.exe
| MD5 | ee5a000b675e3c53e9c60ab20ffd0b10 |
| SHA1 | 0965d4c1a5bc2501cc79c33bc0b99744567d6086 |
| SHA256 | d347406950e42fbfbde82e6922be0032bafe852b3b09a016776bc3bfd2b1029d |
| SHA512 | a8d1f04bb4cfe6a61f4204863e8086d3e478e5a4df0afd0979389d6eb37a78475633868ee5d9e80aed8eb6cccb05f7c0e891c980836d104b94e3cf590138159c |
C:\Users\Admin\AppData\Local\Temp\WIAw.exe
| MD5 | b5ccb3171110ece9bcf540d87ee0f4ec |
| SHA1 | b9a4bb2ca45fba73e4359c55bf70da801b25c60f |
| SHA256 | 5660b947d4e11a990d0d1453b35be071e112604b50334691dbf6f58a25ba21d3 |
| SHA512 | d611b1f025d241157bc7950318d2db3ab21d44b662f6e49c60c42aa5c694c55d2e369387b94e3ca8877aa4f29ca37aca1953f635299fc31d818c01d63ff21228 |
C:\Users\Admin\AppData\Local\Temp\CMgM.ico
| MD5 | 6edd371bd7a23ec01c6a00d53f8723d1 |
| SHA1 | 7b649ce267a19686d2d07a6c3ee2ca852a549ee6 |
| SHA256 | 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7 |
| SHA512 | 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8 |
C:\Users\Admin\AppData\Local\Temp\uQIQ.exe
| MD5 | 80f10f6bbcbac1586e20868565e8c5ad |
| SHA1 | bd847009a4f75cac0c7f897a79114fde91ca9cd4 |
| SHA256 | 41262e91fab54d1a403d15e75f5d224e8736c9c5967e39be42cd2b7f5cea55cd |
| SHA512 | 6f51d41a922cb2ea915e476a75017532d26a3be2a35645ea5f0813c48226e3472692a4bd8d70b063943b7aa4d4f40b6fbc244c3cf937d5c2f7d2820b048100d5 |
C:\Users\Admin\AppData\Local\Temp\LWcQIwso.bat
| MD5 | f4e4fe5bd58ff273734228b76ee71cae |
| SHA1 | b2504a0ae1b959d006405aee78f7df903b3730be |
| SHA256 | 2d14beb84a1146b9d08a7a122b91651446057e797a6436497ab21e986fa3fb05 |
| SHA512 | 3be2d0913992c839391544cdd56c702f217dc513b26209f10d2ae5962ca6667061fd36cb69a45adefc5477d326b9ea6771d86e0273339b1a67bcddccc894908d |
C:\Users\Admin\AppData\Local\Temp\mcUs.ico
| MD5 | f461866875e8a7fc5c0e5bcdb48c67f6 |
| SHA1 | c6831938e249f1edaa968321f00141e6d791ca56 |
| SHA256 | 0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7 |
| SHA512 | d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f |
C:\Users\Admin\AppData\Local\Temp\YoQk.exe
| MD5 | c40081aea6ac79b2692da3119a36d919 |
| SHA1 | 17aeccc3e28246a516319f91e39132221a81165a |
| SHA256 | 0c2a249599b666f9f7515b04b06a76ddd4a3755c07f013e0f6aa23877786b99e |
| SHA512 | e0575846b3cfed4669de05c74e480205a83c36967eee8d9c997dd1d3cb94de21e2d831975dc5fffb458c538ab8eead048a1322b21230a2fa476b62d79327b819 |
C:\Users\Admin\AppData\Local\Temp\GkcO.exe
| MD5 | 1b118d33b91ca1485ccd470f39e5fa29 |
| SHA1 | 7ca28bacd1b206e1d1e1f4d9f54ea87746cc4c39 |
| SHA256 | a50a0e8038dd5ec2c26e09e7a532cba6d63b4d1af27f2eb9b9843fcc11af76e4 |
| SHA512 | 2225c4aefa68f67319fa5655ee07aa55016af1095724b1cef8f10bf944ca2ddde119cafcc703f150a70fc4edb559dcbfc844fbaf921f1ac3356b13b9e22e59ca |
C:\Users\Admin\AppData\Local\Temp\kcwW.exe
| MD5 | f2c36458f25c7c67573b26171237550d |
| SHA1 | 428d80caf46a9a83e722c49d715daa6fac8ebd8d |
| SHA256 | 0a117ab593e041d9d71966238f5b7a4a38f9ddb6ede64d4947caf5d666e78062 |
| SHA512 | a9ae9991f3623d13c1272feef39d855449e32d36474ac27971316090d462a982d1ad77d79a07e23fd34d41f1bd8971a4b0ac9a14e4c14ad597aa11278e0ac079 |
C:\Users\Admin\AppData\Local\Temp\yoMQ.exe
| MD5 | bad7e15103fd1645e1c562220b101912 |
| SHA1 | fd700c6c116af76a4931eddba3f30b60d61d308a |
| SHA256 | 4be2c364bce174d50a1258ac02a45eba9c5f6e25fd4685640700b648b343c1f4 |
| SHA512 | 7b7bae72bf199d1040153da10247f53a5f646f2fb881e4594f0243d0dd98c0d36a0caeb0eca589b49f0f982dcd474b9d9433110d5f318888ef57bb0c842ec7dd |
C:\Users\Admin\AppData\Local\Temp\Csks.exe
| MD5 | 9eb5bed7964ff549edaf8cbd73600a20 |
| SHA1 | e2b4bf315f6c9d9024ed5b3a5339ec96581ca450 |
| SHA256 | 9a161fba8b1f5502c1c1757f8f429e2b8af29272303c0dab31f9d2cf6b678b81 |
| SHA512 | 83dde93ac234a8d9f99dc862f2c9e5cb8408cfc07305701861ba682794e3553b2b2e8e0d0af9903e2fbb1620ef1b1510b9d5566c4f020041d25d83435fc72f36 |
C:\Users\Admin\AppData\Local\Temp\uYsk.exe
| MD5 | bd4e13179f9ca33da0e595b0929909a1 |
| SHA1 | 386cb0b35e8b2a4eb3f3968d264def4ce8ed7f05 |
| SHA256 | 50e9bb4c140cd91c35261606d590902b8f37bcc6490cea87a0b9cb2b1e81ce57 |
| SHA512 | 6d2ed1e38623af7e3e7260022ff8a00e04fa27b7e0b548a52d564723b030da44c186be617febca863456abd9e9dc34e93ac834449ebba49695a83ae6baf4e70b |
C:\Users\Admin\AppData\Local\Temp\CAYs.exe
| MD5 | 94d1a28dad54f480f85bf36e445b116f |
| SHA1 | 8a82136ee010f32f3514d9b6275e2e5d0657f678 |
| SHA256 | cc1dc5fa0a30ee02f79961f7eed3ee23799edd15f895243302880ee69ced5faf |
| SHA512 | d6289e212e5757244156b994aae7280010e5f4c7b36ffad5a02dec8da7853fb35263c4fbd6cff500a43fa020e1bade3305128bd427bb50959d7259fd43a10ced |
C:\Users\Admin\AppData\Local\Temp\UoYQ.exe
| MD5 | 3d66597df6216a6a81f3f4b3e7f688c4 |
| SHA1 | 2ddb51eecf25632833550437f4b209d149fb0fa7 |
| SHA256 | 4df5ac1d1e86744840254c13c235e097907bc7dced6c07a9dbe4c05073aace32 |
| SHA512 | cd1c71eaae2e53c588357083e50f90e408e40bce8bd57defcdfa5e80a07a57d9339d01a2cb29079b770a41cdc0736cc407714f850c150673c6fdb23c16b4c65f |
C:\Users\Admin\AppData\Local\Temp\hckoUAks.bat
| MD5 | 07b39008813b2c31e20d2c5ce6963f7a |
| SHA1 | fed24a703dcc555603999e95ec728242f64dfd1c |
| SHA256 | 066fcc87838a37251790a962b4814ba1696956e212d3fd04cd6fae71c020b820 |
| SHA512 | 570a36898532ba65fbd24f6e682ee6d687c384f72ad188b92dcb6fde5fd95f2ff2b3279ac394e99492ab76dbaa66f884d775028d499f20d895ece23a6fb64787 |
C:\Users\Admin\AppData\Local\Temp\AUsQYQIE.bat
| MD5 | c17eae50d353839ad7d7e6181a6afb34 |
| SHA1 | d5efa51e3673522a6f89a891809b6722b6649935 |
| SHA256 | 128765cd1ca5ef652722d8a85e689bb99f94ed232913130cb913eaa702371149 |
| SHA512 | b4237ef9d434e863eb352e9cd9ff3a0c761d78f2af97265c242139aaf2f09c91bde46f7c1a14e8e5c7039015990263f1e796d07e2e6ceeda0fe12e53e6c43b91 |
C:\Users\Admin\AppData\Local\Temp\CaMocAgs.bat
| MD5 | 42ea1eaf9f07755e59364e4d598ddf4a |
| SHA1 | f59e608695ce12ad05dde856c0546e7f4f557127 |
| SHA256 | 8e23f966aec8bc15e147b869f725b28461d5071fdd8297386a7ce1634416e4bc |
| SHA512 | e10d44a4ee835987ca705258e9e6527eead204705acd6dcfa9c6beede842c38b8b644ca20ccaba6d66a342a925a3ef4617594ddd5d584576cb133f903c4bf7e2 |
C:\Users\Admin\AppData\Local\Temp\GOoQMkkk.bat
| MD5 | b6891b06c3c652690bc10e55f49b9728 |
| SHA1 | 09c9be10b6a46d59497d3f3d5364e59280c0cc1a |
| SHA256 | 617d655d2b4b001bd7bb19750c291ebfcd86b7b7783c040b60249eb708f9adad |
| SHA512 | a48096caf34032625c5a58910b5e262477f3051d808fd1a5cbb470ced06cfaba6a30fb42fd4ab6e52ac77f4967dd65d0edbf77ec470624cb86eaad07473e280e |
C:\Users\Admin\AppData\Local\Temp\migswkQI.bat
| MD5 | 14cace4dfd0079896ab89776c95a6ceb |
| SHA1 | 6b6f1d12acc2e20605dcffe95f369089855c4d13 |
| SHA256 | 9f9ddc40ba8ced669fb29b65b74631db9e21525f57ea0fdde1eb24dbae303f88 |
| SHA512 | 2b6c7c752bb5e3a15188419870da780d39b95e546f8c37706815c1febca7f4527a33eecfc0bfebc915793cd036fffa0b94f14597f5b67ab98d25c15c409d8bfe |
C:\Users\Admin\AppData\Local\Temp\RMkYIUYQ.bat
| MD5 | 7299818b037d147011548642733c3b2d |
| SHA1 | cb6af6fd99f1ba62653c2138fe562eec63b6adb3 |
| SHA256 | 4e7bf5571d03146977b55b5cd2a7334693cbb2e5339ab17a3286470aaf9a19ea |
| SHA512 | 393c88938796605d75af8cfe436dfd428ca7c68385cc82abe0de6fd10e40bb3d7cf246559426e2182e40a1c8fade497e952f3e54b215c62fc2dbff02fb56d76c |
C:\Users\Admin\AppData\Local\Temp\xusccokY.bat
| MD5 | 9fd2471a23c461a082cb1225f84fb319 |
| SHA1 | 5351ae10e2b40cdaf5a483e70d7684bb72c76e8c |
| SHA256 | 2b4234c7e964eefba108daaa30e1ff9d63c0ff5934e212dd24cdd8a7312d1501 |
| SHA512 | 0c281094b4f0522023ad88adf615178ed5acab151136d1ecfbbeb062c88eaeab62ea3ccc3f471f98d24168c7e2361f7b9094747fdf6e24088cdf63be65baf832 |
C:\Users\Admin\AppData\Local\Temp\BSgQgAok.bat
| MD5 | 1de3d34fce1919938c742785d13feec4 |
| SHA1 | 6f3c7eceff1a0d8105f05e4424c3079f340c4d9a |
| SHA256 | 4fa5b5c06aa7830fbdaa9b5dfeec26e026d21d61a047c6484657746d88f7202f |
| SHA512 | 15f54f86cc1f2a9a69de2ac3cce6d4048ddf3d2494cf14047c996fab946c4f5d613eed19561e57bb558bf59e71c4f54fdecd2b7867efcd678b236eb9977d7499 |
C:\Users\Admin\AppData\Local\Temp\foYYMYYg.bat
| MD5 | 032f41a26effd0397c32f29b6bf5c510 |
| SHA1 | 8e7938c9ed3f0f5c0067538b8427b20ed5103ccc |
| SHA256 | d14d1a4de1aa1dcf0072017943fbb9add27c45a6691f9590adc917ff418c9619 |
| SHA512 | 976bbabe6e28e368f1a22008009c96cec6c0c623dce030653a75699cb03592411440fb12dfad994e8414bc80230b8a17c8504b9e08043539bebb1bb97ee39bc0 |
C:\Users\Admin\AppData\Local\Temp\oQYcEIow.bat
| MD5 | 27e155c0700ab6152ddb2632f590b447 |
| SHA1 | 721c0f69765f8a8869d26ce2e7a0d19daa18b75f |
| SHA256 | 3762cb1cd1f8323cc36bf2c646c4c96f30e73b81820d42c068763c2c9ebbb351 |
| SHA512 | e5e62c93ddf98154ed448649765bbf8b3168e3d7aeacbbfa71e339928a0b54b6bb5ab187c03d8c6a20d7dc6134fedab2ebc908e067abf48ac2eb6507ed258c1a |
C:\Users\Admin\AppData\Local\Temp\kkYMAwEg.bat
| MD5 | 19fddb332f487f0d76d0295fe375f825 |
| SHA1 | 21a98d944dc99f3cc319538be09315857883b420 |
| SHA256 | 679a45d72fe17ef29de2e51c04be2e20de1cf8cd5fecb22100d30d0011e8cf4d |
| SHA512 | fefaea355796749f043ad8d2e7d2d931463426f624f11ae463b49c0ac6805068f350c3c1cb6f2fe4f63ddeb734bde8c7d17c02b56cc9457ab6a10918c5158fff |
C:\Users\Admin\AppData\Local\Temp\uYEocEQo.bat
| MD5 | 41c0966c7c3b2fd64ea1fda0172e6566 |
| SHA1 | 07882903ec2cdb221578012e040b726d0ffe293d |
| SHA256 | 41469075af9640b45b54aef5b791a9968fb7049ea579e67290584c19cfb4ecfb |
| SHA512 | f7e81f139c5ef09888e5e8512a93c152fea0d9e2fc07c18ff3c3c05c82f6e4f3caa2e51cf9a7c09295708b183ec344778baa9d9a989628ee9ecafff2dee92bc9 |
C:\Users\Admin\AppData\Local\Temp\EuAsckoQ.bat
| MD5 | e0fdbd543e05e799a1b6b17279720c92 |
| SHA1 | 47aee3715686638b83c78f73aa1ec7f914a94971 |
| SHA256 | e72494aa44f2bbd93ed0cf3793eba23147f9ad3ec22043e99b952d209f3f4be3 |
| SHA512 | 76a2114835ba57b6cef4b2ce475baf42631619ef10d6df68a8c4e0a33f53870799ad245ef5f39aa893a4ab7adec94d7709d49e9e7806628cdcb121cd7c02cf4b |
C:\Users\Admin\AppData\Local\Temp\RacQgwco.bat
| MD5 | b9be55056a8ceedf42a6815a1889fa7b |
| SHA1 | 7c9fe972dc48c91c30f10e85eaddd3e2385ee97f |
| SHA256 | ffff5cfd3b8e4a7b16b375196886f05d56d09606a9cef4126e1df730b5612269 |
| SHA512 | 6b1d94429a8885462af80504d576d43c5c8884f49d814744f7e7f543381185856066bd8be79e43444e460a88b6b45339686c8f97ccaac487a3de0832170b1ddd |
C:\Users\Admin\AppData\Local\Temp\rMwsQgUE.bat
| MD5 | 8c3ecbc7a24449654cbe9f7fe96d35b5 |
| SHA1 | a931d949bbe98bb43f9fbfdf38567a24904a9419 |
| SHA256 | 82478e674c2e7fefd535fd32850c5cc9c41a254a4bbfe45ffcc9c4f1eafd77d2 |
| SHA512 | 51ede6c4a4f6f8d9e56def8e0775c32eb032e3029928d2a058e74a4db128fce3c34dc6f238bb56c22877df88d187f6f46341ee1ffa3aa0a5712f0dc316a0a281 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-14 14:29
Reported
2024-11-14 14:32
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
144s
Command Line
Signatures
Modifies visibility of file extensions in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
Renames multiple (82) files with added filename extension
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\WYUgMAkg\TyAggkgg.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\WYUgMAkg\TyAggkgg.exe | N/A |
| N/A | N/A | C:\ProgramData\jokkEcko\ROEMUsck.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ROEMUsck.exe = "C:\\ProgramData\\jokkEcko\\ROEMUsck.exe" | C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TyAggkgg.exe = "C:\\Users\\Admin\\WYUgMAkg\\TyAggkgg.exe" | C:\Users\Admin\WYUgMAkg\TyAggkgg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ROEMUsck.exe = "C:\\ProgramData\\jokkEcko\\ROEMUsck.exe" | C:\ProgramData\jokkEcko\ROEMUsck.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lIowYkQg.exe = "C:\\Users\\Admin\\mqMgcAEg\\lIowYkQg.exe" | C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\YicMUgIM.exe = "C:\\ProgramData\\ViUYUEwU\\YicMUgIM.exe" | C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TyAggkgg.exe = "C:\\Users\\Admin\\WYUgMAkg\\TyAggkgg.exe" | C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\shell32.dll.exe | C:\Users\Admin\WYUgMAkg\TyAggkgg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\shell32.dll.exe | C:\Users\Admin\WYUgMAkg\TyAggkgg.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\mqMgcAEg\lIowYkQg.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\ProgramData\ViUYUEwU\YicMUgIM.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\WYUgMAkg\TyAggkgg.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe"
C:\Users\Admin\WYUgMAkg\TyAggkgg.exe
"C:\Users\Admin\WYUgMAkg\TyAggkgg.exe"
C:\ProgramData\jokkEcko\ROEMUsck.exe
"C:\ProgramData\jokkEcko\ROEMUsck.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tYsoIYMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jEowMgok.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OCgAAsQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\msgUgwEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eyksEkAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KgAEAgIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HsIAogUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pSkkoMcs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vokIggsg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\USgogQgg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kyoEAoMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aOIoYAgE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mAQIQEwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NIsYgIII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HeIMoMsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PQYMMIMU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MkgUkMsE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\icAUEAMk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EyYwUkMs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\imgcAgQs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dGsEAEoQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VcUQccwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HGoQwwgw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wQMssQAc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uUMEQUYY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CssAoUEs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QuIAYEoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\esYAMAkg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\feEwIgUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JqQQIgck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XCEsIsEw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kMkwQkog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wMUsswYU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eMAMcYsE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\mqMgcAEg\lIowYkQg.exe
"C:\Users\Admin\mqMgcAEg\lIowYkQg.exe"
C:\ProgramData\ViUYUEwU\YicMUgIM.exe
"C:\ProgramData\ViUYUEwU\YicMUgIM.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1632 -ip 1632
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uuoIYMAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4084 -ip 4084
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4084 -s 224
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1632 -s 224
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jeQMcYAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nQoEAYsk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DUAYMsMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\koMogkUg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iiAMgsEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UIoIgUcE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UMcwYIck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BGcgAMsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vwEIEQQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bAsggYgs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jCMgEkIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IWgIggcU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UYQgEAAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MmQcEwsY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wUkUUQYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PYQwAYUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VAgMIoQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DWMoAkoU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xqIIkAEQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YGsIIAsM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SccYcwEE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GKwQQgIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cIEggsks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
Network
| Country | Destination | Domain | Proto |
| BO | 200.87.164.69:9999 | tcp | |
| BO | 200.87.164.69:9999 | tcp | |
| US | 8.8.8.8:53 | google.com | udp |
| GB | 142.250.187.238:80 | google.com | tcp |
| GB | 142.250.187.238:80 | google.com | tcp |
| US | 8.8.8.8:53 | 238.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| BO | 200.119.204.12:9999 | tcp | |
| BO | 200.119.204.12:9999 | tcp | |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| BO | 190.186.45.170:9999 | tcp | |
| BO | 190.186.45.170:9999 | tcp | |
| US | 8.8.8.8:53 | 133.130.81.91.in-addr.arpa | udp |
Files
memory/2740-0-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/3048-7-0x0000000000400000-0x000000000041D000-memory.dmp
C:\Users\Admin\WYUgMAkg\TyAggkgg.exe
| MD5 | 020b7e28aaa5603f884499647d89b275 |
| SHA1 | 87d2df60ca64507ea212a1a0728722dbb4170538 |
| SHA256 | 2241e36607243927742bffb7e6f75c9b48fbce0f637cc355989ec59c67e63779 |
| SHA512 | a4d9e7fffc8769c00da78b01a7b488b325d2d01e7b82868a5af5e4d17a479d36c0284615b52686569a9f2851266bbd19cb6f5715172b2633bef8f1de9248f922 |
C:\ProgramData\jokkEcko\ROEMUsck.exe
| MD5 | fc8e880fe808a7e54a8b768a0042de99 |
| SHA1 | 8f39a38db9a7042ddbe982bb27d3b3cf1979928c |
| SHA256 | f2802e56bc99d30c77d4d550c5c2863edcd8903ccdd6dacc64cbed92cd51c29d |
| SHA512 | 07aeb3296ea028aedbca9104e81d4d5cf46070cdaecdc16d714689e0d7b1b0bb48f38d8114841aae49cdde7b4dca2270899a5cf4e88ddbe4903afca021898fd2 |
memory/3524-14-0x0000000000400000-0x000000000041D000-memory.dmp
memory/2740-19-0x0000000000400000-0x00000000004A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tYsoIYMo.bat
| MD5 | bae1095f340720d965898063fede1273 |
| SHA1 | 455d8a81818a7e82b1490c949b32fa7ff98d5210 |
| SHA256 | ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a |
| SHA512 | 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024 |
C:\Users\Admin\AppData\Local\Temp\file.vbs
| MD5 | 4afb5c4527091738faf9cd4addf9d34e |
| SHA1 | 170ba9d866894c1b109b62649b1893eb90350459 |
| SHA256 | 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc |
| SHA512 | 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5 |
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock
| MD5 | 8969288f4245120e7c3870287cce0ff3 |
| SHA1 | 1b4605b0e20ceccf91aa278d10e81fad64e24e27 |
| SHA256 | ff86372ce43519d675b8d8d29c98e9ccbe905d400ba057c8544fa001fa4d8e73 |
| SHA512 | 9bdd0c215a9be94f6f677f8ad952fcb5abe876b59a1a2f537c7d9f7668abf4ee47c85acd9e4873c0b474eb98d7b211c08fd8f86b9f695d88d62c9695d88de90a |
memory/4740-30-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/932-41-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/4184-52-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/1228-63-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/2632-73-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/1664-75-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/1664-86-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/2144-97-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/4184-98-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/4184-109-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/4472-120-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/4616-121-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/4616-132-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/2924-143-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/2864-154-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/2732-165-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/4176-176-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/4468-177-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/4468-188-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/4756-199-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/428-207-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/2840-211-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/428-222-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/3624-233-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/608-244-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/3060-252-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/3632-260-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/4576-268-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/4952-276-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/5028-284-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/1392-292-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/4428-300-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/3632-301-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/4428-309-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/2984-317-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/4516-325-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/3036-326-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/3036-334-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/2380-342-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/1364-350-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/4084-352-0x0000000000400000-0x000000000041D000-memory.dmp
memory/1632-353-0x0000000000400000-0x000000000041D000-memory.dmp
memory/2308-354-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/4392-362-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/4084-367-0x0000000000400000-0x000000000041D000-memory.dmp
memory/3580-371-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/1664-379-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/1164-387-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/3380-392-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/4264-396-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/3380-404-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/912-405-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/912-413-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/4836-421-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/3664-429-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/3580-434-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/1404-438-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/3580-446-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/3520-454-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/3096-462-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/1284-463-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/1284-471-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/4872-479-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/4120-487-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/3632-495-0x0000000000400000-0x00000000004A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\koEO.exe
| MD5 | e744ccb5d89708955314a82115732ba9 |
| SHA1 | 7d8cc0254b57f33f4542d056cbad6bd004ec42dc |
| SHA256 | 6433fecb0c91d17a5131b3b9e8020c59b018755acfab7db14ee423502d05a7bc |
| SHA512 | 167cc5e9d9020efe3d65e377ef3e22922b0fab216742d864cec34f49158516d6ebb2f37c6ebb41505435e62e2fb732ecfcf9d853595f807487da92f2253f0eb1 |
memory/1764-519-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/4764-515-0x0000000000400000-0x00000000004A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\KEoy.exe
| MD5 | c15f4fa742528df97bd4a76ee869500a |
| SHA1 | b713e6b996cca6ed3430304006d167fabf57450c |
| SHA256 | e6b84e3fe49d7877224c59f3355d95ef5a30efe6b9d7f4861b950522c38a7408 |
| SHA512 | 25c9be5674c1ad9f411fd40509c29e36c5ab328c43f2c7a2b9191b6642f18397b802983ba3ee3d29d539b5ab166bb2bc07a07aff053e319c93dcf0a13d552ed0 |
memory/4764-541-0x0000000000400000-0x00000000004A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\mMss.exe
| MD5 | 56f0accce0a7479c302f995281ab58d9 |
| SHA1 | 1276de3c3c31e0dacfb307f995141be32b6b3b1b |
| SHA256 | a7609552276e02a76960e3791128a2dcffe87dfb66fc8cd2ea9c97f7d812b5b3 |
| SHA512 | f6444b3b01c0a8d6c2ba9e6419ecf75ca85e3d9ec5074b1ad5d86706552c43276a6d4e28b352e47ca84c59f7de1cefda617147c39b14e3d4895784495414d275 |
C:\Users\Admin\AppData\Local\Temp\qQIq.ico
| MD5 | ee421bd295eb1a0d8c54f8586ccb18fa |
| SHA1 | bc06850f3112289fce374241f7e9aff0a70ecb2f |
| SHA256 | 57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563 |
| SHA512 | dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897 |
C:\Users\Admin\AppData\Local\Temp\gMsq.exe
| MD5 | 4d77c6f1b1f2e1c8998b016e5bfb2fb2 |
| SHA1 | b76d525968b5e5876ec1927235c1cddfc682da37 |
| SHA256 | 76c9a141868454ac9dff74666654f110798bdd25dca48478d16d5bb454a9e838 |
| SHA512 | cafaf4cacc43c700fa3abcb5792b676370e5e31b18213b8a3d56440732bb7157227a5cfd0d99524a78a74f197591dc8e5c5841a629fd07719c7baa96de0347af |
C:\Users\Admin\AppData\Local\Temp\CwAu.exe
| MD5 | 0ee2546c554bb836c2c12a5316226592 |
| SHA1 | b2deae607103f95f54860ef4538b510347323ccd |
| SHA256 | 9c217eb7577ac38bae17febd9326da4c422143b037befa578b6e98fa6f26316f |
| SHA512 | f30b110c95d6c81e10e901dcd7907633bd3d8d8aa7c39f7547ec9ac996841e8f18990eb5433ccc9685fb7bf25e098e33eba613cd23b076c554dcf731bf469e0d |
C:\Users\Admin\AppData\Local\Temp\aUMe.exe
| MD5 | 06039ea324913efb0f46876390f04554 |
| SHA1 | 302ff8dd19a24a668bc1587e6ec1b62ce64f6c2e |
| SHA256 | c375c75f5059a420781b5e2360adaed536ecbdf1414cc1c6f2bcb1c13805213b |
| SHA512 | 227c8ec1127a0cb13177ea71d727bd8d42a09efb41492ff05fca2816c68fb72e70212255b32ffaa6474483d9fa38f919fb4461511368be94babda762e0d2f37c |
memory/716-606-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/1560-602-0x0000000000400000-0x00000000004A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\agUc.exe
| MD5 | 778e903ceb260f80cc13fc1e34daf76d |
| SHA1 | 371227e8aa3e67d65c29a94dfbffc8c54664cf15 |
| SHA256 | ab4ce68371674fff13a5fdd15509630cdc865ecacd653cc508e5f0523970c728 |
| SHA512 | 51b9150de03f47dfcdee8e8e28f399f8c804da38409242c3202336382ca5579bf3884086dc1e82c15e776d06b40125d23c5afb54c8979e010bb664bcc3537bc5 |
C:\Users\Admin\AppData\Local\Temp\yAUi.exe
| MD5 | f6a7c68d50d529f07af8e5d04e36b943 |
| SHA1 | de1665ff8b5c8ccfffdd0e31987aaa4811d8fe26 |
| SHA256 | 31e5f1d0e21deb41e9f558d8fb03d9df197452360f94ac3759fabd7b3c24c008 |
| SHA512 | ebd4d40edf183bb025e9f2990c6d5e76653cf684cc6130db5953a7dbeceab575b2f250f5b6942d5f861947f77f7324ef62b36bf33fc9a03f8ec1037f69bd9283 |
C:\Users\Admin\AppData\Local\Temp\ucIc.exe
| MD5 | fbeed85ba4d9fe3aecae688ff02a0367 |
| SHA1 | ca4562fa6eb974c0362a677f31768dbf41072572 |
| SHA256 | 4b4f4ade103b2e89fd46e5953ba6ab2547720bdfb296a35dbd42328f5129cc8f |
| SHA512 | b690145218cbb367ebcf16d174561ba1aaefa69d725d4d9f7fffdd7a4b2f46d20e31ce6c30ff9b081eafffcd66f8bdb126dc335ee93f730d2b33087f5134d7d8 |
memory/1560-656-0x0000000000400000-0x00000000004A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\oUUo.exe
| MD5 | 0d3ea61c4bda86a8490b85872d5bacdf |
| SHA1 | 13bcfdab05838f3a812206bc42faac577da0a580 |
| SHA256 | e3fc4765080d423d7e91261b467f6762360d174bfaa8c41a257cb2e366a701a1 |
| SHA512 | c78d3e8d6e726d14a904f53fdf36eddb64af7c966b2261ad3cfeaad35dba6a34fd17aca3b61364cd9b7ec03026e80dc9de7668a789041e4edc344f9f51633df8 |
memory/4432-672-0x0000000000400000-0x00000000004A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ucoQ.exe
| MD5 | 91b08c31018a085fed4979adbd665ab9 |
| SHA1 | 3f24e06308c28bc5ca1a91f5cf3fa587d35a0065 |
| SHA256 | c03110c91544855b6ac9994dd4d93690195d2d2c106c9935d586f4fc4a67f6ab |
| SHA512 | e27e7bbb197ec9803960fa808ac03478a4388b53feefb515283b16b45061df06b5de24430e1233ab933a1cc6f4a63fedc686d139945959e90a1b517fd5d501ca |
C:\Users\Admin\AppData\Local\Temp\KYUQ.exe
| MD5 | 53c5a7b65d258337602503f072ca8801 |
| SHA1 | 59ce7d428a5268e08220d5c9c07dbdaa9278d09e |
| SHA256 | b8391890cc7c5911f82cd0f13322ecccc6a07e82174b8a6f08107a4e16197659 |
| SHA512 | 31bc748b988f3c3e1b6d2ee81ca5a6efd3b4e08446b894af15e08161c3d87f6e20ddc54a987876dbd7789f5a6a311b3e9e73e90221083ab248ce396c73dac465 |
C:\Users\Admin\AppData\Local\Temp\kAga.exe
| MD5 | 212d34abd6571f8456471b473b4f646e |
| SHA1 | 9520d4fefc6c6ff11b959b37ffe794df79901e8a |
| SHA256 | d5f7a3ed313d91c48835af1e8f43155353320bf328a08a92d08d4a8822ab9bde |
| SHA512 | e22f048fcbdf3fde5e5b91ca524509dca4346f67a37a0e105c1a25092ed6451660fe8024de3fc8982b6573cbb12e4b78392542fedb6cbc69c073cfc7cfa47f86 |
C:\ProgramData\Microsoft\User Account Pictures\user.bmp.exe
| MD5 | d7a494127605d6530e3596ff7c1eef6a |
| SHA1 | 1cca25f991951e51b111694ba91ce27f67a639b8 |
| SHA256 | 66da558a52f06d1dceafd42931509335cfe3514e23129f7cb6ec38dcffc38214 |
| SHA512 | 8b2ccff7fd56aa11369aceeec73cac6b51cbd350b7953e13cf7b6b1466189d016b5e284f8297fd6eb4313b1b37e98c090c9f4e17cd28132cc882035a30bc85ac |
C:\Users\Admin\AppData\Local\Temp\SMsq.exe
| MD5 | 077beafa9ebbf98ce73d4dee33b24688 |
| SHA1 | 1acb95466030a7f91ccfddbd247a0f25c6dc09eb |
| SHA256 | 2731dc5820a7c9ad866bdb76511f8dfb48ac7884ae02a8bda0f0a918aea6d8be |
| SHA512 | 78c0e9f1fddaa5a5de3a2445d5de80651afaed704f6a7107b0d738a80e3cb6c3793663cb69a184b72faa0b0bd2400fe7dc4fdc6cf0a297311160659e54743249 |
memory/4432-750-0x0000000000400000-0x00000000004A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\SooU.exe
| MD5 | 5821ed939c8530f303550d2f19941529 |
| SHA1 | ca738951b17e087fe735095c0427baa4ad8b3c3c |
| SHA256 | cb78bdacccc63b8fa3450203f629b2897a2a5f7671ebec5f2cf504b40b992897 |
| SHA512 | c620d28de38f5fadc5173753a3f9f2e1b0842e52ca42d1a1f111ff3cfed04373e45a1f0993063905692570ba378f7eb34f4aa873f5aa7ebeb2ddff8f90704b82 |
C:\Users\Admin\AppData\Local\Temp\cAEU.ico
| MD5 | ac4b56cc5c5e71c3bb226181418fd891 |
| SHA1 | e62149df7a7d31a7777cae68822e4d0eaba2199d |
| SHA256 | 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3 |
| SHA512 | a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998 |
C:\Users\Admin\AppData\Local\Temp\YQUq.exe
| MD5 | 91a1aa1f477a33c85ef9f4884aa4d923 |
| SHA1 | 1199e5747b289f92868f1fed9736953d78f8dbb0 |
| SHA256 | f928aac51c64e8ec4838414a8220250b1e51f50e57d67e9fa927e6999563fad0 |
| SHA512 | fdba352e5af041751ef830a5681a6e78f7f9f6be527cf6f4c9eef5320aff51672274e3bd82ace45f5b3a5b59c567aa57d6093145c0bc788e23ec9320a9973a19 |
C:\Users\Admin\AppData\Local\Temp\ogwW.exe
| MD5 | 7ef6211ed02bf83c3252d500c6352a6d |
| SHA1 | 7a28f118f4360115b5b39e6100885b7f06d55618 |
| SHA256 | c39f5862370d8df57dcdaa2938c27c2440d319ddf03e2aa33ecd06b51f799c60 |
| SHA512 | cea823778247143a257f869d1fe8d6b828c3e9781758e6d3a30353694fb0fde1477bfc06f4fd8482f5391f9e39d8755fa6be769910a05bb311c5485c6a753415 |
C:\Users\Admin\AppData\Local\Temp\issw.exe
| MD5 | 09719b7148bbcb095250afa3578e2880 |
| SHA1 | 5c99f43f0a00ef72e85c657f96ab1c7124b7d61d |
| SHA256 | 702c611bdc1205dd4e93243acc041b3e05b22471e70971044d348029d9631b5c |
| SHA512 | 6a3a3746f1d8ff21787189d111827b78099187b370138e6707a8d31f365b292a268d298802388e4c2455f311606d4878d25f98dd7aaaebdf735184e60a00658d |
memory/888-814-0x0000000000400000-0x00000000004A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\QkMe.exe
| MD5 | 29e36c191210b789752983e02b87e7fa |
| SHA1 | 43fbe2cfdac76cc247b55364870fbc4fc777cbb4 |
| SHA256 | d0dcb0e311cded4b6d335712fa6cb549e6cf2805cc37429f102d1c8a68007c18 |
| SHA512 | f7f934e3e646be1c29c6b8a8b0ec22d46e8ae80ccd642fbf3fe0b43e37f1742de8ae2f494d9d489ca7eeaec66c6ea552d196a105160fd708f208f21b64763066 |
C:\Users\Admin\AppData\Local\Temp\yYca.exe
| MD5 | c1c57003ac1e8b845c94443374dc16fe |
| SHA1 | f10b00d339bdf49bd793a390c93de7c984b7d715 |
| SHA256 | 8df88b617dfaba6033f1181cdf6fa63f2bd77072717d5fa6b8c23cc0c882ea60 |
| SHA512 | 8535f7c7769ddf4cb81aef5981dbea3de0f90e5a263bb850f2a47c1fd2b358c706ac09d83ecc1c28a8a4f38d8a3b107b3e20cab5065fc136b54ea3c1551672cf |
C:\Users\Admin\AppData\Local\Temp\qwss.exe
| MD5 | 164aacef4a2d9be84b255deda7c15fb7 |
| SHA1 | a45f6aea1bf7797e7ba76a727700a166e68ceb58 |
| SHA256 | f7ef2400d182e1900905ecf94735e460a88dabc24227926576fbd877c68de59f |
| SHA512 | e4a29d39e292ed247180f9357855624274f7d7c6a8e2a43e3b2b7df28c76b9c6139567e9f1956f1529e5f308cca0ea310ca5c304b2cf90a073cfdeb501d6fe9f |
C:\Users\Admin\AppData\Local\Temp\OoUe.exe
| MD5 | f9de03fcfe7b188db692a27a8ce6d1cd |
| SHA1 | c22e530e81fcd3c23933b892797b5bf548761126 |
| SHA256 | f7950eb8201f195b3709885ee346951634d454c3e0956540d1dc89bd618d922a |
| SHA512 | d92145db10ee7c986fbe07e0a3a631c0d478330582b3b36760da52760c984ac985b6cad0ef6e86b7320b3fcecbb060f8f9e43b23c6e3b034e477684cad79005a |
C:\Users\Admin\AppData\Local\Temp\oQsS.exe
| MD5 | 369268d2c48a8b6633ba76ed8822dc42 |
| SHA1 | d16c2f366a32035f3fdb13be1149f70d8270bbe8 |
| SHA256 | 63bc49afbbc6c76848cc09eeeb90ec6708e97b3e76f67bdb66f8474d5c92ddb1 |
| SHA512 | 8f5c1688f77ebca3d693cfbfc821f7e75a6a8120372bac2a705833f7056361bbe8cb849ed1f99df1ef7b494b8ff64de0f1f6a7cf71ab9f515e3adc9eccff05a5 |
C:\Users\Admin\AppData\Local\Temp\QoIg.exe
| MD5 | 8324a86ed4099c6ad8ea8af5210fdaac |
| SHA1 | 3a5c31534e4ec1b97d383bb17d2df11fbf82f57c |
| SHA256 | 5a9a0da6f5d1bf573adbf239893018b26dd4807fbfe0a4190e482c079e7fb581 |
| SHA512 | b616b1b896d10053d408b1b6dfa861184ef8f20a6f489d1adda7fa34520e33b351481f4b8102bb597786b843e93b0bd9a2ef593f50e5041c6f43674435a7eb51 |
C:\Users\Admin\AppData\Local\Temp\SIga.exe
| MD5 | 40917b3fa82c8e9456f61f986c581726 |
| SHA1 | 84baad9ad75588dfadf0203fa3b5bf44be6d4ac1 |
| SHA256 | ff581e16ba91dc990d058fc37285fc12b589ba1c8b5dddfefb6c9f909bb3e126 |
| SHA512 | d74c483cc77ff744b4c1844c5538fd00025b1dcdb8bdf4ca8704d9efd33785e6d86781e26e7f6919e4c8d13be7335500348163df92e763ac91d892d0a2a27012 |
C:\Users\Admin\AppData\Local\Temp\CEgy.exe
| MD5 | fa92c5b4b0634b75d45d792181fdeb3a |
| SHA1 | db12922df83e9f95905cd925ce71500b90ce9915 |
| SHA256 | 25319978a5c99f769dd02c4f0f98467a69c566c7c41405faafe3759be014d924 |
| SHA512 | 8bb03acc78a39b8df142c83762e6e8c1b7e05e3d3b54abe18738555d109468735539612d1e1e9218d90f8882d50e13002dc47a7defbcedad41fa298fdcc19692 |
C:\Users\Admin\AppData\Local\Temp\GgsK.exe
| MD5 | b2808b343df6357368cb213082ba0232 |
| SHA1 | 3d387176d481bebd3394c4cb40ce321655109ddd |
| SHA256 | 153a7a5d5735047a373c4a148ed4e9560eef592b4e37b4c42a63ad775e5fe21c |
| SHA512 | d736087d7ec21d7240fca7e001be298fe418bee37b066a5f1922937fac23dc83d96e8ce2e500e48aca4c281b27cff4402ea99af8d76025d6a1c1e0519cdcf6e2 |
C:\Users\Admin\AppData\Local\Temp\aYQK.exe
| MD5 | 59cbc7c4e4fc1b2d790d8357e3922e98 |
| SHA1 | 7d0b3a713232b6eee30dcb05dfcf39d97885059c |
| SHA256 | c22b8560dd0736f78253d610f23d5775752a70bd7522c6e8386c2faecb082c86 |
| SHA512 | 4b89804db5d981acf3f0ce3af247f05eecf2ce324fe288496d4f38b67a5b2520fc6d3d0b2f9180819eaad9d4eab5169bee0add94f0e4dc65a35223c50e0c138f |
C:\Users\Admin\AppData\Local\Temp\ccoo.exe
| MD5 | 81910edbf5c6f98c54bc6a7613d12ac0 |
| SHA1 | bc27b5be9dc53f4b2cbb785119445cc3d4a18dd5 |
| SHA256 | 7fa647215f126dcc4d0e70094e36146ad9a10525b1bbbd9857b75158e6dcced4 |
| SHA512 | 620e31d72a714163171acbc2dc40a50b5d2a0264bf5bba09f6f3933391e31e4ef06c6fdfac1dbe58901da6c321300fcf3742b9d10dd477f96761382364976b1a |
C:\Users\Admin\AppData\Local\Temp\CQMK.exe
| MD5 | e0b02b007d4b14200401a4a2667bbe0a |
| SHA1 | 4c501296ebd51d984f5ab81fe3c2f8cc004c1cc0 |
| SHA256 | 441f1eb7465f965ed144cbd1962c6e1c87551cd70e8f85f090b2679f4f31fdf5 |
| SHA512 | 2a06c4d7f18734720cdcf1b9758b5c56dfaf15826ddd80e10b33997096890d36010d0615550daf94e27e84715eea667e39caecbb358dd369aab8f8520eb80665 |
C:\Users\Admin\AppData\Local\Temp\UsUw.exe
| MD5 | e49146c112869250e2c7aee9e783fec3 |
| SHA1 | 8cd428fc60cf168945f98aab3e38e8149c525f81 |
| SHA256 | 7c30797e8905d7f84513454c1465bb04badf1661883e034a0cc48b89333138d1 |
| SHA512 | ebc9ebd398f7b44ba1d49cc1c11e61b8c5dcccef73b3f0b38099f7cf2bca6c1ea256d843e371322e7e0b1f377db6df5eb504a7e17b59a15f2ed86b6f3a754711 |
C:\Users\Admin\AppData\Local\Temp\eQwo.exe
| MD5 | 0de42fda6d86dccf24b1fa080a5513cc |
| SHA1 | 472170c3e5d96565c307f844bbced8c1983abb73 |
| SHA256 | 44feafdf55fd9d788619c129c0bc8bd81776b49bd71d042c5c39037b4bdc2c58 |
| SHA512 | 277483bc2f6e8ce1d0d716af830d55675cf238240bdc0ee25aea2feb7405608df10cae771ac2b1cc865ec2057c61378a2f41b8904e1be5c23223c26b307da7f2 |
C:\Users\Admin\AppData\Local\Temp\Agcg.exe
| MD5 | 640ac432b7948b500ac5bca5c119b163 |
| SHA1 | 821189fa8804f2663f05132e34e5e7e8ba55b6d3 |
| SHA256 | 90a3488a6c6d21118365d629815f7f9106d23adf0d91343e2898c4e9ce8811d1 |
| SHA512 | 56afd4f3d8d5663c24c4451fb872bad6793682f2665891d821af7eb6508c1d85d78f385173ea619b8e44700729e2341e1440cd4d3d1ccd8fafd7786053f73f39 |
C:\Users\Admin\AppData\Local\Temp\eUUU.exe
| MD5 | 807475649b79fc9da0a384b6b86646ca |
| SHA1 | 6b835c1b49c94380dd5fc3b4da03951415c1198e |
| SHA256 | 475366b3399b6b802e84ac17752cf064573540e1277caa97e815bf4add00d3dd |
| SHA512 | 315ef0b8cadd70aa95ac026177fd382afa0f73df10cd1e8d3f82cb05007288f59b1ff446790fc4ebcdf1d012c43b331077923dceede7b8b2488062d8a3fca77f |
C:\Users\Admin\AppData\Local\Temp\KgoE.exe
| MD5 | 8a6608007a81e3e47b065a3d21a73019 |
| SHA1 | 46e04d52854566e2aee1c56fe4bbc31c5931e6b6 |
| SHA256 | 532250337b5eb75423400a5e824758eee4d465d8495fbc89b79a68b91becb3ea |
| SHA512 | 723195998265700c6c8c25aa40d80cf38947cb18226372e48dbedcfe232edfc7db6b0c8231bd2bdcd1a03d52c9fc3d0606fd32fb7238c3e74b444ba860910629 |
C:\Users\Admin\AppData\Local\Temp\gwww.exe
| MD5 | 5123ff7fc4efe563f7a156120513d414 |
| SHA1 | fd0139c8c8c8e3b99401f10bb19303274916f1da |
| SHA256 | a0e352624f15a2a33f8a0b0e97941b9fa223ae6f4308933e85b15f5fa969a60a |
| SHA512 | a309a11d067a3d22afcdce35a087cb6c6dc0997e6e75dd38b63ddf51bd4802d9d1eec7cd0b4e4345fc0135d9fa9a91b5f369527004cff354f95934154d5e4985 |
C:\Users\Admin\AppData\Local\Temp\eEQM.exe
| MD5 | 1ff29ff3eb4ebc69ad7a705008f24fb1 |
| SHA1 | a88b87b47fe40e95bf5c2528b81b12505804f38e |
| SHA256 | 9d16f2b18305370eaf9726e1b1f4bc72fd19b2faa295df700e0e016459b12204 |
| SHA512 | b56887e53dad484438b479868da41e8049a8ddbfc64c6347c1d6b86b361de5362d5a5af938a82aedbae40368ef3d3e89c7255ec17766ff339cf7541b3928f937 |
C:\Users\Admin\AppData\Local\Temp\cgYQ.exe
| MD5 | 3908ccdd798cfc3124da2a77e19f931a |
| SHA1 | 763c223fd7318380f43009f20a13686c209ddd1a |
| SHA256 | f8c75cdc7501c7c9bfac3433aff183670f363a0703ce74ab861ef1faecce20d3 |
| SHA512 | 54fb7066e1060d68a073a52139aa5d823aecd35f553dfa15fae0dfa5ef98bb6aa917cb50625ccee369c6e65c52ecd23a258adc8659fef3fe2d525f441f81f224 |
C:\Users\Admin\AppData\Local\Temp\wMQc.exe
| MD5 | 6ee7683fb27160ec69eb2fe85db4f9c2 |
| SHA1 | d46172e943d60a402266e815b21788b871ac3005 |
| SHA256 | 461992507c093b7f2f27f1fa836b8150a077c17c90de3abf59c17200050f887a |
| SHA512 | 1f6cf5822f85eea0e5d898950a4290e5801c57965bc197e29fe6cc1d49e59784b14f840ee1cdbd85b7303bc87a4e36589b686195cc595e16bbbd14bbfeef26b5 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaCritical.png.exe
| MD5 | affb493d4224be051ec87d5440764cf9 |
| SHA1 | 298017e8aebbccd8b76bd01049450f06ebd02f04 |
| SHA256 | 6031ecc413e06b110358b01a488b7142bcb5cfc5ca37fa45f7bb4ffae3f0d515 |
| SHA512 | 739709fc4ffbb36adf48c67fe6533c984e6e8c0d88faf3fe44fd342c5ad443ed976bce0d3210b8eb7fef4f10e540363eb2c674aa64cfae621051807fc6d786b7 |
C:\Users\Admin\AppData\Local\Temp\gQcw.exe
| MD5 | 0ebac7cd0af21f8677370b8433257811 |
| SHA1 | da65be7522f3f3da10ba39f5a53431a4d01f5511 |
| SHA256 | c2306680b7182e90b3579e85217696accc5d9f3a71f655dcf75abc9613dcb189 |
| SHA512 | 8851939ce6ef753da89e446ef6f04dae6b731b583a903cbf9c3408ca81b628d8c38148cf1c55b1fa76fd90686d6d6fece683b45c20334c6ab73f90ba9545d879 |
C:\Users\Admin\AppData\Local\Temp\UMoy.exe
| MD5 | f60b8af931c693e50fb2a6bbf8ccb7e9 |
| SHA1 | 4a5feaf1e3265a4ceae8f577d3254ac154fe9264 |
| SHA256 | c9b72ddb33fddd4636652b04fff923101d6e172f492c546b04f48a4f31f6f29b |
| SHA512 | 6076ef25c5525aff5c4201db661adc83c4a01a52b23bbacea67bdf62373232cb345b1ba8c35af78a52b543c24fd9a35933da9e7a00ec5a7a6918570187bcf16c |
C:\Users\Admin\AppData\Local\Temp\oYEU.exe
| MD5 | 40cbe00f542e7c00d0cd2a33bd61876b |
| SHA1 | 4c8e7e3d257708a70d33edc145b585c6d7e1d79b |
| SHA256 | b20d66f78480b4517c45aeea83a7a826a89bb9425acd3ea9b6120f1ff5e3d06c |
| SHA512 | 9f9c78cdb676ca2035946b81dc8c674080b8abff2e0da9ab5bc39172392e8d77264ee3fc1ff3989fb84acf10236050386997c6b501afb191e38cc8601ca151a3 |
C:\Users\Admin\AppData\Local\Temp\Scke.exe
| MD5 | 6598d39144870dcc088da21051ccc0fb |
| SHA1 | b8aba4621658bfe0dfa2b1b1faf5dc68fac39f18 |
| SHA256 | ec3e0db47ba7bb8891cb35c7cee32a29b6315d0fe59c55e935e1874df1ac89b9 |
| SHA512 | 5f417e838a19716b22ee9d637c251768e2cfc108efe789ce00e8bcf35d247284c1e7e49c70780b892b995f1ca40b6a35db136c03be9b3993581de9aa274fe6ed |
C:\Users\Admin\AppData\Local\Temp\wUMQ.exe
| MD5 | 38eb80e92e8f50b2003f3d934c22cde3 |
| SHA1 | 6802800b28863efc41fd3bee86aab50819b1efcb |
| SHA256 | a4fd84dfb52b1f51f30cca070e81fd70835817e42be847a9c3cff095b539f7c4 |
| SHA512 | e74519f1ce5cafa742df38964bf4f413a309aea0fba1c7e243fbcadf81a4d8cd250be14cef924462ab130468c13851f55bfd64fd1c8eda807793967f3cf7126c |
C:\Users\Admin\AppData\Local\Temp\ksAC.exe
| MD5 | abf63fb03ed6f785dc83e07678a33624 |
| SHA1 | 251b967518ee451f889cb95a2b59806b32254d41 |
| SHA256 | 4c784e3fbba26d607f63284ff15d3d4349a0b36b6e9efaa1971d825ce7e806c6 |
| SHA512 | aaa91ec4315309d503ac778e510082a7ce569ca7919020dc9da87d2882cf51335e1a0187008ff024eab3b5dd8bc06fac9a9a74fcc777695868f09f5a669a3179 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-150.png.exe
| MD5 | 1a07d130fd5f8ef30ddcc130b04a8696 |
| SHA1 | 8dc48b53ee6002e6b2f994e0222baf85bcf501ae |
| SHA256 | 686712ed079cdb49cd86f742a7f9e2c6e417bda74024b259baa17376414324c6 |
| SHA512 | efade4375cc4f5f36096a9eff86b57eb001fe9d1bbea1e7fcdab99ee4f05560dd4f581366eb52300a43e30d8990ba5ac9669404270e90a5145e8f349ec65dc5c |
C:\Users\Admin\AppData\Local\Temp\KoIY.exe
| MD5 | 6c736238274eae08e0efed61a1b1e76d |
| SHA1 | f7730562ee09d7bf1869b6cf9204b389f9c98adb |
| SHA256 | 21d50b4a7efa05562a9f19dcf44eb6a1b59aa7644ed3dff484371ea35a3ff295 |
| SHA512 | 1fed4d25d13eba6171810e3a83fa4e7bd4bbcd5447d50df7d7ad9148a57941c3f98f48f19651d84db151f513a92152fbd88267adc2004b375a0351998a1320ae |
C:\Users\Admin\AppData\Local\Temp\IQUy.exe
| MD5 | 7f4ecd9adbf0e1d32502133febdb0d70 |
| SHA1 | c06a85a41cd92a39880f4e2b1c108d358ff981c3 |
| SHA256 | 9b7b0d9e5f9c7b81ddc024ec58833d230911c2d864067fe1b6d6b5bf95f1ddbf |
| SHA512 | dff4ffe7f01326744b43b55904601892b479f3beda705e9a1d8b5d46cd93fd8978201f1279afcb5a8d5a6ed4e6e4d80dc1603ce94ec03df00f6fd46935de7f61 |
C:\Users\Admin\AppData\Local\Temp\GEMM.exe
| MD5 | 1478a7d852fdfd88c3736feab93ae438 |
| SHA1 | adf3f42d8ba2ab3e8c91e89260191b35a95f8ffc |
| SHA256 | bacc59537b8ab67dd0a043a75c32bab2d263496903321d091577ad16652f544c |
| SHA512 | d88eef989699c0194bda1f98bfdade0932c016d99e68441df41217bf44df1b8bea5459df0eb31cca298a64c747ef7501b0a303b1180210e0c255a65d2061b55a |
C:\Users\Admin\AppData\Local\Temp\CEwC.exe
| MD5 | a726f0532f43f1bb3b2e7ec7bdad8507 |
| SHA1 | 6c95e481dc1d82ba765633cd91073835ac038007 |
| SHA256 | f4e711c8bd15f8f50bd27a1de9cb8d39b681804b48cc1c825ff3498e999f932d |
| SHA512 | 709e1de5f89760a8e15fbfaa82930215cdf08fd55cd9834a697566a364a2a6f06c98556a0141978dec0585dc93901bb5f9b46f59da4398bda8adc129239ff73f |
C:\Users\Admin\AppData\Local\Temp\qwck.exe
| MD5 | 9c0d8be291c19b27f5d20055c57b47e6 |
| SHA1 | 4d82d9786f7b5b69d1cf75b727c20ef77f0e98ed |
| SHA256 | c1b7efae1610154355dd1f0d51cc1bb246298efc9939ed207d45797b6595bb4f |
| SHA512 | 03910b69484e1f1bcb0066873c9559ccc2fc9f4f48c11a70bedc05b7e44f88fb4586076a8dfa835fa0ebd1bed83511f679a3318347d6767cee3c6496d4bdd357 |
C:\Users\Admin\AppData\Local\Temp\MUAs.exe
| MD5 | 36bec80ce16087131254fb9e1a96c934 |
| SHA1 | 87df6d62dfd1e96c64f42a5eedfe18a3b515c4c4 |
| SHA256 | 012e7977e8b4d431000b6cfcdc91f6a487798bf9cb15f1b3f918ce47e41321ef |
| SHA512 | 04b5a47c1b4265257eba0e2cde4d38c942fc20fc56a4f2cd0a889cc48f8d62a7d7f549de113dbc3403404153c08031fcf80e7b6867eaf35a158317ca5597347d |
C:\Users\Admin\AppData\Local\Temp\Qosc.exe
| MD5 | 5a60e132162c379cfe4d657b454fbbe2 |
| SHA1 | 792731cb5ca825f1547f7d7dc1d07b0a21e43b84 |
| SHA256 | eec6ea0c345d616aef0576821b0162e3fe74704f7e90e96adf8ddbd31c82dcfc |
| SHA512 | ad4430fc75b28e211adc9918e549a0e16c11c15044729038a94edd94951a8b791c912ac06ea852a845beab3394009b710775908456582b4fa9290fabd6114142 |
C:\Users\Admin\AppData\Local\Temp\WEMG.exe
| MD5 | cb7950b42ed1f922cdf00b7f3e32ce67 |
| SHA1 | 36e42c3b7949af727be75c37ede7e883ff4fda05 |
| SHA256 | 9d15ec3a9c07db90f8d349cfebad726f30ebee5bb6180b676a9ccda390426c9c |
| SHA512 | 083e058528c751cdc0f7f499b52b29751e0238ccf1e05e0a3d9e3f3d1a5a4acca7e577535810c622c09cfa952882fafc99db1f168d6ac3efe3a80819da7fbdab |
C:\Users\Admin\AppData\Local\Temp\IQEi.exe
| MD5 | 18018edc91d6358db49b3fcbce3a3833 |
| SHA1 | c8678cd3ad6cd4516a30e0db301e1507b4cbe001 |
| SHA256 | 73394c2beca735aed1a2a7e219e7a5d1fb9db671b586b324e887206057296240 |
| SHA512 | 52536af6fb1c51a4e3d54870707a3f45540a3992d79c3ef219ebdf5a64554eda5accbc1178f8ee8990e1c5ed939955a255b7625ff81f8bc15eae9e0cb002ccb1 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-150.png.exe
| MD5 | f310ae8b1e5fd0658bd7d67f38389b2c |
| SHA1 | 0176d201567d781c27a86b37c82a30c6c9ed651c |
| SHA256 | 86eb8d45083ee11a5db0c3efe63e0cb3e3db776d229cd5619c089e9d5638ffe2 |
| SHA512 | 36314a4cdf97cf512a2142f0ab884497d3b44b5c8df1cb1439d3122c64e6d3c929dc034c3c265b578ad1d6548e3db1b68e66d0b8787400698c0cd73f72093491 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-200.png.exe
| MD5 | 67a0e79d8b91412191bdb0804e7d81f4 |
| SHA1 | 5ac38caf0cd61148a81f922b3a52ec586cbeb4c1 |
| SHA256 | 9178d1685b850fb5c99ac1d8bcdc491e4bdb0db757ca2955e1b469059157bf83 |
| SHA512 | 037eef889e8c74ffa075d5d07d490c4d9d4f6b41e3ad05f9f6bfa1c4b5e16c90362620353360095ccf4d4792e78112ede5ca34dd4619d1c9986e9a1c7779b5b2 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-400.png.exe
| MD5 | 8d2fea5cdd8910f11175bec6a098ece6 |
| SHA1 | c6967f92036ee87f854532d35a948c6537ef74f3 |
| SHA256 | 5f7dbfdd4fab296157867d106346b90f20ee20827d53a57bbe6d3ed5c4d7f9c9 |
| SHA512 | 1caf169300fbdd8e137d5e85db36ccc3a0eb7d9b05f375558a9e1786747cf8beeeef3721b6a44cd6ff6e001d04f890bba7fb6a93166ca19dad88c47b6e116273 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-100.png.exe
| MD5 | 75315beb5d9679e954ec537ba7816c76 |
| SHA1 | aaf2a2874b6e01a7c756a31805f6078c16fe0d47 |
| SHA256 | 75fcaf6f0973b46d71675be03ca6057d1c387ad471c0fbbda75cfb1312163d9e |
| SHA512 | f5b5bbe5badb3beb734fa660030626df180f4ee3004bfebca7bc294adb928ba0b013c12f996cec420d5bddef1badffb385d28aab302f392dbcd8a7b844ee3877 |
C:\Users\Admin\AppData\Local\Temp\IcYO.exe
| MD5 | 59221d71dcd37a156f7ae841adbf967b |
| SHA1 | c6691d0340b79579c9560523014dc9d70d940a44 |
| SHA256 | 07f041a18cb337870470bfd9881826819a03c70a00d97599693382a7795eefe5 |
| SHA512 | 3bd1a0bd06241875e62a2661fadfc554f9ad05e6a9964563e433de6ce92ea8277fe9bb08d1db2f3f7a6fe7137a744ab4427b81b7a475ce5169b06dd9e2411afa |
C:\Users\Admin\AppData\Local\Temp\uoUG.exe
| MD5 | 17507416e0abcfa270bbc0545025b3b7 |
| SHA1 | 1008a36123a77d08f053d2e1b4f0027b0fdee86b |
| SHA256 | 61697eef0bae3a26424d98de4a50c7dd5fef5427264cfeb86a8c1447bbe3314e |
| SHA512 | fefc481305c8e05129c1014cba8c0e141c4beee46df70dddcfbd547c882302d147f785d3b28d184d4a4380d93ff202c771fa4cb19b6b45d5a5e8362cd4b7632f |
C:\Users\Admin\AppData\Local\Temp\MUQG.exe
| MD5 | 66b3084c7cd6e1a999fbd1cb98bb6a1e |
| SHA1 | 3bfc511b949fc05e6ad4d1c4b2d725f49422c023 |
| SHA256 | 010adc783da42410f695582321b817d15d2be52fc8f6bbd355b06dd156fc758e |
| SHA512 | ff8ec3235527d451116ebaef62f038e89b219a5ee35b1dadf2a301209ea20110b549c567ff7bde1ef74b7e16a6cd3a7cad3c781e22a6fd64f01bf1bbb040fd31 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-400.png.exe
| MD5 | 5b031ce485c6ef69d755e5fb57b689dc |
| SHA1 | dbd0de43deb40d4a4e29529825315cc15d4506f7 |
| SHA256 | b4d7e69b4511ac709a5f995e342786ef3adc59ede053b9371302488f7639c586 |
| SHA512 | 6e1a63aaf1e01f30f747324d300f73c564bf706e62fb6750e8b3693c6f9851dc88db6b6c22ff678dfb57b6754fa01abc64aa92bd0b96bc7d39c1645915de391b |
C:\Users\Admin\AppData\Local\Temp\uAga.exe
| MD5 | 890c1e9295e4489687e5da06a1c00d50 |
| SHA1 | 78f22e551e4d34e36505bb66cf79dd89b2e7984b |
| SHA256 | 33638644706aaa27de870c71e6a9cb999648c38572fcac468a788f6051c84076 |
| SHA512 | de756c9957d0877a6169584755edbf6577f4e510acb53b305d7c4ed38b90079c85aaeb7da2ab8a70fe2f87ad2b3f618db9d3959d5ea3b8bc1d20a02fba9c68f8 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-125.png.exe
| MD5 | 28b5640a24b20bd955ff09d1b2f20c05 |
| SHA1 | 515f5ad53a80de20c2d72ff1ff3924c5958653ea |
| SHA256 | 63f213c62514fcd30a4b17239b8b9210153aff59c4151622b3816a0d810988da |
| SHA512 | 64c5734e79e6d35d0f07175ea1dacb08b13f7cecdd95f78497f41b1574fb4a2f9538ae6e436c0d3548da4cc8a62e7bf0c03e76b341fc802214ece444eda285f7 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-150.png.exe
| MD5 | f63158ed5d62c81072019fce6a3dd624 |
| SHA1 | c47d19cc08dfe605ff24ddb4815081c41acf217e |
| SHA256 | ecd32024c1439f6006052e5338c14b281f12d062e115e7a1cccf80e92bb38e1f |
| SHA512 | 357e36ffa10103ab17e75195b13223fecdac5f33e2b60d3aff376f91504922a98cf97c71fdbfadb225b9b19fe1368653235cec086862b2ee62e5bf2dc2e992f1 |
C:\Users\Admin\AppData\Local\Temp\AUQW.exe
| MD5 | a9ec2817addeebf6075e89ec5e71de7d |
| SHA1 | f59a39d50b38616f41624da74c7fd3f507aa1700 |
| SHA256 | 427b92131eaf103bd388f0fb6191f3380b96258eddd4a0f5e3a6ef6bd3390507 |
| SHA512 | f03a142540d48926685324bfa8894ba9294ef4390c37937f4904603a287d7f71b4e9037b0a9d67a9e1e85dbe05483416b937f56c6da0bf1f419d68e4954cde21 |
C:\Users\Admin\AppData\Local\Temp\eYQW.exe
| MD5 | 91ec0a59d3a0c0fec6ecb382dcbb5888 |
| SHA1 | 31ebd97f52cc4c7b8d1643b65fa28ccb32470434 |
| SHA256 | 6bc135a555c52ee3ea32308d8d9cd2297c0f22f591ed7def4b45f4a46f9d76d5 |
| SHA512 | ca341df3d99041338f3abd033ecf7a532e07f74350debdad24d131da6f3a9bc0b91ff7208649354045b696362ed0b31c06873e1214f89ae4ed78268b6333c14b |
C:\Users\Admin\AppData\Local\Temp\mIwK.exe
| MD5 | 70301272395644bcb8bc6c7dfd19aa2b |
| SHA1 | 18d7e57b6b73065f49eb70c7c1d12ffee90163a9 |
| SHA256 | a54593fe5e79d4b88baf0aefa8a5b7057a11968467af6091dcd23b44205a5ad3 |
| SHA512 | 80855b89c02dbdd43ff998d171839d8ffa09680ac559a6e9acfaaf3c113159a52bf273b612448485857d967e8cc71cdfa6b5e3568a7cb7810e6fa84312ef452e |
C:\Users\Admin\AppData\Local\Temp\KYsS.exe
| MD5 | ff9a0640fce1a018484f738e5bd9376a |
| SHA1 | 970c0c4d861d5f77deb28179f76ac91ebbf39eae |
| SHA256 | bd9fc56892d6677f96c8f1043e822daa6005e716b38a2efb0d0eb53fc3d578d9 |
| SHA512 | bc4d130bf663f4d1be08b2a1f8eb4585688985a1adb4fc269c88de701eefc0e613458dc59b61888fa0f8997a75b48c9d24cfd4dd0e9823fb6d75be8c516a002f |
C:\Users\Admin\AppData\Local\Temp\kQsA.exe
| MD5 | 5d526437d2de91210c2b7b5d7a6e5814 |
| SHA1 | ebb87cfdda2c4dd0e10e11611ffd20f4e9220cec |
| SHA256 | 5f964e81e7b8273f07ea4e45ab8a75004f489ab70dd7cba7f172e885f4e02dfe |
| SHA512 | 7141a3ad99948a241c0dc893485638f79bf73e90622faa3167dbd28e63a05c987ef9fe8aa95275420601dcefbf3db44e6ef3b9658fa7a988d6b5e0e4d782affb |
C:\Users\Admin\AppData\Local\Temp\IMsA.exe
| MD5 | 82751a6e328f150411f3640d9dd9c1f2 |
| SHA1 | e64dc9c8edfc8a381b0aa30a043a753199c057c6 |
| SHA256 | 02afe897cd2add499a4b4ef5ed2965351c3500adb69b8e4d2f9d13ab281e21df |
| SHA512 | 73491ea48c163f5800b256ffcf1c8fedfbabe2ef3e1996d605a8e669d53cd82bdea1f8d161c9a6c98c8e479140a581fbc9c3db57f4a031257cb921264a9951c2 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-400.png.exe
| MD5 | f1184a87ee04a70155fcd27008c21a38 |
| SHA1 | 63c7c406fa2dad68584b8743ec3e5eafe4c19e3d |
| SHA256 | 5512d173ccd06efd94f90376a3d017272e3724d0cc7ee0456c494440dfd7d56d |
| SHA512 | 3f538edc7e34a4ef2e95e8e3e39c4e52dcfffb09b2b5567c7dc159c8b1239390351882e55e16a22267f65154d58a2be4675ea6bc74084ab2fa51d74e4d852111 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
| MD5 | 3c6357b3da7dc24e933ff5ae39ff0934 |
| SHA1 | dd6a4f2709a8b029f8bde69de3865d1e9004f09a |
| SHA256 | 510edc4452dcb9a9d2c28d6d545733623b7cb82021f8d54ec3cfbde6456a66d4 |
| SHA512 | d8098adc3a8fc8bc9914ef71e95dc378818f253174a7cbe1edfb72e399706c582001f7ec26ef6e009e9fbccc1c5b7d3e66a8470661b9b51dc3d4e9c120d81236 |
C:\Users\Admin\AppData\Local\Temp\EUEa.exe
| MD5 | ee88e777f383194e7b5f6adc5eced1ff |
| SHA1 | 7df9370e46125e0afb8407ccbd4ddc4939df710b |
| SHA256 | 778021f2a24dbfda56505fcecfaa816a11ed8f9380f75a991a1b814b4c26e9a8 |
| SHA512 | 9d985c4b18ffc784da63628cb75bb33c36232dab91b0341de1bdf84a3ff33bc40bf48703388861fa067e392c8bf42ed075c922aa67d3a394161f8389711bb460 |
C:\Users\Admin\AppData\Local\Temp\AsYI.exe
| MD5 | 060ce866b110b90f897851cc3cabd49a |
| SHA1 | af53444fd2ec63d57f0657ebe91c7e6ba4864aad |
| SHA256 | 8edb64531465a8c8cf18497d11954e43b43c206dde081cf9387842772cb75ba1 |
| SHA512 | 2742194de4d9bb2963863cee97531c1fddcf9758b221e8b49fe6e27ac4f7fb5fb2ab16786f4f2a6755e7e678e8a6e9c0b0f15487d4c1b2eaff4127f958e47678 |
C:\Users\Admin\AppData\Local\Temp\uowO.exe
| MD5 | db589d0cca72d464eb384fdb07a0f295 |
| SHA1 | 6aa0c7fd25d8619b99d198fb6d5ab70cd1d9d059 |
| SHA256 | cff8daccd2163fa6fb9492812cf265bead0422194fc8f4833752a5f6071397b2 |
| SHA512 | 5e2ee69ec0638000c9ebaa00e71d338a993b3698c7afc580ba57322fea80fd0dc2f50944755a4eeb5aa971e1be931ff8a975d73fd851b2e078e851fe5378af8a |
C:\Users\Admin\AppData\Local\Temp\skgE.exe
| MD5 | dc373557f20ea655d8fa0de35c946c37 |
| SHA1 | 8f4f91e7ce171b31e8f54183d442ee10bb8fb04e |
| SHA256 | 3b74b9008ccfe0279a8aa342f24c0498041cba4632aed103972deb1782614632 |
| SHA512 | 9861758b0e787856501fd65705010db520c1c6765462ccb4e3b25ee14e14ba8f58351a87532c25cfa652672c927c8d3083e36883a3357a6228e4c41b2c34b4a7 |
C:\Users\Admin\AppData\Local\Temp\EwMY.exe
| MD5 | 668b2b701c08c960dc1f00ed7f9428af |
| SHA1 | 849f7ad895f9990e31fe62a0c267703a83eb9642 |
| SHA256 | 7a40880d0d6efbaec92cb9e06270bf6f774dcfb3daf1a5a15fcf03a692a2ae18 |
| SHA512 | 42262341a72a18e520ee6541a712c2f37b5875590daecbc1378576353b2f1ff6a998062eba60135b1d26f1aa36c00fe830f846446e464012541ec8fc7f9c54d8 |
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\6501008900\tinytile.png.exe
| MD5 | 026a9a04b153c7e365c28b44ffbb727e |
| SHA1 | 1ea9a0df70dbe50bac095507799c87fb188a0ac8 |
| SHA256 | e6db5f6a24a20100a2b71540895744c4a0d034f5be78bb1f1a8c78d1d56f6564 |
| SHA512 | 84b18dff9aceacb04ff72aa0fbe61c68fceaba609d45a37aa00925aed00106ce28c712ddebbd1c39dcd5eccf0ac265f69f3fd989bd6c875a5aea1cebd6b1d34b |
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\7603651830\squaretile.png.exe
| MD5 | a8b435b6e3d6c7db68b440f9721b88f1 |
| SHA1 | 0885a16243c9da9eb1ac826eef69d696f813d689 |
| SHA256 | 97217e694be59fb779cf6c002795ce7ec74167ac44adef33518ca07d45b20df3 |
| SHA512 | 998cbe56dac28fe3cee2d2e779fb10b46c5fec757c867e0ffd398fb010191d13575f9481be3a966d46781c914ee617c984a1d878e9f3cd5722b82fd4e0e22350 |
C:\Users\Admin\AppData\Local\Temp\CwIE.exe
| MD5 | 27f6bc74aab566d7c2cb2132d62ea1be |
| SHA1 | d5b3381078c581fa0ea7f03638c7c028ed016ff8 |
| SHA256 | a381737365ed60d15cb1c8be9cc8c578551c4b67117c837c96f51db96a6ea76c |
| SHA512 | 5920917ed288735c46aea9a01543f88463cbb336e5e5e3e4feb6da4bcd7aade0ab1c5850d94e6103fb4c01e95a2eec54ed37d969417eb322428cfea8669ccb2e |
C:\Users\Admin\AppData\Local\Temp\SwAe.exe
| MD5 | 75333e0222a63d025b880588712a7996 |
| SHA1 | f3dc0877778dd7d1aba5d631c6c579fcfd5469cf |
| SHA256 | f43518608dc657bd658a82abeddf31797504cbe8209e65cfa6baa8fce0db2a81 |
| SHA512 | 29e42396f6e45318b80a940acedbd338813fa02498222977738c621ced7f5c79645e085e78f43f62e680f781ceb3b479d957163308f366d7dc48384852313dd6 |
C:\Users\Admin\AppData\Local\Temp\GEQw.exe
| MD5 | 7b8367d71235b46478ceb1049bdc15bb |
| SHA1 | ad99816bae295171af72a6926e238293b5bf4cc7 |
| SHA256 | ddacca7c8fd00e327ae41e48a65cf4abf07dfb316ade00dbd71cf54208c3fbfd |
| SHA512 | 92dfe41280fac942229648423a22c91bc1e0086fbe79dfa3fb5c640148c675687045572f3003f8c15348ed375f7a5641378787cf4be328d338b33500cb94b5bc |
C:\Windows\SysWOW64\shell32.dll.exe
| MD5 | 802c283b2782fa9ef940b8f2431e659e |
| SHA1 | 440c4d9b34f58ea8b4fceac43de47cfff070eb50 |
| SHA256 | 29163912014d5ea41dbecc19971c2b3d8cfe34ef67c289d8a954aea51859cab3 |
| SHA512 | a27c32086444485f0667b1d5a41e7634b13a30631cb95b3044a0fbfab19a3ed4ddeb9d8d28d673818c34557eb5d8c2e37919c08263d333992cf8721cd2b5e765 |
C:\Windows\SysWOW64\shell32.dll.exe
| MD5 | eb960e1c34c190832a725a4342ca6471 |
| SHA1 | 5d49603da173bcb6daaca8fd81520b5bfaf59473 |
| SHA256 | 9d9b0c37c5a05cef99f947f811a4fc004099f3d7a8cd8be6adc0c0b801be75a3 |
| SHA512 | b920d9ffd4d6d6778605d77f34f1d92296e50cc9d404ee46326d41dc9123c0719a448a4c8ee6f5638528793781885ea3ece8d385d84e36d4fcfe5826685bc869 |
C:\Users\Admin\AppData\Local\Temp\UkwI.ico
| MD5 | d07076334c046eb9c4fdf5ec067b2f99 |
| SHA1 | 5d411403fed6aec47f892c4eaa1bafcde56c4ea9 |
| SHA256 | a3bab202df49acbe84fbe663b6403ed3a44f5fc963fd99081e3f769db6cecc86 |
| SHA512 | 2315de6a3b973fdf0c4b4e88217cc5df6efac0c672525ea96d64abf1e6ea22d7f27a89828863c1546eec999e04c80c4177b440ad0505b218092c40cee0e2f2bd |
C:\Users\Admin\AppData\Local\Temp\MkMK.exe
| MD5 | 4bcac7e2cb5657a3d2400b23c49607e4 |
| SHA1 | faa8557fd201e89ddb676da08bfaf347f36f098b |
| SHA256 | 1db7c1414ee8bb44f6a17e9b0f1629cba812a5448cb2108a0f1393a1b31baf4a |
| SHA512 | 45ec63b4b1b29fcf05c742c3ebc4c2bc1c8e49e0a78cb38edcde93a4d2f8c0bd52435bd863d660c9a95bf74205b7c40c4657a1681618a8ad33d4ce31cc5caf84 |
C:\Users\Admin\AppData\Local\Temp\qocc.exe
| MD5 | b366f9d2989fbfed138fd72f4a1972ff |
| SHA1 | b4a4dbf53968803bd7fdcbedbd627765d5670262 |
| SHA256 | 08bf3ed78db202aac2763ea2019db41b0eb716284748c04ba9f8549f97e8cdd1 |
| SHA512 | 65018d603c3579b2520df9ebcf159581b45c240ca25d298526a45468a88d042dcd4e999d0e59c8dda0e46cdbd3d8a5fe33b84f15d093d0e826cb2a2b0e03decf |
C:\Users\Admin\AppData\Local\Temp\Ycwy.exe
| MD5 | 8494e2826023132f2783518e22ab0e6a |
| SHA1 | 64cea02925bf85965be921b299367a2f6114992f |
| SHA256 | 39dc66ecfc17818dba9ce5abce1f3bed9efe0cecf4c23776e506a4b77e93bcf4 |
| SHA512 | 1c0ab544e8309658f9c3941aee4b40c3baddeaae81f026215d5abd3c7ad8a22f3af7088978693b8d3f6ea3e863c1646e530c84556887f82b04bc068560b30374 |
C:\Users\Admin\AppData\Local\Temp\uAAS.exe
| MD5 | 4def0ca4fc3e66d5867223abe4146157 |
| SHA1 | 88bb503424c1cfcf5ce72d240dae4b3b5125a583 |
| SHA256 | c4fb1b93a99b963f7d5df084df5f7f32bb0b2fcc00213c26c29205b73115a348 |
| SHA512 | 47553c57c8ff3837b0d1e61a228e8856463c8d58b40d53208f81d407dfb1ce7163ae4748d4ff3e469e50592d9cf54830cddd99b80a911a6f7583d8614ca2ffbb |
C:\Users\Admin\AppData\Local\Temp\oIAI.ico
| MD5 | 6edd371bd7a23ec01c6a00d53f8723d1 |
| SHA1 | 7b649ce267a19686d2d07a6c3ee2ca852a549ee6 |
| SHA256 | 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7 |
| SHA512 | 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8 |
C:\Users\Admin\Downloads\GrantUninstall.mp3.exe
| MD5 | bb9a976ed5b1c52055e681ce70f275d5 |
| SHA1 | 071618c826cd9fd52a4b5b26b4a0d84aef9dbe25 |
| SHA256 | 4c2150c734e923131f1e6bd000c9c4cc9529fba467d40969529fe4513a73029e |
| SHA512 | cf26316e0e4b373390dc5225b3d9e0b08457b3a49a149049701c8bf4409325be43762a6e128985240c304d1a227a535ba723d2d4b280581ab955e57d9b6a5a17 |
C:\Users\Admin\AppData\Local\Temp\iYoc.exe
| MD5 | 004890b00a3c57bfd79656bb1d68b44f |
| SHA1 | cebbb611c53c35928f2df56365a8ce0535a391d0 |
| SHA256 | d4dd56a63cade6a881015ccef7233d200296b06e459377b8f9c2df8d36ab4a02 |
| SHA512 | 5d8523bd67177553c7ce3bb7cfe725c33dc6e6a7a04e5ffbae5da646796f597f0b85239a4fb45100200b6017c461a2e3a158260767bad7d8762f3c3bb089c0af |
C:\Users\Admin\AppData\Local\Temp\qQkq.ico
| MD5 | f31b7f660ecbc5e170657187cedd7942 |
| SHA1 | 42f5efe966968c2b1f92fadd7c85863956014fb4 |
| SHA256 | 684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6 |
| SHA512 | 62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462 |
C:\Users\Admin\Music\DisconnectSwitch.gif.exe
| MD5 | 8e7d7b113e2a5d5886f09c6ef22bc906 |
| SHA1 | 36b05ee329405aa4d9825f86fd345bf2c0b98702 |
| SHA256 | 594647cbed5ae405fcc56456c6cbe40df4c7147ca524a4b002d6c55f8c6e5447 |
| SHA512 | 03501e564f30300c669def101ab998dce09dc529be42a1f93a0e43cd9aba125c0b6bb46c3dfdd829e36f1d944d59e9bc701f4bfd856251daf3d5ebe6b87dfdb1 |
C:\Users\Admin\AppData\Local\Temp\QAUa.exe
| MD5 | b3b14250ed6e21da573768bc9313dfb0 |
| SHA1 | eeadbb38eaeae5a2bf65499ede213733f691b57b |
| SHA256 | 25228751488b35a70f5b56c3fbe598c7b6cfe2e8d07268be09add4db0080858d |
| SHA512 | f8780a66c339e8d877f27673bcf056b969028c370611531d66c58a1f4c0f86895c5d00f4df9da400af67ed0b08c156c9a8f8ab4ddd819e8d0536cfcdc79399f9 |
C:\Users\Admin\Music\StopDisable.wma.exe
| MD5 | 281e2fbbb997726c612a25d31507c7b9 |
| SHA1 | 69469ba30e38206e8d26fc7f412368a92171a5e4 |
| SHA256 | 966beb8dc501008389a1f436e55b42ca0c2915d736215bb9d26f3f074e171aaf |
| SHA512 | 927f8eabb24098bb65951d88232ef987832fc07c646f0cd8706ec6dc41d97baf3bad7c59599d0c73d8c391191e030a320a193ed627bb8d60d7616361b33ed7d2 |
C:\Users\Admin\AppData\Local\Temp\OUkG.exe
| MD5 | ef011f2d76cd987255beb18bcf7e7b74 |
| SHA1 | 6f6aed484a3c6202d8467dd8964a82300e6d85d1 |
| SHA256 | 4549d47ded2a39f29b6f96e4f0bc9ddc51eb671d5e6c4dad2d77e65c6ae454c0 |
| SHA512 | 6517edd672a8410edd4758ddaff1f3b032a8acf26d95efc3ed39b422c62ef5b19ea13a38b1f43f3df2692beebfe587b064eaf990d3d2c528d5637b39a53bd28a |
C:\Users\Admin\AppData\Local\Temp\eEAA.exe
| MD5 | 6eef8310227c935194885e9b0ad4b610 |
| SHA1 | 1dbffe4693491f0d6963feb71766c19f7dac158c |
| SHA256 | 8d3ea9826a58a68cc2316c91a8621a25cea5221694348d165b152de6b6186486 |
| SHA512 | cc8ae4065f26fd46f250429893fc4fc7825975a4ec328ef199065616e866fe99aea288fa539d56cf65a6bb5495bdc23c020af59ce55f6b172540f3940c35363d |
C:\Users\Admin\AppData\Local\Temp\GYgS.exe
| MD5 | ac800096f254a3b828f149a7445e212b |
| SHA1 | 193e33408593f750343b3505f25c791ed1b7d2cd |
| SHA256 | 03e7948a5b66fd5bbbd9b2b811f845361359bcfb6f6ae62bcffaa64a55b17bbe |
| SHA512 | 2f9debeccdbe3511481b7d7324bfb83d168ddd423b9896f8a59a508d2ee3287832552bfdb300e9e05df4d11e0d5c78c281abcbf8c4b105e33f3af34381a2b306 |
C:\Users\Admin\AppData\Local\Temp\mAce.exe
| MD5 | 6b22509e243ef8790570046652fe8d7c |
| SHA1 | aec4c71dcd86efb67b7b9231968e4fdd5c0fbd82 |
| SHA256 | f2c9ce446e7e065373fb8192d5904783e8af025d7f18419a42a3bc36f15d403d |
| SHA512 | fddfbfa80f5eae07488956ca04b10336a07a141318deeb0e45ed64c7bb6e00f45b95a00be754733c6921421b18439d19fb846f842e3a3c175278d5a822a99c34 |
C:\Users\Admin\AppData\Local\Temp\Ywgi.exe
| MD5 | 78c3ca20f5956667687f9a0d193d7297 |
| SHA1 | 71d8fb97efa6482379302fd5e785b989c8fb8303 |
| SHA256 | 398574569350d956a2bb80f1e57188805627ad4503087394676163c80ab8be6a |
| SHA512 | 89791c8c0b807299ff1b074f1717b2ef7c6873a5a5974e99165564a181c20ee03ed6e501aa74f68f6459978edcdbd8b445533b624b98e5f6505261c6f636e375 |
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe
| MD5 | 59992a67074d25f1d37cb1ddfe3cd95c |
| SHA1 | 3d58c058561cbbfb8e4f706ac17b5825ceb08a85 |
| SHA256 | 114ed41f2a754b9a0c890f9b0dfc7db7fb5fa445f4a7bd7782f3b984a261e939 |
| SHA512 | bbe9c3ddeeee92b19f7bf51f691de53e4f5975d389cbb68a83b9ed29f8fe35a642866ad37252e3ebf4e27a37009a9834300fc51267ee17e274c716fdf109f6b4 |
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe
| MD5 | 020ee36c7fdd8067aa806078047b4c4d |
| SHA1 | 19aaab0876906e53ba759684bcc6f95807185b17 |
| SHA256 | 59d6bf8d75d62384858fddb70451865d3c541f26152fdeaca9b5ff7bc109dc14 |
| SHA512 | 9b35941d48e45ac81fb9531fb2e6df2d630bd6e971e5d0839982c7eaaade5820ebf6c70464d37cc9ac41a457eb64f1ec277935cc43460b497ef62e0536a554a7 |
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe
| MD5 | fc0a1acfff440c8814c4c800f3c048a8 |
| SHA1 | 5035f7b9a84703e6b872fc6d61f035ad738359dd |
| SHA256 | b095cc37ab999da0afb26f588d507d12ad253e9d9b5d92f79a0d2b7d6c54e8e2 |
| SHA512 | 19e0b7547274d5fd0f4afd65b80a8e6205cf1b22d12b09f8e94ea36b010e901aee08c752b8326e047e0f3c3198c22ec01caaef3e5fa4a66cb6e645684158f1a8 |
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe
| MD5 | 80f926c2e78655f299eb680396e2bd59 |
| SHA1 | 81ae292967369b3ef9d1dc1ff007071cd1172918 |
| SHA256 | e863363d157a531fc3110bffefb9208827e33cb9ec3a3c1033b51966dcd6fa9b |
| SHA512 | 95627cb1d1fc1c71a640fa41b1a6338cac851e2117f9b4c8f798bee7b36b745ad3ced90b229cbff6354ce64ada40b204e7030a21af5610df3122f992a2c6cd47 |
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe
| MD5 | 145098d23bac2c746b17ccc11ea78b01 |
| SHA1 | 159a67247c7e0ee809a58949a2a73162aba7da0c |
| SHA256 | 7c2675b50cc14773beb56710c878a98676cda2237e13a430d7b34cbb7ae9e639 |
| SHA512 | 2dabd2ca29d5238710fcbd2300a829a12b7077b2239716c43c48acacfe505d44d40a58fe98689b10b6609e199cf716452c75903ab9a09e0fbb47f041f290cdab |
C:\Users\Admin\AppData\Local\Temp\iEgC.exe
| MD5 | 7a1e4c25616aa830b302fddf84bc31ab |
| SHA1 | bd6805d28244f7fec46c165b6ca10b0468c01350 |
| SHA256 | 8198a234b383b8ac8a82f5f51396e90abd7fb78f9bec2822942b6d0fbc35b393 |
| SHA512 | 013c91fa67634eb0468d64badd12c9e5faa08acb1e5831d89528fc0333df3861c8e6852c72b1865686c18b64601947fc941c6c78d6e7b595ce9cfd2d5901ea9a |
memory/3048-2099-0x0000000000400000-0x000000000041D000-memory.dmp
memory/3524-2100-0x0000000000400000-0x000000000041D000-memory.dmp