Malware Analysis Report

2024-11-30 07:07

Sample ID 240601-hqnfvadc8w
Target 2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock
SHA256 c411e8cd1d9dcd8969d344cda702742e9e74e5b8aad93289df1e3b5bde823116
Tags
evasion persistence ransomware spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c411e8cd1d9dcd8969d344cda702742e9e74e5b8aad93289df1e3b5bde823116

Threat Level: Known bad

The file 2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock was found to be: Known bad.

Malicious Activity Summary

evasion persistence ransomware spyware stealer trojan

UAC bypass

Modifies visibility of file extensions in Explorer

Renames multiple (65) files with added filename extension

Renames multiple (81) files with added filename extension

Checks computer location settings

Executes dropped EXE

Reads user/profile data of web browsers

Loads dropped DLL

Adds Run key to start application

Drops file in System32 directory

Unsigned PE

Program crash

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Modifies registry key

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-01 06:56

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 06:56

Reported

2024-06-01 06:59

Platform

win7-20240220-en

Max time kernel

150s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Renames multiple (65) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\International\Geo\Nation C:\ProgramData\pSAcEAgE\uckAUEgE.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\fAMQkMkE\DSYIckcs.exe N/A
N/A N/A C:\ProgramData\pSAcEAgE\uckAUEgE.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\DSYIckcs.exe = "C:\\Users\\Admin\\fAMQkMkE\\DSYIckcs.exe" C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\uckAUEgE.exe = "C:\\ProgramData\\pSAcEAgE\\uckAUEgE.exe" C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\uckAUEgE.exe = "C:\\ProgramData\\pSAcEAgE\\uckAUEgE.exe" C:\ProgramData\pSAcEAgE\uckAUEgE.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\DSYIckcs.exe = "C:\\Users\\Admin\\fAMQkMkE\\DSYIckcs.exe" C:\Users\Admin\fAMQkMkE\DSYIckcs.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\ZoYsEUEI.exe = "C:\\Users\\Admin\\XuMkEgco\\ZoYsEUEI.exe" C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\eQsoIMQY.exe = "C:\\ProgramData\\BCcYwkow\\eQsoIMQY.exe" C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe N/A

Enumerates physical storage devices

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\ProgramData\pSAcEAgE\uckAUEgE.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\ProgramData\pSAcEAgE\uckAUEgE.exe N/A
N/A N/A C:\ProgramData\pSAcEAgE\uckAUEgE.exe N/A
N/A N/A C:\ProgramData\pSAcEAgE\uckAUEgE.exe N/A
N/A N/A C:\ProgramData\pSAcEAgE\uckAUEgE.exe N/A
N/A N/A C:\ProgramData\pSAcEAgE\uckAUEgE.exe N/A
N/A N/A C:\ProgramData\pSAcEAgE\uckAUEgE.exe N/A
N/A N/A C:\ProgramData\pSAcEAgE\uckAUEgE.exe N/A
N/A N/A C:\ProgramData\pSAcEAgE\uckAUEgE.exe N/A
N/A N/A C:\ProgramData\pSAcEAgE\uckAUEgE.exe N/A
N/A N/A C:\ProgramData\pSAcEAgE\uckAUEgE.exe N/A
N/A N/A C:\ProgramData\pSAcEAgE\uckAUEgE.exe N/A
N/A N/A C:\ProgramData\pSAcEAgE\uckAUEgE.exe N/A
N/A N/A C:\ProgramData\pSAcEAgE\uckAUEgE.exe N/A
N/A N/A C:\ProgramData\pSAcEAgE\uckAUEgE.exe N/A
N/A N/A C:\ProgramData\pSAcEAgE\uckAUEgE.exe N/A
N/A N/A C:\ProgramData\pSAcEAgE\uckAUEgE.exe N/A
N/A N/A C:\ProgramData\pSAcEAgE\uckAUEgE.exe N/A
N/A N/A C:\ProgramData\pSAcEAgE\uckAUEgE.exe N/A
N/A N/A C:\ProgramData\pSAcEAgE\uckAUEgE.exe N/A
N/A N/A C:\ProgramData\pSAcEAgE\uckAUEgE.exe N/A
N/A N/A C:\ProgramData\pSAcEAgE\uckAUEgE.exe N/A
N/A N/A C:\ProgramData\pSAcEAgE\uckAUEgE.exe N/A
N/A N/A C:\ProgramData\pSAcEAgE\uckAUEgE.exe N/A
N/A N/A C:\ProgramData\pSAcEAgE\uckAUEgE.exe N/A
N/A N/A C:\ProgramData\pSAcEAgE\uckAUEgE.exe N/A
N/A N/A C:\ProgramData\pSAcEAgE\uckAUEgE.exe N/A
N/A N/A C:\ProgramData\pSAcEAgE\uckAUEgE.exe N/A
N/A N/A C:\ProgramData\pSAcEAgE\uckAUEgE.exe N/A
N/A N/A C:\ProgramData\pSAcEAgE\uckAUEgE.exe N/A
N/A N/A C:\ProgramData\pSAcEAgE\uckAUEgE.exe N/A
N/A N/A C:\ProgramData\pSAcEAgE\uckAUEgE.exe N/A
N/A N/A C:\ProgramData\pSAcEAgE\uckAUEgE.exe N/A
N/A N/A C:\ProgramData\pSAcEAgE\uckAUEgE.exe N/A
N/A N/A C:\ProgramData\pSAcEAgE\uckAUEgE.exe N/A
N/A N/A C:\ProgramData\pSAcEAgE\uckAUEgE.exe N/A
N/A N/A C:\ProgramData\pSAcEAgE\uckAUEgE.exe N/A
N/A N/A C:\ProgramData\pSAcEAgE\uckAUEgE.exe N/A
N/A N/A C:\ProgramData\pSAcEAgE\uckAUEgE.exe N/A
N/A N/A C:\ProgramData\pSAcEAgE\uckAUEgE.exe N/A
N/A N/A C:\ProgramData\pSAcEAgE\uckAUEgE.exe N/A
N/A N/A C:\ProgramData\pSAcEAgE\uckAUEgE.exe N/A
N/A N/A C:\ProgramData\pSAcEAgE\uckAUEgE.exe N/A
N/A N/A C:\ProgramData\pSAcEAgE\uckAUEgE.exe N/A
N/A N/A C:\ProgramData\pSAcEAgE\uckAUEgE.exe N/A
N/A N/A C:\ProgramData\pSAcEAgE\uckAUEgE.exe N/A
N/A N/A C:\ProgramData\pSAcEAgE\uckAUEgE.exe N/A
N/A N/A C:\ProgramData\pSAcEAgE\uckAUEgE.exe N/A
N/A N/A C:\ProgramData\pSAcEAgE\uckAUEgE.exe N/A
N/A N/A C:\ProgramData\pSAcEAgE\uckAUEgE.exe N/A
N/A N/A C:\ProgramData\pSAcEAgE\uckAUEgE.exe N/A
N/A N/A C:\ProgramData\pSAcEAgE\uckAUEgE.exe N/A
N/A N/A C:\ProgramData\pSAcEAgE\uckAUEgE.exe N/A
N/A N/A C:\ProgramData\pSAcEAgE\uckAUEgE.exe N/A
N/A N/A C:\ProgramData\pSAcEAgE\uckAUEgE.exe N/A
N/A N/A C:\ProgramData\pSAcEAgE\uckAUEgE.exe N/A
N/A N/A C:\ProgramData\pSAcEAgE\uckAUEgE.exe N/A
N/A N/A C:\ProgramData\pSAcEAgE\uckAUEgE.exe N/A
N/A N/A C:\ProgramData\pSAcEAgE\uckAUEgE.exe N/A
N/A N/A C:\ProgramData\pSAcEAgE\uckAUEgE.exe N/A
N/A N/A C:\ProgramData\pSAcEAgE\uckAUEgE.exe N/A
N/A N/A C:\ProgramData\pSAcEAgE\uckAUEgE.exe N/A
N/A N/A C:\ProgramData\pSAcEAgE\uckAUEgE.exe N/A
N/A N/A C:\ProgramData\pSAcEAgE\uckAUEgE.exe N/A
N/A N/A C:\ProgramData\pSAcEAgE\uckAUEgE.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2292 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe C:\Users\Admin\fAMQkMkE\DSYIckcs.exe
PID 2292 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe C:\Users\Admin\fAMQkMkE\DSYIckcs.exe
PID 2292 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe C:\Users\Admin\fAMQkMkE\DSYIckcs.exe
PID 2292 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe C:\Users\Admin\fAMQkMkE\DSYIckcs.exe
PID 2292 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe C:\ProgramData\pSAcEAgE\uckAUEgE.exe
PID 2292 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe C:\ProgramData\pSAcEAgE\uckAUEgE.exe
PID 2292 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe C:\ProgramData\pSAcEAgE\uckAUEgE.exe
PID 2292 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe C:\ProgramData\pSAcEAgE\uckAUEgE.exe
PID 2292 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2292 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2292 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2292 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2680 wrote to memory of 2604 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe
PID 2680 wrote to memory of 2604 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe
PID 2680 wrote to memory of 2604 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe
PID 2680 wrote to memory of 2604 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe
PID 2292 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2292 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2292 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2292 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2292 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2292 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2292 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2292 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2292 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2292 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2292 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2292 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2292 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2292 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2292 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2292 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2476 wrote to memory of 2956 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2476 wrote to memory of 2956 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2476 wrote to memory of 2956 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2476 wrote to memory of 2956 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2604 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2604 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2604 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2604 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1640 wrote to memory of 2992 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe
PID 1640 wrote to memory of 2992 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe
PID 1640 wrote to memory of 2992 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe
PID 1640 wrote to memory of 2992 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe
PID 2604 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2604 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2604 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2604 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2604 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2604 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2604 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2604 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2604 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2604 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2604 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2604 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2604 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2604 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2604 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2604 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2764 wrote to memory of 2756 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2764 wrote to memory of 2756 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2764 wrote to memory of 2756 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2764 wrote to memory of 2756 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe"

C:\Users\Admin\fAMQkMkE\DSYIckcs.exe

"C:\Users\Admin\fAMQkMkE\DSYIckcs.exe"

C:\ProgramData\pSAcEAgE\uckAUEgE.exe

"C:\ProgramData\pSAcEAgE\uckAUEgE.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\QYkEQEsA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\KYkoksEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ogYEUcsg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\YYswAEwY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\diogMsso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XkYIoskg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\vGIswEss.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\jwIcEowk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\xgQoAMsE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\SgsEUoko.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\QQgsQUIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\mSsgcEQo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\aCIoAgMU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\TQsoAowE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\JOIIkAUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\vGoUkcQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RwkIsgsk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\gEwkQkYg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\GMcoUwcw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\UqcYIMUg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\SIkwMkUg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\foMkkIMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\NyUkkgok.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\vYoEkoAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\XuMkEgco\ZoYsEUEI.exe

"C:\Users\Admin\XuMkEgco\ZoYsEUEI.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2428 -s 36

C:\ProgramData\BCcYwkow\eQsoIMQY.exe

"C:\ProgramData\BCcYwkow\eQsoIMQY.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1888 -s 36

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\vWwIwcoI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\AOkwUkMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\CMsgokYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\SkowIokY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sKUkcEYY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XKgUIMME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HaIMIUko.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VAwAkwMw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DYkMswsc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\NykgYEwM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ewAsEAgA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\AQocsEMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\MAoQgMcw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sIQscQMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\jyAkwQwI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\BgAAEkoA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\TsUMEEsU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\BaQkAEIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\kCocEYYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\SOskcUoE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ckkEUEEE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sMcIwksQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VGUocMgA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\zwMIAMIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RCMcIoQs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PoIAwoQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\jiIQkkMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\kYswogoA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\IGEEwwME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\egIokMoE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\kaQcUgUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\jIYMEkQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FOUgUwMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\dwYoEoYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\TycMcQkU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\CuMwoMUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\WAkIMAcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\KUAwUMkg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\EmIgEkQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\xickgwsU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\vogcEsAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PcIYkUIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DqgYokkQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sIIsQsQs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\segIUIAo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\KUIosUcU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\cQsAQsMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\BKIgIUck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HYQMYsAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DkgMsssc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\xqYUwUgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\IqcswEQw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\mCYwYYYg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\saMEsYMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\KsQQAgwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\pqUMMAso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HEoMwUkg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RQQggEIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RaUgQIAU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\TkocsMMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\cAEocEYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "671555137-1174961574911483642403828479-15622331474975514871071530375-341426733"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\cGsksgsc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\UEYUQgQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "2074113098659151558230840823-19013173471236596897-49441688221467881-1298926121"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\GUkUkogA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VMEwQMco.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-481701244496789278-20518058771583225662-1467986673250175891893305281801017413"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\BOcAgskA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HQYEAAIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1309609111117092213-417586789-9358866791948690944-591748440-1517886452451377295"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\OcAMsscc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\UQEAAsQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sWcEMAkE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\aIsswcos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-7595309691846262447-138566102195682157-1025654002-19693363883650003121052443351"

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\NIcQsUQo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DWMwUgsk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\bWIMsYYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DcoAEkgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\oSYMEssY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\SWccMgQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\uyoAoMko.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VEMIsUEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\zWIwMMAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\bYEcYUYU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\rcUkcYIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\oGUcQsAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sCYsUAMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\mkQAoUMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\eYMQsgwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\bqcEEMIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\nCEkgwIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LkUQcYMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HYIMoooo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\CEokYIMU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\QoEoQcEY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\WYQkgwIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\KwQQYsAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VKYoAoAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\dWAkwIsA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XgMMUgsA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\vUIMccsk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\xIkUYogw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\KyMskUoQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\keYckwAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ceEcYUAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\swwcEgQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LQEUYYwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FCIYAgkU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VIAccMMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Network

Country Destination Domain Proto
BO 200.87.164.69:9999 tcp
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 google.com udp
GB 142.250.178.14:80 google.com tcp
GB 142.250.178.14:80 google.com tcp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp

Files

memory/2292-0-0x0000000000400000-0x0000000000476000-memory.dmp

\Users\Admin\fAMQkMkE\DSYIckcs.exe

MD5 067ba94b0ef04e9810205d6392d867ae
SHA1 8354d87680718728912322ced8002c3c178675ff
SHA256 08f26910cd41647894190191aba5d898be2299f7193e6f4dc46fe3895fb962ba
SHA512 dd11c06e1f8b4206a296cfce7abb5a046667ab5c91ec89baa2287e3270a64d40373d2ff8488ab776362b4ef3a05a66dcc906e34984e597dccd894e6d5ab550c2

\ProgramData\pSAcEAgE\uckAUEgE.exe

MD5 05cf74bbb35766779b77e4efb8974019
SHA1 bcaaac94736f3e04794b025a47507bc2d49f357b
SHA256 a418913f28b1592aa5539c7183828881b86fd4c0eb64680235d52077d47805c0
SHA512 d7a8cc9ec1f0653be1df0588473d7e5d764c3ca2cbc95bf26ec87ab82100fb5fc3f0670adada8e02bab0acc13ea455f03fc29a1fb3334754d1fde585daccd0c1

memory/2860-32-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2292-31-0x00000000004E0000-0x0000000000514000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\VmwEEUIo.bat

MD5 138afbe71b01e92878f511f4bf073803
SHA1 628ff51976098b0f21154ee0d462ced146ba7cf5
SHA256 9296f0badfb4556b5b084c04a3d29bc112b0c7081bbe6f7e2527fe75de7415c2
SHA512 29eaf685f3d68d4b15b912b29dee4f464ab5bdb58a6bf4bd82b24e66d0cf2a0aee6ea0fe82e47e48322cfa2fdd8b90f1f0d8c33b269e15068be39cd1cf42baac

memory/2292-17-0x00000000004E0000-0x0000000000514000-memory.dmp

memory/1632-16-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2292-10-0x00000000004E0000-0x0000000000514000-memory.dmp

memory/2292-9-0x00000000004E0000-0x0000000000514000-memory.dmp

memory/2680-34-0x00000000002B0000-0x0000000000326000-memory.dmp

memory/2604-36-0x0000000000400000-0x0000000000476000-memory.dmp

memory/2680-35-0x00000000002B0000-0x0000000000326000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\QYkEQEsA.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

memory/2292-46-0x0000000000400000-0x0000000000476000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

MD5 ea4ee2af66c4c57b8a275867e9dc07cd
SHA1 d904976736e6db3c69c304e96172234078242331
SHA256 fa883829ebb8cd2a602f9b21c1f85de24cf47949d520bceb1828b4cd1cb6906c
SHA512 4114105f63e72b54e506d06168b102a9130263576200fb21532140c0e9936149259879ac30a8b78f15ae7cb0b59b043db5154091312da731ac16e67e6314c412

C:\Users\Admin\AppData\Local\Temp\gWIgUsAY.bat

MD5 2b14fb688445477486bcd9e254bf37d2
SHA1 1cf67aefcc0532de6afe62118bcedf6b3fa0d8d3
SHA256 942fc7e5a0882c1da81e2c6bd6aebd47dded134585714cf998a35c0afb0033cc
SHA512 3b293f4b6af77b19cc886e3f1e976ac449f58e9efa1cbfefa76062a2adb046bb87d9c70f6d829871e2c5b709db5ff2eeab62f9ece31eaa0cb883a67aa753a074

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

memory/1640-59-0x00000000002E0000-0x0000000000356000-memory.dmp

memory/2992-60-0x0000000000400000-0x0000000000476000-memory.dmp

memory/2604-69-0x0000000000400000-0x0000000000476000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ESswMcAE.bat

MD5 e60858b52c21a3464b7155640208b50f
SHA1 699275c90b6e13a115d91580a58d8f0a8984230a
SHA256 47904189cf42b938d4b041aa08be81f117b109c9aec3b749e5243b0eaafac33e
SHA512 fe9f01b01f8f285f09eab34e9c314c8bf824aac99e4fc7dbab08588273efe9f0b1abeac0a60be2de32754bc2885d35b27ffe9be5d552ca047a31026a69b44d43

memory/2752-82-0x0000000000260000-0x00000000002D6000-memory.dmp

memory/2936-83-0x0000000000400000-0x0000000000476000-memory.dmp

memory/2992-92-0x0000000000400000-0x0000000000476000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mwowkQkQ.bat

MD5 bde4693ca0e8c4dcfab6cdae666b1647
SHA1 6d95688bf0f17028a224249f00ff1f7d7e5357c7
SHA256 d7ab10940f74e127c4987118765ad2a36947cd168b5fb4df5b5cfc0776aff2cf
SHA512 1e99298b50f8d9c0d15ee9e046a9183ac0b12d0e322aad0f4348c2598eeec0f57a3ba6339c7c4ad60c3ee4b1aea02bf9aec7f1e048105a52be5045f46633a78c

memory/2908-105-0x0000000000400000-0x0000000000476000-memory.dmp

memory/1944-106-0x0000000000400000-0x0000000000476000-memory.dmp

memory/2936-115-0x0000000000400000-0x0000000000476000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TSMgEoME.bat

MD5 93d9a35539ce9c5e558311a9484b3b65
SHA1 5f4ae29b2aa0c2600aad2ce90b3e45632bbb830a
SHA256 435eed02976679fd943d1c0b3162e38936d1a8d347bbd47f22dce6853e7814c9
SHA512 81d6af709aa12436c8aece8d013888d558777ea2ae55877d28a81b88b9246fa9cda39c93193944cf1c2a21d466680a54bfe157142f97934626b6bcc7dd3caa3d

memory/2036-129-0x0000000000400000-0x0000000000476000-memory.dmp

memory/2428-128-0x0000000002280000-0x00000000022F6000-memory.dmp

memory/1944-139-0x0000000000400000-0x0000000000476000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vWcYwgQU.bat

MD5 8263141ea97ffe1ca5bc3289e848919e
SHA1 0eccff21cdb7a5120c66a51ea232f28b75da9d77
SHA256 d08ca36cc54cbd9a03b90fc7253c92be4211bb6f99fb11a239afcdec18d7a875
SHA512 eb6a5270ab7163f518e0d93d987aefe8e65a4f8805781ff52f1b27b599eff89838cb7bcef75a7d143616b054490ca74b801cd60fb1a667ba2e93f369989b2991

memory/1672-153-0x00000000022A0000-0x0000000002316000-memory.dmp

memory/2364-155-0x0000000000400000-0x0000000000476000-memory.dmp

memory/1672-154-0x00000000022A0000-0x0000000002316000-memory.dmp

memory/2036-164-0x0000000000400000-0x0000000000476000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xwEgMoos.bat

MD5 2fc6438d9bc3711aebc49b768493ad36
SHA1 215787d5713905afeb9b9933d528b0d212b53e12
SHA256 9852c18eed5875d8bb3482f7e2f9e449ed8eca8210d9f9a046d4bd1a53308c50
SHA512 f955e649ad2b1889357ae5e2b00e284df68d2e2ad1e8ec330a6ceac982e1309a32fcd861453e6c36613837a49bdad273f73bd9ed12aed23e18ff629dd01995c5

memory/2724-178-0x0000000000400000-0x0000000000476000-memory.dmp

memory/2500-177-0x0000000000250000-0x00000000002C6000-memory.dmp

memory/2364-187-0x0000000000400000-0x0000000000476000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\LEcsQEsY.bat

MD5 366f814b80493fa5dfe39bcba56d4fa5
SHA1 6abc8007dd95c373a0b05614e985837ec055ad81
SHA256 790dd30d899f78a3dfe4d3a1e684936ac78f4903297789532f82ef6f05aa332d
SHA512 adc671b1b2e22722f835b149846e4d49348329217711be19eb2837595d5b90f5abd349db9f2c214c61a37814d3b8b0836852ac374063f7b575fcd8b204086ce2

memory/2768-201-0x0000000000400000-0x0000000000476000-memory.dmp

memory/348-200-0x00000000003A0000-0x0000000000416000-memory.dmp

memory/2724-210-0x0000000000400000-0x0000000000476000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DOMEUkwg.bat

MD5 2ba4f96c84d1ceb34d6760f0d38cc48a
SHA1 db6bae2ee71f9b93274d5f21dc9d255c4a87a758
SHA256 f3697e8ae63bba99908cd2d750a4d583352cce1169238c8d82ff1125dc93d3a2
SHA512 270fc2b93743e4264483e3ce9124d0049fd84cb2c57a36c9285576bc382b666cd2931229bc4c4e6582ee1804d889ec420813d98a9b3813affcfe2ac54997db88

memory/2856-224-0x0000000000400000-0x0000000000476000-memory.dmp

memory/2636-223-0x0000000000440000-0x00000000004B6000-memory.dmp

memory/2768-233-0x0000000000400000-0x0000000000476000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ikUIEgEc.bat

MD5 4376120bd82832f2909958de920e1958
SHA1 5ad6827871c69f2a1f53f1929f245b79467dc63a
SHA256 d22e2d60d0b280481d6bc15419d70263b9a1ecb4f2bd159da324d45728fd71d7
SHA512 d293461f416238277c742c0f013e7be61e1e321618ac45d9bcaa397ffbe1eb7e6822cd9e978aacd07beb393669abfaa9b115428607451ac265ea1590f8b84944

memory/404-246-0x0000000000400000-0x0000000000476000-memory.dmp

memory/2856-256-0x0000000000400000-0x0000000000476000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sOokwUAA.bat

MD5 82da3425253b13ea6518953fe6e6112b
SHA1 064526a879039690b0229ef3fa8d6631f0bfa5b5
SHA256 dc4d8ea8939e28b4dceef385dcaf4cc60eafcad74dcba8503e8a88124f0132ee
SHA512 912f973437c1a06400b608343467b4385be8332dad00f5b46f7a496c7737c5b44084bdb0ef5677ca2108aa777cffdb90b67632201140965bfadfc2afc773e7eb

memory/2272-270-0x0000000000340000-0x00000000003B6000-memory.dmp

memory/1600-272-0x0000000000400000-0x0000000000476000-memory.dmp

memory/404-280-0x0000000000400000-0x0000000000476000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EYUMIEAg.bat

MD5 9ab9348c90c6c644871db51169ca8790
SHA1 53bbedf8efdfc09f19c4df5073a6a7af1bda1c23
SHA256 7eea2a7b7033b3675bb93d715ac744ce077a301c14a0a96f6fefabee90d010e5
SHA512 063cdfa05d60a342e77710aca5b9a3f1873aa6f14812a13a4d3da59ad260ceb66986ba0a7004ebcfc14b62993ea7cfab7b7036d502a93f0e2d1e723e2bbf9c65

memory/2432-293-0x0000000002380000-0x00000000023F6000-memory.dmp

memory/2568-294-0x0000000000400000-0x0000000000476000-memory.dmp

memory/1600-303-0x0000000000400000-0x0000000000476000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ayQkwAoQ.bat

MD5 4d4f08c82a7485301e14d422cc087520
SHA1 6edbe4d1f8cfc692d327c1d106d8cc3ada62757c
SHA256 115bf76e2f332562ede1e5c7dc6f81e062b09e599cf49f0fa783cfa7bf5a2889
SHA512 75811f294a7930fdc45b505dfd40be41aa1a9a005dcebb0d5b3e9cbe4ea07c011932d908022b96f26a371eaa4d38ae16b47b0cda7655e3e2d02f64119e45ef87

memory/1004-316-0x0000000000230000-0x00000000002A6000-memory.dmp

memory/1004-317-0x0000000000230000-0x00000000002A6000-memory.dmp

memory/2628-319-0x0000000000400000-0x0000000000476000-memory.dmp

memory/2568-327-0x0000000000400000-0x0000000000476000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\LMQsgoIo.bat

MD5 c24985e229abfca2976c74154d7c8085
SHA1 06b6fbed41810f479b2c2a60058dda119d64ddbe
SHA256 7ef6b37482e9a785de8b0335d2836595155d4f43957480a44794c355776dfcfb
SHA512 8aa2b7e0be366214331d434b61f2c231061ad21da16eb09a54e6172478f57735675a7f9c4fe6afd41f902caf2dd715fc4e0ea7a11c6be40b330a117bbd9de3a7

memory/1796-340-0x0000000000350000-0x00000000003C6000-memory.dmp

memory/2564-342-0x0000000000400000-0x0000000000476000-memory.dmp

memory/1796-341-0x0000000000350000-0x00000000003C6000-memory.dmp

memory/2628-351-0x0000000000400000-0x0000000000476000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vggYsoog.bat

MD5 8331d2e275b8b7cbbf39c2d6c4f5c65f
SHA1 27c936f10ab5ae4b872665a10d74cfdb4ae68cbb
SHA256 caf94d1bb3889e2d6a0262c2292188962d5fec64647ec4820e810e115c722750
SHA512 e91049f7dda3a43ecadc9cd16baa85b4b6c127879b64adbbbd810c743b1ad08a48f2a0d9fda7935aba0dfae02e9836aeff83a647b8697a54536467b54c55e81d

memory/2564-376-0x0000000000400000-0x0000000000476000-memory.dmp

memory/1748-368-0x0000000000400000-0x0000000000476000-memory.dmp

memory/2444-367-0x00000000022A0000-0x0000000002316000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\hegwsYAk.bat

MD5 646e4a8b55a384eda50cb6001a209c6b
SHA1 2f3dc9b22fc753a99f6f75321078f05ee0a0d249
SHA256 168bfe3878072bf2919f1f966e19868a4a9356a0df472e59dd3bdf9215156c4b
SHA512 904a268fcb32ce6631569aec361d93f5a138c1a0d26e83779efffff4ede12e73126befd43c3958aecb6aef7cd72ce2877fa69e09ad20bba7f2df67b22679bb66

memory/600-389-0x0000000000270000-0x00000000002E6000-memory.dmp

memory/2756-390-0x0000000000400000-0x0000000000476000-memory.dmp

memory/1748-399-0x0000000000400000-0x0000000000476000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\dGUsAkIE.bat

MD5 7d2ddbfb87d6a47f1284024c0d4a713b
SHA1 4cb679fddec2956b16f56a40d308b369da12ddf5
SHA256 404bcaf91cbd126a06868f9adf7906242b16a5b1c7d518a3e8582dabea56330d
SHA512 5c7471822026e4e632bea77461de668478508380c930457c4ec74c9b8aabde3ec0d88c4f5524d348e79fde372413ea9c1a3763d5f7a61f7733e1fe8ee7d013db

memory/2756-422-0x0000000000400000-0x0000000000476000-memory.dmp

memory/748-414-0x0000000000400000-0x0000000000476000-memory.dmp

memory/968-413-0x0000000002360000-0x00000000023D6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\WyIUMUYg.bat

MD5 9af7b75ce64de87696aaf935db448011
SHA1 c285b95ed6defccf49012e3598cc0554aab4b8ee
SHA256 a73eb4896dae0022093951c31d4e5a61b16f4d79e25357b520d3b6029e340e47
SHA512 757b56b464edf909e036952e40dbbe1970616bfb6751032d72966d69a631480fa67ac256e91cc48df15ca6f17575e468c72ddea9119016a1ee61eb5bc441a875

memory/1040-437-0x0000000000400000-0x0000000000476000-memory.dmp

memory/1144-436-0x0000000000280000-0x00000000002F6000-memory.dmp

memory/748-447-0x0000000000400000-0x0000000000476000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\QMgwYkAQ.bat

MD5 4e2142dcd5cc0cb0e11bb34a6c8a8d4e
SHA1 3e1b4abc33ca311ab90cbdf402d13c3487e833de
SHA256 75e1f6db33306b4aa757a32f152d55877938ec6db9fa5a4a1ae1cda9216c1cc3
SHA512 6c6a359ab7f8e885096b4476c6e6a2e494e5e5f498de35df6adaefeb25220f51f77ff5abc2d12e7180dc3581daea7549e8f7a766cfae77f557b9b03d13210398

memory/2536-460-0x0000000000400000-0x0000000000476000-memory.dmp

memory/1040-470-0x0000000000400000-0x0000000000476000-memory.dmp

memory/2884-462-0x0000000000400000-0x0000000000476000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EYIgkEQg.bat

MD5 5dcb9cf3d4c038518cb37a0b02f23a6a
SHA1 79bfc83c659c8ab318cd9ba2fbcbc68b5cf77533
SHA256 c31cbaa54df784aad0e2fd7cde308b4aedd6373be8635a082580ad632fe7a126
SHA512 643e6891b174c857358163845b0658391ca7bcefee84b55d3896e7d22f814b3579cdeae6f920fe7f7ccb10c592160ee2cd70a4d983274b5e97a21acef58e7a10

memory/1448-484-0x0000000000400000-0x0000000000476000-memory.dmp

memory/2060-483-0x0000000000290000-0x0000000000306000-memory.dmp

memory/2884-493-0x0000000000400000-0x0000000000476000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mUIAUEoM.bat

MD5 26a63de0d768b89002a7c9be15953540
SHA1 bd237ffba86eb8c8efe847eae980b193bf8db5ab
SHA256 cdeaeeef5e08bc86bb517834cf0ecaa88d4496dee8a6e3c82c9606cd0b18ab80
SHA512 cd074623732d7e81f3aab4783cb3c1204bbcbc1bdfbb3f3c6cad436fff82247f6fb5c8730930ff87fc57b0cfdb6889787e5193ceb64e65b6fed2f54c0edabb7f

memory/268-504-0x0000000000400000-0x0000000000476000-memory.dmp

memory/1448-513-0x0000000000400000-0x0000000000476000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\dWUMQUsc.bat

MD5 8373844732530c2533b88ca8c4892cda
SHA1 2955ae79f545aa709af56e73ba63f108b08baed6
SHA256 2336bf6a2068ab8db831b91f9b864c70d140b08075d47d54062a4ecb0d685e3f
SHA512 1b84a57c1f005e5683d6489790959e7022f72b88d1536e6d1baab9dc42e4cf88fcb27bd29403ba347f6afd33ad341505f79d51384353ec3c0aa1e5c50fc214d7

memory/2300-523-0x0000000000260000-0x00000000002D6000-memory.dmp

memory/328-526-0x0000000000400000-0x0000000000476000-memory.dmp

memory/2300-524-0x0000000000260000-0x00000000002D6000-memory.dmp

memory/268-535-0x0000000000400000-0x0000000000476000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\dYgwoEkk.bat

MD5 781469eae77456d40090dc5b3a21ed18
SHA1 7ff8c4f0c9e03e83a451c0ffabf601e2b8da096f
SHA256 c47602bb89de6fed5faa47fe82534fe68850a19507427923b2296e4153c9972c
SHA512 fff369e5725485ca46cbf6796c65171a7208844709086a4105c23e8f69359cd299c2f298d43721ae488ec472ceaa741c463aabf606a23b359d5dedebfb0ea34b

memory/272-547-0x0000000000400000-0x0000000000476000-memory.dmp

memory/600-546-0x00000000001D0000-0x0000000000246000-memory.dmp

memory/328-556-0x0000000000400000-0x0000000000476000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\dmIkEwcc.bat

MD5 ff1748029b5d21f121b1d82ee73c3ecb
SHA1 0f57c6b23f1d2608a81bb00aa09f3448abab8050
SHA256 fac91ba5081f267d08540b796a019edcf1a782b198e287259c238724ff46485b
SHA512 966417ab07a58be0d8026a7242d5362d672c325f078949e6e46576c5e93f303a57bd522cd3dca842dcfe349021805b29308fb74e883ade4dd06b0dadcfce9cc0

memory/2356-567-0x0000000000400000-0x0000000000476000-memory.dmp

memory/1296-566-0x0000000000120000-0x0000000000196000-memory.dmp

memory/272-576-0x0000000000400000-0x0000000000476000-memory.dmp

memory/2428-580-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2356-579-0x00000000004A0000-0x00000000004D0000-memory.dmp

memory/2356-578-0x00000000004A0000-0x00000000004D0000-memory.dmp

memory/2356-581-0x00000000004A0000-0x00000000004CF000-memory.dmp

memory/2356-582-0x00000000004A0000-0x00000000004CF000-memory.dmp

memory/1888-583-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1040-584-0x00000000022A0000-0x0000000002316000-memory.dmp

memory/2124-585-0x0000000000400000-0x0000000000476000-memory.dmp

memory/2356-587-0x0000000076CB0000-0x0000000076DAA000-memory.dmp

memory/2356-586-0x0000000076B90000-0x0000000076CAF000-memory.dmp

memory/2356-590-0x00000000004E0000-0x0000000000532000-memory.dmp

memory/2356-591-0x0000000000400000-0x0000000000476000-memory.dmp

memory/2356-589-0x00000000004A0000-0x00000000004CF000-memory.dmp

memory/2356-588-0x00000000004A0000-0x00000000004D0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\KasAocAA.bat

MD5 18d62d6817e468aac7a9d7f4a949d6d1
SHA1 3a256002705017cc8866172ba29fd4c36240f072
SHA256 a948d2a5b17bc86116da777635cdc123e61950aeea456a5ccbfe7c9fface748d
SHA512 43e5ff3941ba289ab161da23cb64ab632c570939cacbe8146b7abf37f62d914fac1d866abc26bb33a65f0df65e3509068f4d1ec1b92d8ce5f2bf665f1f0f9b1a

memory/2792-603-0x0000000000490000-0x0000000000506000-memory.dmp

memory/2792-604-0x0000000000490000-0x0000000000506000-memory.dmp

memory/2536-605-0x0000000000400000-0x0000000000476000-memory.dmp

memory/2124-614-0x0000000000400000-0x0000000000476000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MegYQQUg.bat

MD5 7cb5b2c32a182bcf6cb41d31bcf42b67
SHA1 6b1c564eeca355562dd493625bdf3d18ba92e75d
SHA256 175fcd6ac1582e6dc39f0d9bc2889427113dda4ab839197bdcc89de28859dab9
SHA512 eeb0bff82a478cd0243767aa849b827bc679a94ff8c1ade0300153b35815032346aec8403099e994408fd56f08c2cafdb9347e5b6342b9570303a86cd27f2af7

memory/1800-624-0x00000000001B0000-0x0000000000226000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\eyIYswIA.bat

MD5 3d7358275d2fbc4c969687480a899a8e
SHA1 a0fe9ad9255fbdd242aeb03b8c4d8b265c64eddb
SHA256 77d0301b5d89da62244af0c3ee21220e79a32e6cfebd8707ea4d3b9a3530945d
SHA512 bf7484b9f3285eca89e28084e07cd8e1c10b44e3a5181148c4ee5ec45d86af86838720c3b4074e093cebedba5f0b932418e657315acf7c87017026c1f3be1eed

C:\Users\Admin\AppData\Local\Temp\qSogokIM.bat

MD5 92dca9f764409ffde5f1141b9fbcda20
SHA1 bb5e493329b11bdb461d674aa73b8ecc10476a05
SHA256 f82cf34e7772837e3fef225d2e6300981f36f8135ee5af0cc803f58bde468b54
SHA512 761e8ca79b7f7b5a1600067ec5baa5ef0040a1d3ba2d8917fcf5966fef272b3dd6c076b7d85104e990df6cc06fb138d611729f87bdb663a88c6d3f563f47723a

C:\Users\Admin\AppData\Local\Temp\luYkQAsU.bat

MD5 330ae5027cc2c9720e3395e1ed9a273d
SHA1 6163b57ba7bc8b0ecee5e833af076a9195de4d40
SHA256 1e71217925aa3860ff181b5fb5f4a48fda77d6a1e75a9a7dfc6c2fec17a635d1
SHA512 c299a5b3e9d4af6840b33ad61c5fefa4687f3230f167946f576ba08a2cdf1d4de838f6129aaa67a59380b4153dcff4c8929e09ecc307723c16613bac4519894c

C:\Users\Admin\AppData\Local\Temp\ewkw.exe

MD5 1c55e865c99b908f2ea3a7293c01cebb
SHA1 226afc6728175e7dc20f47944c202bee52bfb012
SHA256 b7d92f9a972c162e1269e997ab817bdd686117ce17f4930a35165cdfcb13e938
SHA512 3127a078b38a3f0a96e64be5118b60ce6ef5290c0e125fec94e01277c98bdecbd95dde87a2e6410337e4afeea0679cafcc9c27c218dd1771068f9340f06b1476

C:\Users\Admin\AppData\Local\Temp\hAsoEgQQ.bat

MD5 1530d1ba15b00223b27b8f42edef2d69
SHA1 39b10928ef0ed5c49439b1bc0b447c306c5aaa9a
SHA256 713d8481bd918f517bcf0f867c40c11a23c49b766f4d75300246fa181db7c030
SHA512 b248fa85d55ee3247216d9643c48bbcb605e15b911d9c9994f61eea7333e788b4d5b65472ff79ca7c5b86ebbb00070e7bb60b655b8f49386dd854e5951060c74

C:\Users\Admin\AppData\Local\Temp\bQMMcMoQ.bat

MD5 6e9130d7853e865f4627ff175b4233e0
SHA1 a04ee4c86bee13cf742045464a239e0e5226a7f9
SHA256 940d3a50bd64c84dbced4419702cfbadc9817b3f96a31d4d35587b35887139b1
SHA512 bb831bfa5b4b53e5d1beb391c6bf8c83f063942852ef4ccc432cd19250bc11a7bf60513870ddb1a934230e4b17db292cb817c301449f97056ca9cff01f35a44e

C:\Users\Admin\AppData\Local\Temp\DYMYggYk.bat

MD5 1cbae0249ff301ac59adac34b45db0f1
SHA1 43c5a5895e70c8cab92edca3b7a5c52390e6724f
SHA256 e88a607b7668c4c759a69eff313e8fe259d7c926b1bfba6a655d458c3543cbff
SHA512 a1334954737356ccfeac9ade8bc00da175fa3eabbaf8f62d6a27c4a1bd164b4a0e7d37c29bfb3dafc6f7baaa38bb1214435ba4c8c1799e8053e806b40474ad97

C:\Users\Admin\AppData\Local\Temp\VowcIAwM.bat

MD5 4ee9187280fdd876d857534690392764
SHA1 bb5a9bc5d391ed9d17f4c6a7ae0a87b672b1db2f
SHA256 b912cb4b42661ccb25776c8f80083b13b4c78440efe1c79b8307c1ebb2aff47b
SHA512 5692c3f13c3a904ba87c1b0a7d6e121a8d57f5073381d58e6421eb54dc3c20ca98314f891217a138de2e52746d5015760807752485c74a8450059a1775a40977

C:\Users\Admin\AppData\Local\Temp\IeUIAYoo.bat

MD5 6f79378db1e5617335fb3cffe53b5ce4
SHA1 b0f70dc726d0d2c2875792ea44073398ba12ad95
SHA256 8e4aa5490d2aab98f2429becb7b2fa58e9aad30ffccff9d9afea123c9dfdf48a
SHA512 aea9348dbe673bbe7d1ca0f44b8537296cafa6bf6ae6708b763b44e7131a16515ba3fef3364721762599164b630a27aff45d70fa0fbabf2e3ac548eab530c779

C:\Users\Admin\AppData\Local\Temp\yicsoEwI.bat

MD5 4eb3b6d3da3833dd559d3e7442ea27c1
SHA1 085176f56f63426ad1643ab8c411559ad268d49d
SHA256 283b0b8bd348efdd56349a111cc717209c3e6daf023abeef18fb2d7d504083b4
SHA512 cd149b4d2905cfef98ca9827c49e20d0d10546961be0b545088401e93bd27ff130e30ae179ff8af0e6402d2d1618994a3c00e7899e189afcbf6280292e712aa5

C:\Users\Admin\AppData\Local\Temp\WAIMoMEU.bat

MD5 8a30662dc2e50f466a02bd7df7de4e5a
SHA1 b25d3a7b6be1bad3dc0c1b9fdab8d42e6d543444
SHA256 eeae06e5fcbd322d676fc1779ec82c733075ae29260ac1d3b60ec8a472f76e7f
SHA512 7aacffbd681cd05a0a27831e0cc61ca4503739416df620a984241b4ac245bd9562b4ee599154724644a5f6595f3905c0275a9e0079c1049f78095c55c49134a6

C:\Users\Admin\AppData\Local\Temp\mKoccYoc.bat

MD5 6f58e92034123ff2d4c8ff8556a16e3e
SHA1 e8d13d2ad4b22f6408cf9a009f08dd50dc229bab
SHA256 c31f15430b2e0b323af3b766be99909dfa8b503724796e27be46bccaa2ec3dfc
SHA512 706a46d6990f28aaad20119bb868587967a033f6c88792a71eddfad646fc514a42d7eedad26650dc68e1e7cc4bac3c26dcebd83a4ddc8e9c3562c8cb4aa138fb

C:\Users\Admin\AppData\Local\Temp\lqsYoIUI.bat

MD5 d483ad4c13f0ae63784742f2796dca71
SHA1 14aa72ee7a334dd88f2698b8bb1c7c567a7b678e
SHA256 9058ea56ca106c09e0d95329daeda69022b5da5665718acd8775f1dd7b0460bb
SHA512 cfa0aa6dbf22ef64f6de42f979403ddc023f7e46af5035e1ed29eb6e36b879826d06dd345edfb06bb800da9897a92af5c9d54eac7fa8193398f9df238c51fd42

C:\Users\Admin\AppData\Local\Temp\BsgsgsAs.bat

MD5 02738837c933e777055a57f6f049e91f
SHA1 edba3f16fd1396773f46d73f33a773c66b654a59
SHA256 e40870cd4aa0b271df771cbf93f5111425a6a0ea4ca14c96f518e81f7f41038c
SHA512 a573ecb7e4c40e9359aeb2d6a1db3ae46ca56d2c53d16f975f78e5cea5498acddde3125ce2ed7294f3ef57f926fe9053ea69dc7c63386dbf6ea0a48112abb581

C:\Users\Admin\AppData\Local\Temp\LIEkIIwo.bat

MD5 39a1fa1e0c27eee0c8a505a9e47c5784
SHA1 9232a1589395e43058f0d36c0a18c3a53a3b46ac
SHA256 bd2ee80285d02ab3ed2b72a848a0e3fec732e96ff781e0c0361caabdd9b4eb9d
SHA512 45c9f9bf7c834514e5a4ad9b8c7544e3ec45a41cea082d055e19d1eaacab3e5513cfda969b51f7103f3fbf68867d7d50708b7ebd0516c4a4eb1d734ea5e47ba5

C:\Users\Admin\AppData\Local\Temp\xGgYMokQ.bat

MD5 3122e93adfe928a5909bda615db040d5
SHA1 c5e6077ae30afc48fe032ff287a713f10519dac4
SHA256 67e9bbb91cd506f910524b6ef8b8b61d6adf25a3a5ab0641f01e2a57b27a6159
SHA512 9fcdbcbe387a6d1d3d6412805c110079a4cc0eb1135a86cc68656af580e0a71261aaa4966f8c868ce32c3de4c8b54d224e18aa0e0bbeffca55705f82d957d088

C:\Users\Admin\AppData\Local\Temp\gIsssIMQ.bat

MD5 5a9e4797de8aa07e5e8a12ff5007f4b7
SHA1 08664555029cde3973c46de19073eb293c699895
SHA256 6faa9fa2d3d1d92f449612a70a4ba23c74634f5802bf98883f842e20b7cc6ead
SHA512 f935d47ddddbd0e1e781d812cf1b30be0d7680c329256a9ebc4fd40f8f2b4c368d49408ad7e47b2896a7de62232955a8b2eb9a46613e2716d994e9e7f80bc929

memory/2356-964-0x0000000076B90000-0x0000000076CAF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\WSsoAMkM.bat

MD5 77dd42207d48829cb2dcfe961dc152ab
SHA1 bf0efbfcf2b14cb62e298c09e3556a7f5b35ec5b
SHA256 83edf64cd4da0ce078118ac81f96dc719a3077bfc7655a1107a5c1d6464904e7
SHA512 582b6c433f63a36cb9ac0baeff9d2e70d917345b86e2ca64f3bd4385fbbb7e9c66dcb661a1eb6a206b0c45e3aff3abea43fbf3b454926e1ea93089fc59efdefe

C:\Users\Admin\AppData\Local\Temp\seUMwAwM.bat

MD5 873373e8a04ab84d9c22575c0a716b4a
SHA1 b21afdd984b5f14f9857294e0285d5beae463bbe
SHA256 2ef4aed234dca90ef8769e755ca300a9ba5a331d592f983ca9619bdf29008f84
SHA512 28f4764ee00bca974b5b8f0451ae8fc88074f54b033446b7bfe3a26391006d0ab469896ef302f626da4871ae6d868121d399b4cbd9da5590d8bd8a60ee3421a4

C:\Users\Admin\AppData\Local\Temp\QqQUYUYU.bat

MD5 d7994b87bf610547325d6f0da61e24f1
SHA1 e83ece8f79e66a07cfebeac56b080b45fef3e053
SHA256 ab6de24c163a6ef9a6839a2aeba7d58fc68ebca34dbe6a8a52d6fb537537cc1f
SHA512 b7d4efa93f3f795a339e63d6266c7bd60a6c40b0b146513d9d5fc9e38fd52eaadd8cf35879bab2248fa3aed0aee2a40173cb3cb8e616cced225ecb560e64ac08

C:\Users\Admin\AppData\Local\Temp\tgQMckwI.bat

MD5 611bb8ac9d4b96088b3310aa84ba68fd
SHA1 6d44e67ec3f6126c1afaf156f2584f4cf64dcd78
SHA256 12d54d9ac05156d343d20f6fb062fdf6dce095ed82393399b98f28aba41dd993
SHA512 82fad8e68b8e8a1319ebef25025bd685365207f390a8b6eea8581154fc01d43ce5ba44c32770cb4da30bb9f8701ff8f137c28ae2fc9a2ecb0b550d8de643ab47

C:\Users\Admin\AppData\Local\Temp\tAYoAgAI.bat

MD5 146e6c306c408308c552e1224a6f7f2e
SHA1 aea93e9dfa77b0c4c66a242c309da9846c857a05
SHA256 69ed676bdc1323c4c418ebff3509dc8bb1d1ff76d6bc57b8b00a43312849f595
SHA512 4d618430f5e2b79f2553395808c81bc0cd2197f54ffd646f6e6b5b8778e79a45bac120dc2d9fab6390d08b8a4b7b67a3d8ef1d8c09fe42c976292292f0b27b75

C:\Users\Admin\AppData\Local\Temp\pwEsUcEA.bat

MD5 cc4108c89611d79ed10a8fefd8b44755
SHA1 7db094705956e5334ca508deaf4ff721d86f64e9
SHA256 3ffc3bbbfec102cb82ece5ca9bfa66bfb619273f8e5b67a93eadaf5ebf7bb9d7
SHA512 6fea1cf96271d6072f1558dc23281e6ac2de48f6a69ebe3a04a7d69ef4ce7d8b1ace5afc3673bb49281aa95013c2fc8d49de740796ef4e4c0e8522f443849c23

C:\Users\Admin\AppData\Local\Temp\fQYEsAIg.bat

MD5 f14713f7bf3344c0e1ec9e58e64733b0
SHA1 72ea4b05421ca588905de95a0ca5ea44baefa8de
SHA256 3249a571204f2c0be68b750e78657fa712a8bedb1d673416443137b3a281e9e8
SHA512 e052f0e6d74035d77c5d3a994e6f5ea71c4b212bd0369bdcf1327256e5a9f32f4c2e17b4fd8f338eb1b11e229b8b1ea45b4f42831724d2260970c077ff27d213

C:\Users\Admin\AppData\Local\Temp\LcwwUsIk.bat

MD5 3345f3b8d2fe391fd3586b24f3d85061
SHA1 da7d4b16c1c18a560abe558957a48bf07e594c35
SHA256 2304e346b37c9d6bbca3b3ef3375fe8a726d51a418bea4cdaa9a96e7870ed17f
SHA512 f319a6ee3fd4d510573d11017d2cc0841cb96d7480831f5c4be8a2d9346662edeff623117e761baf47dd2e7c92aa6bc2c380b5cf52df8f3b4ea0ffdb1c4ab149

C:\Users\Admin\AppData\Local\Temp\CeoYsksU.bat

MD5 8c452d2c7b53fbe5655f9976d8adf2aa
SHA1 028002657c81989154a420b2d2af7c3c743be184
SHA256 2525b5afd08c3948cbef91e55094b15737d4de53fac826d816380e589fdb8525
SHA512 e884a095e284aaec565ce674720fe333453dc6e1646752a275e996730297b6b28f05501b7d0f6ba740fed98c03c01dbf08f25a0e4539fa6183d84f1533920ec3

C:\Users\Admin\AppData\Local\Temp\GIQk.exe

MD5 0753608f49611101ac2282a1c61f49f5
SHA1 5c41e85d815c41a072e5b7a446235fe9e6a6483d
SHA256 280d06d01bba895381be75cc657a3c4a851620e2e43cf4c4ba6832570ed2af43
SHA512 23d34b487f4a8e2920afb2e287ec7177181f632a3b0014d2c46808cb2e38c5b6a4850088a52c9de1f7bc21230eab527fb6edc742bcba7f51978a2346e872fc68

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe

MD5 968b14ea97e88ba4e2cd68a0bad71704
SHA1 b72b7c956f31300c3dbc5c853f8da0972a71b9c0
SHA256 6af0cc3e04a852dcc75349d54a348330a14b1f50a4f1b8cfa9045cdcc476238d
SHA512 ee8e91a1b960ef16ed907a16ae296f7e1dcf0fe19ef5f310eeb979b45539f1f5efc5dd181d40da943910f072f1c403fb9397a0a1f23eb0722c7bcc0199da56c6

C:\Users\Admin\AppData\Local\Temp\yOsIEooo.bat

MD5 cf34c9bf89c1dcd2b8538c4b087f9a49
SHA1 80dc43026c569c9939337aec5519b6cba9fa1dcb
SHA256 8798dacec17c8ce175145d628d240ac4a6178d2225cd20a5638a5f76bdaef2be
SHA512 9e7e241cbdb59b6d339f59c4994e169e9fa18efa7db8f27f59e8991b144ffe92a71987db72ea4838f7720d2d9ab2a69df30765a02feb67f6657b7ff2e97063fa

C:\Users\Admin\AppData\Local\Temp\UsII.ico

MD5 47a169535b738bd50344df196735e258
SHA1 23b4c8041b83f0374554191d543fdce6890f4723
SHA256 ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf
SHA512 ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

C:\Users\Admin\AppData\Local\Temp\iwcA.exe

MD5 148d339353cbd97fa5022dc0e1babb3b
SHA1 f638cecd0d296195c2ad2c6ccaa2edd552bc5809
SHA256 168e5fa70f25dfd6185466ae3c467c95a4028a03a00975532b44cea443bf16b0
SHA512 9ce6b670235c2408f5a893d601028cb075f3532872f4ebb689a4267b13b77acad583fa8dfeef323283ef5c80cd3937abb041e5287b784e82c925725fa2f32bc2

C:\Users\Admin\AppData\Local\Temp\WIIi.exe

MD5 b8968a08cba079362bd9f92b58ffce33
SHA1 64d2ffabb76a9ad13e6c9d6931068d8d40ea57e6
SHA256 7d1bb7178dcdee24831457c2736625f0f5318238f4380880cd3c1da1764a8426
SHA512 8c541f51185412b19029f117d5c1bd6b75d43687e2f2c61b4eef39e3dcb441f7132636c8c4ffd7f4a1952295341e8aff478e125e58484bf0393b573254f846b6

C:\Users\Admin\AppData\Local\Temp\ykEO.exe

MD5 b28963d4e7fdd47e7eb877d92a303c9d
SHA1 5af695763f98a591896d33bdfd2403c0c653ddc2
SHA256 8cb927e1b7fe1e2ed9c09b789d134fa1b62dce8a41d6b2fa71f6e4ae9bdb3115
SHA512 f6627c2c54c3c5a64b140c3509087672017c84d47754673dc5a84b39ca8b96c7061eb9f377e0f2fcef37d779106566c21556dd734b1e2749b0a8cb2efe381585

C:\Users\Admin\AppData\Local\Temp\CcIM.exe

MD5 d701a3dfed69042c28b20703a6a8f67f
SHA1 5e08540ce5b622f39e4153b9bcb5f947478e9b58
SHA256 bb8ac196f65d20caca4a4f9335b95a68465a4870670ba8522e923de29ed79166
SHA512 b5b01a9f98be1476dc6be2f9199f3b2d3b7126c010cf9388333366bc7f96f7d82abed7091bf91a1e2cc3e522916c833ae8960ca60afaddee56e4caa55bc86b1e

C:\Users\Admin\AppData\Local\Temp\wYIoEcAM.bat

MD5 20cb93fc8e794a381add372a7be82d09
SHA1 1e1d72cfb72bab81a69c3fe13f40ffad6833a75e
SHA256 82c665a11107f88a7d218081f52dececc2dd076aa278f8ee1eb6ec3f499580b4
SHA512 a56819bc8162d2be21314bd26e0c8009a8a88040907c2bcb2bf3e4deab255608164408aec78a548089657f44e8d23216756d5bb49e1fc2f1483644e5e8d2dc38

C:\Users\Admin\AppData\Local\Temp\GkMc.exe

MD5 a1baa2b9afab667555202e4946f130a4
SHA1 3bfcdf0219cd4eca1d114035c461d368cfc7e76b
SHA256 5e6998ef5b14d486e347a704ae16dfeda930e5378818364671249433d895d1ad
SHA512 f1659c1df96a220379b45b1619861fbd8b429c1822c42961bf79c398f26aec1efd310b248ab3897c7479401894d52ba78a0db61a74dc64558a4d9680de8720a5

C:\Users\Admin\AppData\Local\Temp\Ecww.exe

MD5 1067df48f42cc4d0e67fbfe3127807cc
SHA1 8831fec967c234acf2127e3500d73d65db02a672
SHA256 89ee49a704b3ef134f4c17b925e532625781e57f0feb85fc7c0949063294f625
SHA512 1b61707aa8ad10bdd79b0aa5085deae79cb95f18a3120ec0fbf09e1daf498e7a1b692a44fae420ae07a12ad922794bb9a7dbeda4c0137a2bc14dc45e6e5497bb

C:\Users\Admin\AppData\Local\Temp\kocE.exe

MD5 0c91d86bea67bc2dbef0fadda1cccf56
SHA1 081c9293f34f5b963d141a18464b33b24195b098
SHA256 c049194ac3e2ce9de45d74cbd59086cee219d99af58f5d179cece0841cade87f
SHA512 d1e24427fd14eb2fe2e70aed003b932d43dc495fce5b8bd683f9b4f0195699939c6f3e31cb10f600544f5ac1453a9a65e09a18005813dd744790b38e564c4fda

C:\Users\Admin\AppData\Local\Temp\OEIs.exe

MD5 88fef5e3c7bcf3ef4c10d13970e51c8c
SHA1 adbe16116fa4fb90940888d12aa24eb41a2c0fcc
SHA256 d0bfa92c012003fb1baddc88a86f09b1e6172812cb6560688d67597faaa1fc4d
SHA512 f8f575c801d69cac5a16d8fe83bc1cc9ea06d7002e915ff439f10ba361e71ae4f121a5ae431d1ed4ca8b825ecc4e9a736b4a04af9a43444e9c232e1fbabc5fce

C:\Users\Admin\AppData\Local\Temp\KEwQ.exe

MD5 90888bba1679345f626c178a366ecf7b
SHA1 227c6815f52da41951f9848e265a2bce8493ed2f
SHA256 1d885b0bb249726b8582e6bc68fb48167a4b427b6f91250660269690b53b8cd0
SHA512 591c0da199f086ad73d777f14658caf06e1737404b81644dc600b98cd6a1e6c4f2c2a246cdedb0657034818e7250f6570f50b81ffddcb8a030c884bacbe279ea

C:\Users\Admin\AppData\Local\Temp\YIEa.exe

MD5 c5f8deeca018bc2436afc09707cc39cf
SHA1 4b07d7187f930dfd5bf7fa13226d562e49a2f1aa
SHA256 a94dac6770f56716d2f28bbf9eb43c2cbbd2edf989d4fcf68897ccd577e2ac35
SHA512 19626ad363366270353a157fa7bb6ca30b7aa5ebdadbb0e21e087f539901493312064637fd0c420ac1277e0704c7ba0513b38dac892de5e6a066fbad9cf8393f

C:\Users\Admin\AppData\Local\Temp\Ekoc.exe

MD5 6bcab0ab531ce48ae58bcc79d7119e67
SHA1 6876c38e87b98a4138213fccf990cb5a7417acb6
SHA256 7739902667195b959b1ad98e87a930d9ec36a461c2cd02de9d5d4ff44ad9c3fd
SHA512 a69cf83476d3b1b5510ed9ca8c8a2a003d6f1db2b47ee5b7f9b85137d54551ad17052a410450b1bf2b0496d6b621b6275d466ca1f0e47bb30087ca7ff7ecd8be

C:\Users\Admin\AppData\Local\Temp\MgIm.exe

MD5 8ebb545fec1cdef356da218d418448d9
SHA1 2b20d75d6accff9a32de00178dc32d3b0d438425
SHA256 3ae97f1194f9e8ede7bd4a6407d5400faa307d0a357b2597c136a53a737f9c07
SHA512 b0afecb25d204bda158fdd43def49a069f40d4c84dbc5a6a88aaaab14f27885508e2067e40e365cb17c09639bf4150c905cae9111f767c2f0ce9a868cabe4e00

C:\Users\Admin\AppData\Local\Temp\GIUO.exe

MD5 cfbf77184c8c6265c6638cd4b117560b
SHA1 f5c0fdb76c09e14b20a946accf8aae8a7fab2cd5
SHA256 5400e43d1bf4e3cea41c1f3c637266a89d2f8257fd155171bbb04ade5cc40cdd
SHA512 14cba8988178c7d8293e77c3ffc671cbe6ddd9f1961d7b0e6d31efc75d16787efdde5fc216470d90502ffbafb398b91281621ed53875d38849d6942f984f72dc

C:\Users\Admin\AppData\Local\Temp\UkMYAkUw.bat

MD5 96b36aaf63ee6ae7052a1c27d1be6f2e
SHA1 8e4959692a157963b82749dfaa44809c5f7be9dd
SHA256 f04c904e2a572ce02b45bb8e0dca70c1a7b08d47ea96159aa71d3b0ddfa559de
SHA512 06e8489b943fc4597a530c709b582d70ce507ae1836c94dc93a82fde3588ddbf155adc528970258437db2265dcf21be76e3c7f43941d0ad7cd9c2aecbb53e917

C:\Users\Admin\AppData\Local\Temp\oYkq.exe

MD5 70fe5b0c8e9fc2d1c3e1337c46fdc63d
SHA1 2a67b497b78da63a9a5bf6d082cf5decd5cda8bc
SHA256 9475ebfdcb54df35346371de6067af148b07452871ceff0c31c543f6b2e418d5
SHA512 ba7b08cd2057d515e2c6ff6d33fdb93e50206506f11271f4d26a9af004f22f5779ebc78d2dbc4fc24d53683c15eb7e11158aee79aee3c261c563dcee306ed7b4

C:\Users\Admin\AppData\Local\Temp\qAEw.exe

MD5 c4e6c8d652a218da58c4d6eb2805eadb
SHA1 0a470a21fe2de6c9ddf91b29085bf9f2a26f32ba
SHA256 5935e405cb3c70575fea823af8b4cee90080434a6fb680639f5296d1a7039372
SHA512 b4cf62e27c34a3b86560292552b64521a1af76345ba942c6516e07cae7e00643bcded52aef65a22a643029fbdbc3d0a3de14e314d0208e047eac76948d94a31c

C:\Users\Admin\AppData\Local\Temp\QoUw.exe

MD5 7ab4877c78c5b34037fef9e8b82414df
SHA1 97e8118eac89968f90a06ae16a2caa0d4ebee88d
SHA256 b88ccd32559afd34994e862c5daa8f285e62e0c8163e85bd3fa97f08a9a10c81
SHA512 f4489fb90828b05a29a6015186e78afca4d992c9711337ddddf9d81454bb9d0c3b8caa267eacfc0348dd85e09c7f299358c8b1c5054d3025843e2fc9909dce18

C:\Users\Admin\AppData\Local\Temp\qkMW.exe

MD5 38b9926d96e1ae1bb8a895ef13c1b19e
SHA1 30c78b3991dae911584a0dafd12d8cc3214960b9
SHA256 1edffe323bdb4c116e4839a8c67f527ef04b81489525d4d5a9541c5c5524b51f
SHA512 bf9484b35823b23e319b52d78c22c10805712054d2d372f206f5d2728b937409a209bfa8fb5b95e4b33c5ae567fc7138f2c74814c522fb7433ad80e8490029cb

C:\Users\Admin\AppData\Local\Temp\MkUg.exe

MD5 bc3afd72e28f2052c7a5b3802fc2ca5d
SHA1 f97af224e56503e523821dc9a7be3deb1bfab702
SHA256 94377f0d995bfb25b407b0f7db89a2a17e2a5b479c9c5a191eabdeaeca6b2f39
SHA512 aacf8415c14c9d2fa950ad9266e325945b4ce6a60a6b8ea2c4ae5b3d47032742d39ba2c6c63d83b90ee168a19e94df6a29a71ddc10776c5ba53372cf71fc3c3f

C:\Users\Admin\AppData\Local\Temp\uYkm.exe

MD5 9638dc7579e9fb21cb4bacf86442c36a
SHA1 1a409736c5655887e34f7834ef78c37190feadc9
SHA256 a54cf4ace7a12a3a15762c48380aeb081c1face85badf5e80f7ff001cc80260c
SHA512 53125e754965868b27c96a1837f59eb91b76ed42cd6bda942c1b703dae5ef035fb22b72b5c2f068874b047cb57929ba03effdad7ecfc3808254261a5c7b40f30

C:\Users\Admin\AppData\Local\Temp\ZwkIwswo.bat

MD5 35eb7fb133886ada0948c475197792b2
SHA1 535248b56d09f4cfbf23aad2cc4615dfd4de27e3
SHA256 c22e5f26c9643f5bcf011472e9e2ec36868846b09ea03f1e13b5d2e12e010f22
SHA512 13536bc5aae8150e75d2c99e933ac548b3f022bb02a22be2cf86bed2ce4708615227e20ca32022c25381fb42d356b09b649b92cc66920d515e22ac277e9c0999

C:\Users\Admin\AppData\Local\Temp\QQIi.exe

MD5 d698b8e956f60acd3150871bff3fa399
SHA1 e98bc20e16eabe51baf084ebd5ac1f429adda51d
SHA256 1a673a1b69244203ac8b3bce785583d3700a40d17ea7808e759aa0d51bf7839a
SHA512 61e22e93fad59190c92443aa9ad3a6a5c9ef2de2a1938cb2853b4ecb42314b7964e4ac3a15ee95a38b9016a07e7bd345d97ad06cd3ddf7d9ea35e11a24ce9c4d

C:\Users\Admin\AppData\Local\Temp\eggC.exe

MD5 3d26803cc8160c3e6254ccb1206c9d65
SHA1 679f00d00b0f9f7dc98e050749e6280b07376ec9
SHA256 848c6b9315f59473f3ded3e9dab2d9da058866c7575c5c2465143e7124834130
SHA512 554dd2526cb3ed744a0182d58956cda4e69587c8a36a0a392e362642956195b80a81dadd2f5ba2ed285af3c5ee48187f371e9f76eda491f83e1f69c42993cd07

C:\Users\Admin\AppData\Local\Temp\CMgk.exe

MD5 e53ab9b796b4ac36ca48ad20ed899876
SHA1 08649f1298af267d44a3a15469394bd489ad5d97
SHA256 ef561be6c78ab5bd7a77b61a9cb9b071a4ed6713f205a84c1156d7ba22e9efe7
SHA512 bdcc2b2bf455baa1c1e91a90d42331f3960d864855cd4cae0cfef42bfef9b2b524687184f5f08c0e9f410039329c4d8ee76ad8f38daa77c931d96eda05c45deb

C:\Users\Admin\AppData\Local\Temp\UskE.exe

MD5 f029f2c955c699ecc4148696dbee6448
SHA1 8295cc5d3a07b32aed63508a5f987e4c40e1350c
SHA256 4be9d8dda4ad40b068a20c9a4ee70e08dd9fc2dcf7b3cc628ad0b2ee9e130031
SHA512 8b32536fb8acac03522186977bc7106c7a00b5335d778a48ba42c85aea1a0bd2af46bc275f3dc72f70c86296f7397df474d28a225df36d8aad6eb09f247bebb0

C:\Users\Admin\AppData\Local\Temp\wkwM.exe

MD5 8facf37ff8421f78138426f6b08f840a
SHA1 ad63363219c68929a4ff6a097ccf75292e85e83c
SHA256 3a723faccfc8c57d14f34c7121165c4a5d013dfa2b8f17aa6c9fc29e5bdda7e2
SHA512 6c8e79cb9cf0da8581ab7ed121666a70fe32def96099f3e5e3ad9f5f4647749c35b74e95efed46f9169550da31678a9a536138509765166e9309704b66fbaf8e

C:\Users\Admin\AppData\Local\Temp\wIoo.exe

MD5 6c396d1d40a3cf3a2327389e77e0b507
SHA1 e2f61b5bf22f80a43f905d7e91c81e0c5f8dafb2
SHA256 3d2de45bfac27e1ff9460c59e63e4bc344d320d2f5abc86872111750367ec926
SHA512 f345bd271f8d840842800d347fd1ac35f118c5d8e1035846479ffc84732035862130aaa83cecdf4a4276ba5da8716d0cf108243337eae0aa143547cf658cd758

C:\Users\Admin\AppData\Local\Temp\kEos.exe

MD5 d9e0efa2233a448deca1d8868f23ce80
SHA1 00afeb5a3f92bc5e5982e933bb5d5a689b96c9ef
SHA256 7aa1245dfbe48ebdc23679df1e2e699dd4bb5541e127768f5135cf4d5b6a693b
SHA512 3c82d6d2783774508efdf346feb858fe0d5b9dcd20e902a24212115924ad902243d86aea9f2f46fd427abad6a3771703772ede2a323d30a16b423efbc41f6cea

C:\Users\Admin\AppData\Local\Temp\kMsa.exe

MD5 512e231dacef138c8c19fc2c3fffab00
SHA1 595348d62919d9d1a9f925ba1a5086920aeb87af
SHA256 b819da149467e72c9d869fdd38dde400ce49b23b2e322813f88d27652e92ade9
SHA512 032606bda481a50524ca38e9d5241e98d03869cd24760ed86ddab22d66efec630c1dec2e1bc1acde29142d1d6360990e05a638d67869c1a8e54e5f40fd11712d

C:\Users\Admin\AppData\Local\Temp\Qosy.exe

MD5 6be404df504e53efed646f3673b73fa7
SHA1 3d9a2ff9456d96a44d2db61959ef0f6266fa446a
SHA256 61432e0cf6350131d08f90ce94c8c7878e7c84aca44a3cf09c69d7bbe7c374b8
SHA512 2aa47d10aec0406aa99d5895dc36773a32ee9fcb638f09e1eac9c068454bcd1ba8872fb13c53fbf49e0a9f859725ab33c17640292387fd27aa365d1f2ae62648

C:\Users\Admin\AppData\Local\Temp\poEwIcsg.bat

MD5 ece46c53af45815a9a4cd7b8c854dcb1
SHA1 0b4e3e78e1f4ec2aeec693c24b44e17666a018d0
SHA256 bae333e37d69bba8562a594460c97c60db20e74b54ce14d56c253e915a5de61a
SHA512 5925b9b257dedef2cc160b83fce4d55ab0110f8a4ac41165a5339e64de8467b5b38477d75dc0a67ccdd5be5c71901574553f7db81be67f38b698c66990aacd34

C:\Users\Admin\AppData\Local\Temp\KIEe.exe

MD5 ae1579745bc57f37c5b6ce696adf6ac5
SHA1 d50f310b61b498fb5e4e5e77ad48422f3a6d92d0
SHA256 2c2eafefe1c781976aaadbd6812c57a41ead61895584f93c928ff9808d4a06a5
SHA512 448749e7ff63d30edf530cc9a213d38a25bb556245635e2a3d8857ad753f7d600119504a5f93ea9f5291815ed2876a1a4736a8ab6f9efa0871bef1bdef36f86c

C:\Users\Admin\AppData\Local\Temp\ewAS.exe

MD5 44e2de7ec019b8765905886643b5858f
SHA1 1d544f0c9175529fa4855b31aaa73902e12d0275
SHA256 6764fad52fb59f097a96a597e3e5b64851bf71ef58e6f2ee2425e1a998d8b26a
SHA512 0726608085ac957232a567da6ada60edd9b63aa27e94cfa4ede1b4402951ca6f324eca958f640fdf8c15e14c6234b19557411e55711d520190f5229bf7100634

C:\Users\Admin\AppData\Local\Temp\sQEq.exe

MD5 32996c17aeec3166abb89d9350be9e2a
SHA1 63067e73b4def047bcbc234c801f8faaf4401d21
SHA256 213423768d9b0ef79bee974be5c88ea74bdd17a0e83371c7e7cfa986dec2c637
SHA512 61ca1f70e4ba4e8f90f413d613d59b93d79f816b4d5e693f4475c951d3036bcfc25acb220206c01522a79db70796703bf7e8015d517aeba7516a26bfe1c90c98

C:\Users\Admin\AppData\Local\Temp\uQwE.exe

MD5 0dc403b9c84abe7b205111db6c9adc12
SHA1 6fb4a8bca766342abef13ac1b9a50e7a54ad8466
SHA256 9c47780a80de65d79be339162e714d1a3eac147e356078ae5f0d599619961cdb
SHA512 760a382fc10064f66b3d99bec898c86be19f9dc41ea8c7450e6c6036719f41c8a8e905110ba13e3e648d4097f0e0a3bb7f050646964276705ee4aaedc3697dcd

C:\Users\Admin\AppData\Local\Temp\GoIS.exe

MD5 c7d0c1b2b0c5b61001ac429bd8648cea
SHA1 aecc236fe4de92f20944a587e76096b674578dbc
SHA256 9729d3aea86709f03722f5a51ce9bea00f397187011876c87ec19c028d2fa5f8
SHA512 978781f43e0d3da9f912167fdb627888c78bd0d97f8b623671ada77a10c85f3bbe6616899015c6f2e80ff78f7313c796ec1b9125fe00969c0c9bdd2480c9561a

C:\Users\Admin\AppData\Local\Temp\Ywgg.exe

MD5 6026be5ee9ba84496235aa81d8a2fecc
SHA1 d8a94b44bc70b59834b266fadd2058d522e9488c
SHA256 7b1f06216e9654646658d8d451375ba2ac8dd85e820d39a38073e4790073f126
SHA512 05a0a2546b601c37c9df82cbd3096d9430f9c21f9b335d651497d0f89b7866fe94224f1e0a39c87cfc47ca67729abd573d1bcdd28d5d1fd196422eb50967165c

C:\Users\Admin\AppData\Local\Temp\YsYe.exe

MD5 2518e29bf96f4bf8b7f3f85b0a7c137d
SHA1 dc0da86cdd01bb5ae6a63e84b9aeb58de365db28
SHA256 2b157e123ad180d182620b3b56373d7c55cd60a14553ca548e8664decb8659f8
SHA512 342933bad25d3f350e45b7ff34f85dfffab9fe280796dec4d61b08e074f9bb419e3de7cab7c21fb2b6d589dd70bf393cb3f022ec2289164638d0304ecc1fedd3

C:\Users\Admin\AppData\Local\Temp\QwMW.exe

MD5 a6db1dcd6872c50125103d986a3341dd
SHA1 30d203bb6cd5d6e5024d06584161baf8a9ab95ac
SHA256 20f625aec442fcd70a78e40d7f216ad4e7917a36c1c1129fe936ebc84fca6730
SHA512 b929a2590b1edeafd4a9cc8d3a05235e118287ef481c41fcc804d2479e75f4fdc3ef41753da05be7d7dd3fe2b11f7951d331eb515c142e0a870621b0ee36be48

C:\Users\Admin\AppData\Local\Temp\QwMI.exe

MD5 fa734c794d298ea38dd60a43871b05e6
SHA1 3d0761b756f39628e62b8c9eb0c84cb4c534f4ed
SHA256 b4bb803514067094d381a5baac9b44ec82e0a501cd057d39010e00d150048cd9
SHA512 2f533516fccb31cc9378f5f75bd41c87713503b6981b2960899aac073343fe8a96a04a27ff72000b2159b07a2f46c98ee33f5e75f3f3d3917e948f6f8be81af9

C:\Users\Admin\AppData\Local\Temp\dOEEEAYk.bat

MD5 74c9d09f74d07a2ccda19cb5f037240b
SHA1 070c30fde571f080e84048889dc05327d7e2b8a8
SHA256 1abff3745cad3c038afb40545704925d35d56c127b2aa960643e3b706d30cfbc
SHA512 482b58823f00dfb0e44b8277c0d4daabc9cfc673f09dc0aa018f920a88e1a92b7b3588ae14175c8a0e7895b730763ad5e59896b7f706454276fff285e30549c9

C:\Users\Admin\AppData\Local\Temp\KkMU.exe

MD5 6235de9bb7a7fb9760e3d440d9990df7
SHA1 542e2013605f9164622f7320ad47ae99a21a099f
SHA256 6eb2e01bfb98bd76df5187952f3897fcd67742109d05e4f57e604e67f18bdc49
SHA512 97951df213aded694aed7461cfdf18e8db85e5228898603520a4f40b57c8c050a7de07c72efd6c806bcab4a84b4835e59b46abd5cfe93bc127c84d1126a11cfd

C:\Users\Admin\AppData\Local\Temp\wQki.exe

MD5 af462c8d5116bb03d71f7540b743c9da
SHA1 421f3f4cf487b9b4a8fb64dd3d54963517e06395
SHA256 366c75480d938f1f8eb5b7e5065904ce0b2bfb8fdd1802696a8fce45aae85bd3
SHA512 e881f6c3c47f571df2a09be27fb491dab3f82fc1a39e751e31e5e1b9f6b1640463377cc62aed6393007f2349cc1bd123395f2896312599c8c106f2d1c75f75e1

C:\Users\Admin\AppData\Local\Temp\OUga.exe

MD5 db0287ec11cf25a77d494b305b301a1c
SHA1 1d7ea612a47c7aca344cda4241a1291067376a96
SHA256 c22a540e717fe1f9bd2ce782c548aa2cb10502823bdb151018c94fe081a4e377
SHA512 b60a67386de61d9748c4ac7fadfaa0e2ec25e6152e339204efe1308947265feb8cb54724d308a336fbbc71c89354f88d57459bb34e6bc8310e12690b8ef6c5ee

C:\Users\Admin\AppData\Local\Temp\ggEC.exe

MD5 ecd7ea7a93ff8f2cdb76f4604cd38d4c
SHA1 53092754eebaa7f5eddffe8ad826668d4690d7dc
SHA256 ccf9ecd728f7c0060ceda2149e54c41eac1a9f9b446b228c7c722d4bb18f7f95
SHA512 b40daf9d21884d96ef877d5914b85161d2a078de9a66438fa05a8c81269ee5a7077831302148b2719f262c22e04ab804d275d3cb8cd9c02b860dd0e877306fd4

C:\Users\Admin\AppData\Local\Temp\xOoAEEwk.bat

MD5 947b03661878aa50af8fc9a1ce4500ce
SHA1 442843fba9471c100a06a731d056a75c0609dcf3
SHA256 cd263f1bc29ec7d419d29cb23c69ff841097b2bf06ecd1942de9ef6fff6bddf6
SHA512 e5ae64cad0bc067a2bf0e79d82aebfd8cc6eefa622856e5e5608d7a201c7f54a9df76592d0c1a5a2b67a5cdc50be8121dcd83e3f1cefbd6ad815cd89a7d52550

C:\Users\Admin\AppData\Local\Temp\Accm.exe

MD5 b154ac4fb41167894e888ed092eda383
SHA1 956f287c4506af101b0152c58a0ee16319b7cd67
SHA256 e4ce94b053fea89e9f01dd095b38d4a3c299c7c2b61c16fd9c3211a2540ae18d
SHA512 a11052279e7e9054059938c5cd954ee9699e763eef462aafea3c3c651a6f237767258f1991d06ec40ca076a08a907c9bc29899a71eb9d662fabb528159cd294e

C:\Users\Admin\AppData\Local\Temp\msoA.exe

MD5 8b34315078b656117271a69a02e8ac48
SHA1 215d038b56c08362eecf0493271b0a984a03036a
SHA256 4deec666760cc1060b462a0e7bc11a452ab37bc14cef91947f18969602b2c736
SHA512 23e89ed49176a71407e13060b4c5f1218de5b3dfa61cc3f6485fa3809334d5022ac8218f2b821ac5d0e49f6ffe5da7b54c1a52001753650a41dd31d12211fcb2

C:\Users\Admin\AppData\Local\Temp\Mcoi.exe

MD5 bffebf8f831b7ef25c7b664096575db9
SHA1 b2905ef9f093a2194eb2415e79eeaa2ae3762412
SHA256 142316cafb520495750d2a74f98e2e898ea7f9f2fe5bd9b758bdbf578a81b4bd
SHA512 b37e5752419862111ea65476a878d4377aefbd61ba4ad480eb92926bd056066e16af59f34f2dc3c45297d31f722a927c4e1aa2a7f65908f681c6bcb2c81e5d04

C:\Users\Admin\AppData\Local\Temp\SwUI.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\Users\Admin\AppData\Local\Temp\YQUQ.exe

MD5 ca5c7ad65dc91fdec55967301b10a6c5
SHA1 b2f391877c88d3b6806ecbf15af4ef32387e2434
SHA256 ae59e4da33eddf95ae6348a8b8667c696bedd794da90dcb4c4c72343f2168196
SHA512 170bd49368faf5d3341a74a6e3fc00fc10b1fe0da2a04a632a4337cd98f171cbfbdba921360a8efc545579c7f57863e497ce8085d55125cfb03908b82ddbe230

C:\Users\Admin\AppData\Local\Temp\yYwi.exe

MD5 4939b967bcb13bb502ca9fb658a3c1f5
SHA1 3a74a1668eb98e4eac5e528ff7593c8b5861c797
SHA256 98dcee4c8402c6d5296544c13fe2b2ae96946f7ac82115916a795235a3c5b651
SHA512 5b7de178778a686ed3f4aeff39eeb14390f1b3fa3fc9b2e9a8eb5094ac87b7b1ec64d31fc55b0c6d567f6f9acf359f1cacdd0b798c478ff740b3a56c52faa43a

C:\Users\Admin\AppData\Local\Temp\MsAA.exe

MD5 62e6db1641fc72635225f616f7feb437
SHA1 3c8f7ac88a9feeb4fb0cb7481cb81f5d179b019a
SHA256 6a89847d223e46495f799c68b0abcf920af25c45f5f34a686091d3e6f70a492d
SHA512 2c5c6ff7c9362708803ec074ce471265b7fe609319b5795f30cf1bdecb86dcdca429dc362f6b59408d2bac7c01114ee04bd5e4ffce15fabf605a85892737dfe1

C:\Users\Admin\AppData\Local\Temp\gAkkgUMg.bat

MD5 372a9b670431077e7fe12aba80dbbf92
SHA1 358705e1c3d89b1e69ab6cc51e77bae7255bcc3b
SHA256 2eef9f414109bac567a773971504c1d7e46b5f1016d64143a0426eca2d8b418e
SHA512 39d5f02c128228ea4a8035400a69497becb01ee7512636ca7b92af4c667e01261e652594c806fd2b5cbeff66e7ea176248a18ed71d220608233ab7702b03dcbf

C:\Users\Admin\AppData\Local\Temp\AioIYUsc.bat

MD5 9cc4a296d2433f9a714fd416c33ba799
SHA1 64d182937b25abfe40a63224bac656fcc97e8c90
SHA256 79ac0d0194a4a1796d6efb75684ca4aba095d7631aba1ebcc0a18cc39aa692d6
SHA512 5ec1500aa947bd8d1b975503b9baae6121f037408e0d5913e8c7b4aceb6f423d1f651cfc82dc7e8ee7ff368aed0b99ea6cc338aae311fb793c6f4b5b3dbfb2b0

C:\Users\Admin\AppData\Local\Temp\gcsoUkUM.bat

MD5 6dfcd32c067bd1bd2178c9df234be2c0
SHA1 5b19b1c61b0f7eef15f54f4813ffcc847a7ca01b
SHA256 144b095e32153af28a13be40a12b75125e453bb82576bb51dd2410a9ffe91d02
SHA512 314fd4b5fb8dbdda119bb46b5f4314433e8f0ca8f7307a52fbcc29a9d5d5b76557a27e32a269b0ab717cf4e71d9b09ba68d0e5cdee2ea0d07401b865b1aa5334

C:\Users\Admin\AppData\Local\Temp\mqgoEkgk.bat

MD5 3d8482843dc4fd5fd9136ac83df4f2c9
SHA1 9ad34178ce0a1f69d726b411944992a6c0e5eba0
SHA256 d80b84ed48f2479baf87c105d47cfad7fd86fb0cf41ff135088adc3900aabc3f
SHA512 52672fcb93d1053fbca46483fce8902a88e73d88a4e8c33af2635dc3932b4a7d9ecb4ca58134e9795c8d8b2577f6287ac0ca5b68431783796af19887ab4c9034

C:\Users\Admin\AppData\Local\Temp\vOwQwssU.bat

MD5 c1f50d77a2a4ccf7bd6168d1654a119e
SHA1 99b3ebac6f841616cfb58ada9cc8f0de8a140e77
SHA256 4d1c10cbcd4695125551e4175bf19b14c26e1cb4f97e1d1cfe9695e4f5510fab
SHA512 ac5e593dd25dc52ba3b6ef52816fc10e45a652cc5b91af6a5f992aa2df369ff3ab2d2ab65dc21a739dc219f1ecea7a581c6ca6284188e85277f10261a2c20d4d

C:\Users\Admin\AppData\Local\Temp\TSoQgYcs.bat

MD5 8265515dc2ef930a8e666c8dd3125082
SHA1 cdfa4beb66750e07a57a0be7668031528f1bb25f
SHA256 686a1e6b048e6aed682d7812663b0f7e674f94a3ae8db52ae8150b552629b8af
SHA512 85777804cb99e469583117be7679d594970f03825b3f2127bcbc136fa6ff540dc49b9ad060c37ec79cf4783385dd41a637d8ddc57e7cd848e4a704ee6cd2d769

C:\Users\Admin\AppData\Local\Temp\RMMsUYsM.bat

MD5 accb033331c6aa0f353313bfd42b43f4
SHA1 7c30edb6796cfebb13e88ec8c702bc217e40c4fa
SHA256 8f55dd4f10ac575cb16e57359dc3006b5918d018a850f7256c0567af82c3e482
SHA512 156cacede482d4b95daf60eee59eb7052bdb80ea8fc6a44d25cab95b2d0b06f54dcf0ef2fcb013cab5456d2c6c57e6152c32d5fecf60e37b34297fb9d4b35e72

C:\Users\Admin\AppData\Local\Temp\rqgoosMA.bat

MD5 844a36151acf5a092aec73d334a9f588
SHA1 3b24d96e9eff1d3a9c7d98af3492b47e47e7cd05
SHA256 c2d6db12704ea7b4cabe8d75de58b02a8b5c8f2da75230cfcaddb25a89eb0157
SHA512 f04c9d2e549ee7b73a6eefdbee4e50ca386b3467ec7f8281c31e41b4c42afb77c4b962e44d1f768f7ab1bb2b05ab4cd94fc5b2bd89fcc7695340e13bea0b1379

C:\Users\Admin\AppData\Local\Temp\kOAgQIgc.bat

MD5 e11c92e507bd45feef14a2b7c2aa0586
SHA1 ff505a463668390aeb9b5c19b74f303e824367cc
SHA256 a55122283b437463120db86adbe97097d9dc710e5da47fee26570410d260be0b
SHA512 798a478143c79b7b2cce8f7cb971bd7b649d56cd3e7fd030286fe74b4aff4c43de87012f5d75ce6a89d051d746fedc8607eda8fdd76ff2d2890bc4357ff9d414

C:\Users\Admin\AppData\Local\Temp\mogU.exe

MD5 04536b1d051effb095da596401959f50
SHA1 7b12f3d040a671346073f7110cb019ba4c83291c
SHA256 7f5f106344e94a6e3c374016697ff06f91dc827dae7c35971be11c5c34d906fe
SHA512 ad6d5d93891d4c16626400fb1917d95fedec0b0b861da8d0214a9294269e2cb9698c17140ffc3c50c70a99bcfef1f62beb90bd0a021479fa5cd486196a355a70

C:\Users\Admin\AppData\Local\Temp\mkso.exe

MD5 d87048e36fe91cd827f1e6d04910a8ae
SHA1 db7069423072757847fb9efbdfdeab064075e512
SHA256 d933af853ecb9cb67a498c431e4a2bcb0e7ee16582713798ace2ffee43ee41ed
SHA512 e90e76eadcbfd8e7b185b67226be9717a82f0c47f9e2c2492b05fc7194344777844a0941cd0e968f76dd7786061ed335e14ebe6ea4364d0cde537cf1f4d441e9

C:\Users\Admin\AppData\Local\Temp\CcQa.exe

MD5 68d1ff2d63d2ce446ae3822bdce2659e
SHA1 8199e4c990e2609dd36e05fcf38bdb79d9ce1b06
SHA256 87514146bd23eb6d9a3270203e4a2491f04826c3eeae43e521fd7b3f0a850a2f
SHA512 d9ed490b5554917f7420bd706635ecf0790b63ad3c9078cb7ea0f938a6b03802205fd9e479660e05badc2163866581ccb973416d0efe3c0ca01f3a9df65b6a7f

C:\Users\Admin\AppData\Local\Temp\IUQsEsMg.bat

MD5 5802cbc4d788228c31245d5c70756017
SHA1 2427d67b970e2985309becb26755813090eaef16
SHA256 76e0f3e921739f9f7eba74a73160dbee44ff093601198b6a1ced6c552df2be94
SHA512 fe644f6364af3ffa7a06acccd97ff9ab1cee1fce113aac98b62e3a5f59245a0b8485318cccb0724dc78550e98b6854803202f00c0f1ed36dbcd4d62a82f83634

C:\Users\Admin\AppData\Local\Temp\uoUM.exe

MD5 738ab69676574717ba8c7127b47301fe
SHA1 4662d7b90b51e5a16ffaf5c07b887840356e6dde
SHA256 9d816183ba0c24731c0d87c4d333955e1c42c37be7c8f260b843b78768bb47c1
SHA512 a9d43f599e24008be7db0a2ce2888b1f21830a7b612e25b8048e17e5c691321b54b13ef632ed45e682b34a4fda568c11576f24ce8d2ae3746e8ffaa4cbcb170a

C:\Users\Admin\AppData\Local\Temp\Uska.exe

MD5 46064f37121db31589f7eb5ab1272861
SHA1 dc562871abd53bcfcbee858cfd2d11400f27ed9e
SHA256 abf414b229fda1243a99587a7a337595d3eafdec5954bfc83136ae6347640d58
SHA512 69b9bd569beafc2ab62bea5223a173a2816f0a8c5104c5c675cc3461c0714bce6ffb5b602f3f33cedd05315aaec400483580f37c569217432b3d53f5ab91a218

C:\Users\Admin\AppData\Local\Temp\wwwa.exe

MD5 edfd24f3acdc71b2f5d7d9d4d0e9656f
SHA1 ff2d22b04545ca81ce39f9cadc900b20478320ff
SHA256 a94af4a3e46fabbac1fc0ca9320029bf0b65a93e356f0ce6f3f6c9ff7575fb17
SHA512 099938db52fc11d855a194b36495d749d915f3405e9e2178eecc9700c0c68d2fbb001f9f52c707c5723346cd432c98dd48b62d695d08e4d0bfe42194857a1d34

C:\Users\Admin\AppData\Local\Temp\kEIu.exe

MD5 9573f5de5fe7218ea8638f453fb77d3f
SHA1 9742d5b74f5caa301e44849c9642381d51111032
SHA256 71a215cfca82e554baf678c585e254063fb4516c3e280474f198f82e06de4347
SHA512 20764944ff3fbf626f68b1d90cd437b920e817d545ed79bea9477880c03ba6aa7513899e57b2664113f0a91d44fdf13d0bfe4ebbb8e1cf035ce7228343bdcbab

C:\Users\Admin\AppData\Local\Temp\uQQs.exe

MD5 44ef569ed9a7616c8289eb34b247e633
SHA1 a826cda515035bd360e04009351161f50193c562
SHA256 ea6e49375f9cb221dac5b13b6a6364af3540091eb166929a3e0515ba5988a049
SHA512 2ad71b3417f67c7733ab663462c400ca32b91d63f14897c7af53bcba09649e449141b4edfe17065b263b5a0e0b53934a3798f37a314171800fd0c7c94f6e9fa1

C:\Users\Admin\AppData\Local\Temp\YOMkMEQo.bat

MD5 545d2cfd5a4c2f86f1830d6c0a16bbd8
SHA1 74c6ef1353bc8baa65201ef680335ea4626fcfed
SHA256 7d91e2427287af1836e69ff911d770fdc98870a4bf500ff9cf38a4ab9697ef5b
SHA512 652ac58adab4a43489aac084afc348d9d2d1db85eaa396a98441ee06751d50dfd862e30b6d5383e9bd507abc0d18f4baa705e1e209ec848f8ff65cbda234687d

C:\Users\Admin\AppData\Local\Temp\MIMW.exe

MD5 d0d4860c675ccdc3ef78934bd5901282
SHA1 80779acb27cce2b5fa10485bc6d286256b09fb2b
SHA256 25e7fcf4fe56856be5514c6419b4d42ccfea68eb0f642c4c1814a51805df2af2
SHA512 7f00759e7c1a23d358d515424e102451ead465df988e6879f088b33c3e23bed07fc1ae0de68738c47d66961ffdcb2e8715a3c54d1d428c39a15d488ea07476b2

C:\Users\Admin\AppData\Local\Temp\qMYa.exe

MD5 138ffbb81a1ad279a751bc38f9e0aee3
SHA1 b4959fed2ca3264d14e7863faca274367693edab
SHA256 6fce3207d89479430c06de4fb922db8190f4fbf7c2f62ffaa010fd35a47e89e9
SHA512 9f87935c39f999fdd9b5668742678baa6109852db501c00a71c2d773b9a651bb64260d4a5996d923e319c75f9a8d9c59c8ec1585307de6021eb0f2f032ce42c6

C:\Users\Admin\AppData\Local\Temp\OEES.exe

MD5 f5746025ae453e400d3e7888b90c3bcb
SHA1 ef7d88dcba14e6b47e068b2a82261a4509534ace
SHA256 24b7909709d5dccc4cbe19d31a2d94da549e5fd5bb9820bd6dac29bfd2d4549e
SHA512 711d4edbde56a44aea318a2073bb571a8ea640c4704e34cb12c5e30236a74b9dd356bd88abdb35ff32ff95175be544ed1f9ae92fe1eb47f1be705b9f041d2ae1

C:\Users\Admin\AppData\Local\Temp\UccIcsoU.bat

MD5 de0bd0e4bcf8951da263f34c33ea5763
SHA1 9f8e096412b105e845eefb643b0cc40d775f9063
SHA256 c6580a7c519bd8b2ecdc1f53da2224f517ac5b85cf189d55469c590ad2a5b718
SHA512 e96dcd67b174b6422fae80106d4a68f61115d155b3fd6e0fb0c52cf2baab04a2dede94e6ed2c0532261ea87776dbc1cc70f3e83ca0a9f8b3807c36f09599c26b

C:\Users\Admin\AppData\Local\Temp\CYwe.exe

MD5 6d92eb63ab252226f846a9f591ebab70
SHA1 6a7a98fe08bd521e597f3246c35f9a5dc8aedbba
SHA256 7af959aca9c9645f5c02d848a2366f2c91f969317c1238922258daba94c77ce1
SHA512 b65474e136b699553680822d7ec10c2a1a3eb798c7a08f755918321fd7276b04109f1071128478c0468c04c2e02902cd7f47127cfcce54a0a5b51afe657f2188

C:\Users\Admin\AppData\Local\Temp\KoQS.exe

MD5 daec44cb4532e3339d23b5b7f8854890
SHA1 30d4401d23c0a049bcf6393c13ff2e2b9183afde
SHA256 6ca6a23f8b2bd381156bf9a982cabd85daf0d227824f4a1d8fe6b13d3780a2c0
SHA512 0b6524252561791f11df40528e5f3a1cc6fc0b26b49b50cbf976a42441d5c30e18e76a493d74c5e3ae67439989d423d4967c894a68f1919318e48076b7cb7c4d

C:\Users\Admin\AppData\Local\Temp\oYMU.exe

MD5 f820b764e5f4853f77d89f4397e0d3fb
SHA1 8477214c7df4def68c44ef393d63e5be9aa2a5c6
SHA256 a3ef37f6a9c0e39484685433bd26066e34bf3346c7bb7777a048d0ed35ae227d
SHA512 042f249ffe15641ca0756dc164a846ca313b79a531a8f55a8cb0305dba83537a50955de322e51cca76c85ce65f1e05859ee4190768b8716f93d0809bed0f9da5

C:\Users\Admin\AppData\Local\Temp\IwgM.exe

MD5 897e52589674b22cd9a3e2e05f6235d0
SHA1 3f05d0456f907079b333ae72f1dce0bd83d4c688
SHA256 a85b2d01d80785ba01a0d0bd5bc0599e27fc46b314d86e9255d4cca05239ef83
SHA512 86444537a0781ff0c7c2e289719980ce4aac1359b4822c0729e241b488510706a21c2e8bbf83e2db481ed805490e8e6e810a29c19a90e87fab045982613f94ec

C:\Users\Admin\AppData\Local\Temp\nMMIckQM.bat

MD5 7ce0bb211498d6a27aa90bfc7b9a4d69
SHA1 050acbfcad860f0d9f9d21dc01fe6acd0f911f14
SHA256 85e97aa40ff1c85d58f3905989510897c0d318d2a39d2b74008b9c4c73c00738
SHA512 594d48f0929006732e392a2b4889816a805f32c89882f0f598c62e5f71a9b3a4ef53a310452ec57f9add4f0d1be499f8c07fe84db96d5c890902bf88fa04bae1

C:\Users\Admin\AppData\Local\Temp\Qsok.exe

MD5 0daef9db547b9e63ff342f12a00048b1
SHA1 19e3fd504036b1f740bb28f46453fe48da4d9101
SHA256 728426af162839802c6f510cdf67db98952d49cca0c3b673ba5d063b7d77f7c7
SHA512 1565680f9b1662034074533fdd331baaaeef60cea106580fca5d39ffe1f946a8caed3542652034ea7919831255bb127a2fc5ce97d6742c46f73f13d1c39078fa

C:\Users\Admin\AppData\Local\Temp\LgwsIUgU.bat

MD5 18ad85aaca8fa86c5eabf53b955856d2
SHA1 0b3dd6040e20b9b48baf9594de6a7e0ad4f5cc6c
SHA256 655e2525a6b7e4a08878e99d36a2ed39b362f35d4b58edb1fceae7c4c17f2c03
SHA512 bd37aedeb01178062c7342d9afe9e0d50186c603f5288296832e5c5e0aa2ca3ca0c6282708aaf484364433880331be877826aa30ecfeff7e88494b2228a4a05c

C:\Users\Admin\AppData\Local\Temp\ekMa.exe

MD5 87329699afc2ac1de315d1edfdc4b0ac
SHA1 e048b073e446778222cdc6a314c47abb5b904bb6
SHA256 b668f50e34ffc78d7a1c7fbad92e794d631b5ea819f084b6dc04fd41a31d3ebc
SHA512 ab08c33067b3cc83fee126ff2de290c17dc8f95f25b8ad342b1402f8582a0d407ea7d0b57a0f0c5cf6125af6430cf027d9cee8a2d2f771ffc030f7ca3c0892a6

C:\Users\Admin\AppData\Local\Temp\ccIu.exe

MD5 c75f2293b9eae60e7ef3c7b301caada9
SHA1 7f188175a55538060bac55a171daa3f1c467cbdb
SHA256 15d5d50a942fa15d9530d4e91cd8a4b83152f43c0f68275e8f7363d40bb5fc0a
SHA512 612124e6164e52939d24274f67b82c144fb1685f14db2e21b16163cb749d30599bfbeee32fda9c3761de7e0098d05839b9009ff7c79571391089a956c6f3a113

C:\Users\Admin\AppData\Local\Temp\sYMs.exe

MD5 7bc2c8466622cc9e5a649e82dd72fe6b
SHA1 6eefcf525b062f9a947a14115ae3f7f404f49bc1
SHA256 a43da8f57b91f6f4045464628e202c9727e306664cda509bd8384272ca809501
SHA512 eca404f013a597d68f15a47a8f75da71cb73c69b21423a683ce52992c7e1756e5f54de7c575c5e8012b50bdfc28e26d3a775096126cbb186f0d2f52cdf26b5fe

C:\Users\Admin\AppData\Local\Temp\EssU.exe

MD5 b8420792bc76cb1f2ab18ecde0e6992b
SHA1 c48f01bff39051bad180516238a275ca6bdd0bc7
SHA256 e02c897c22830eb3b1cb83d530f0a895e77fa1225b1cf2d48c34c813dbbff099
SHA512 f67343215466012cf40043eb046a1ad27f10f695c487b694445467c844af080125118610b097ffba8b3e1e5f911ba80af87210ebc65a717a9834cc5721fc164c

C:\Users\Admin\AppData\Local\Temp\kocW.exe

MD5 b4b8830a26eb157bdfa00bd54d5c7406
SHA1 86f5ca10852e7fd6c298182192530dcc25b32960
SHA256 3fd99d8e039a5cad4e371c5affb6ec1227e7fcecf5c0bddb9a10347e687de631
SHA512 619ce98484226146497c98a7bf5321dfb8649e020332994afc4049e7d849d524dc131cc1f2fde9ab2b7eae2e4330caf543a96f186dca4ad3523275290e63bd69

C:\Users\Admin\AppData\Local\Temp\daQIUAQw.bat

MD5 fa51d17ebd5464ef81b3ab40184d6247
SHA1 4bacd0a6d98ef9874d4ef9068138ce63f0dfef2f
SHA256 5968870c2021e01108f2df05cb9452227c773be7777d7d623675bed01637999c
SHA512 355a28de167508feec8b2019217dbb5af8ed8628fac13cbc9f735d4bc0aef14c5b3fe6ce503ab1015aedf9d779722f61674a602118c3e288ad0af4411ab522df

C:\Users\Admin\AppData\Local\Temp\ukQe.exe

MD5 9436859be1f84e48124eea8f397ee4a1
SHA1 08a27e8306db3667ed4953b52d1e9a8baa5b7eec
SHA256 485db900b87406a6cc1a479b113b39036e90b7d442c9d8f26ecd953115f9d04e
SHA512 accb09147ab0b3b098825d10c295969dd6e1790c639459544c611487a9e8f2b811934e0e1d6094d32066b6c23aa20ae88d59e4576c24a5f2f16ed5eb505ba7cb

C:\Users\Admin\AppData\Local\Temp\YwUY.exe

MD5 b1e86953d45f8322582124dd924b1d75
SHA1 6e33f05c3e5998645a91da5ba67e2dd71be52556
SHA256 759fc160c3667a2b20ad8dbfddb109a2c5c963de248efa5ce2e1e2e1655ee097
SHA512 df9b74319ff9620cc199be2d1fe180663bd410baa5e7fae133d6f3964a7d7d5f05d395327c2dc4a4bf985fa5cb4218e81b8d7b1b1cf3b4224f2449626b9dfc22

C:\Users\Admin\AppData\Local\Temp\gcYC.exe

MD5 faa68fce0d29dc34af84e66ab415cb5c
SHA1 2afac8f6df886126cfba921478378f5b8485f419
SHA256 da67aff4a4154022f2aee8219fe9f8852ff2a1a3a2adf88c0b264c0e8ca0c117
SHA512 d7b00d69c0e039c1c23004e05f7ad8cbb93af1b912a8e79ddfd2597bb325dce6c1e9bad5d6e63ed730291a05954bca30d758eb3d550c340bcf8cc76bde9e5aa7

C:\Users\Admin\AppData\Local\Temp\RikoQQAo.bat

MD5 4d2c2d4fa254e800cb9b6fcca798556f
SHA1 09d98d7dabbee0e131dfa896cf425a573d75559b
SHA256 42335d5c85b020f4834175515b37592d86df01e8c8b92e5c9301124ad0242fec
SHA512 46cd3f1f8928e0074312ef885f7e7d172a3528d0b7b94d650870b0a4932a780fbeadbdf89ace732ede152d9f658df07c909559bcc279b6dcd0bc52d175f80ece

C:\Users\Admin\AppData\Local\Temp\IeQAYkgQ.bat

MD5 00b71ecf41492155511a264feff6c38e
SHA1 899fd615e6b03579251dde7ebf440d02ede18847
SHA256 00c9ddb1a2366194f6fa8e27b5dd23f9ce6f5595f8290ef8e169c076a1408db0
SHA512 1a79d759bf9cef9b421e041f77b0dfc7f0180292aa137e3ea359cf070276b0f46a52a439e2276dd4490acd750b3e2b129c299192c0ea07b739da2ab6e92017dc

C:\Users\Admin\AppData\Local\Temp\MgAe.exe

MD5 3a67d3f0e8ee518075e9d45795ac1143
SHA1 bfac2dcc562a8fddc19bc25dabe2bea38519c793
SHA256 964bb9af0849f819c1b3124127a5d13f9873f8b0205e364cf6a2041b0031f2e4
SHA512 4d6bd67248192105a766386e5fcd581ae283a48f7071ea08c26e32a17324668ed97f92c7f15217d3388cd7f65c9e3bb52ba0abcbb298b3eb9803c74f33e152ca

C:\Users\Admin\AppData\Local\Temp\YMoy.exe

MD5 c2218d856c930236112684818fd5aadc
SHA1 67911088b4b435bcc5b18d981597e15a314a1c4d
SHA256 887339a7d9d3d9bf6e6d20026dc4a28e81874829f4362cfa1d01317975610e7d
SHA512 69ee1e2aaf795efca2d5e6b32985f9e3c802761b8587dcec2d645f60649b34b03d9fa35a224d373c4004c679c84262d659a5f9554561e5bee513e7d6fc6e5228

C:\Users\Admin\AppData\Local\Temp\IaMoEoww.bat

MD5 aed2bed8f811966b6f644cf008dc6ebb
SHA1 0484d5fe6fd599ae240b339d51ae6751dfaf9607
SHA256 b188492d7aea93e152d2dfe46aaccff3efc01dffadf89b7458fe92f549e79499
SHA512 221daec9a153749eba97e2ed678b606897e94845b60ef1434821d4425ebd1af369c2e4d441bfb0eaaf33b24e039cf9948ece091adf18af6003d76d4be145e079

C:\Users\Admin\AppData\Local\Temp\egQE.exe

MD5 9026b831a0fb310223fa4af679ca210e
SHA1 162246bf4f25a74eeaa54d72052260b6db3137b6
SHA256 875987a56e07f644a1158f7caaf861c07637bfc9ced4268f915ed972e87fcd98
SHA512 8c7eb1045835c2f57bac5593c9032a27c1b17df8a96cb84a4f4ff1ce79fdee1c420bb019bed18dccff2048ad000f628ea6f299cd0a444911493737baac4ac73d

C:\Users\Admin\AppData\Local\Temp\eQwK.exe

MD5 8a782bc0f498de16daeb101c6af8b2dc
SHA1 0bf6f7e52426074e62a797fd6e426bb26aff6492
SHA256 f0aee4edb93948a4b83e33cd909f9dd40d7769e467e9448bdf5f870461a50792
SHA512 ea7631b0870b5d019aa12bfa9ceb07113003be207361c404cb13e8c9a3bf6e4f1d7d9d5bcf143afccdd0f38f0925307bea3dd002ac8069a39eb0217b66d00683

C:\Users\Admin\AppData\Local\Temp\gkYK.exe

MD5 d7462fe2b45b5d80c81460d05c5df9ab
SHA1 cba880317e3726a933f17e9f517013cf47320e3c
SHA256 782c4e1692f003c7c373fb92c76b2a07e2d9158eb4cca8d86b5d30d8ee3d5dcc
SHA512 b58ad22cc095d24e10db2f9a2105ee9a01957f01be7596fcdfe853f3f2f004097db646648bb5a4a7bfdc29c474f82221f3f8be7f3ae5bb90200ce9b5b39849b1

C:\Users\Admin\AppData\Local\Temp\yGYAcwwk.bat

MD5 b53d21db8860364636e55d55c0905490
SHA1 7ddaf5edb0292f2710c03cf3a288c22a8f13ef3b
SHA256 a5bad58a84e1aa6a202f8748a4aba0dd9bcd896a123356fffcdc7c02df4d0e56
SHA512 fe5ed4a969529e08c3665683b4aa4f314d3aee5ee9722692d47e09cebad9263d3e28a4be531b31ec3a84c543c80aa3eae97cf9dd4ab4aae191ac77433bb78366

C:\Users\Admin\AppData\Local\Temp\ikkE.exe

MD5 6b2a58fda220fed18b256b067b351c69
SHA1 1c3dbc46fecf44a1c9a86b54e8cd835b4ff24c43
SHA256 d087eca0ca12848e370d34480c8956e6685abc6acab722b2aa315976d1bac2f6
SHA512 9433a7964ec1b85235d8bf47a237e478ddbe12860dc2beb7824d1d5ab9bace66ec98cbe739c54c9d42fc3c422dcf8c63cf3ee1c08d07a59395346a5babad5168

C:\Users\Admin\AppData\Local\Temp\uwku.exe

MD5 3a2f827df3dce0362a3c02c121169014
SHA1 d72a4014466c822f229dad4cce4d0f09568f8dae
SHA256 48f8a204e2837bc8af1cbf2924dd5e19611131240c03a920ff9fad0e9fded21a
SHA512 e5c2f81e474cbb24d47cf88cd0a861afaa7a9a4b6f85d8f5de8d8576c533759fdaaf4c55dee8b63a202c6fbdff627143ea31a2fded8188606491876c12fef087

C:\Users\Admin\AppData\Local\Temp\IsQa.ico

MD5 6edd371bd7a23ec01c6a00d53f8723d1
SHA1 7b649ce267a19686d2d07a6c3ee2ca852a549ee6
SHA256 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7
SHA512 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

C:\Users\Admin\AppData\Local\Temp\wMsY.exe

MD5 48b47b22d2a2e42e2c89a5bd13f06d24
SHA1 e4979ff3302b9847600a171fd07cb50f348d086f
SHA256 ac11f8fdc16b2091eee2075fda0b44b855be9c3a24f82e9b4f4b93bf465ed059
SHA512 c4fe76d3d98419842064c20705d6370da7d6f9548d23ae0ee04fb94a9bce25fc13bac08932c78092cece4a2df9f1c8bd76ce69d27bde593c5a04e0ddd933d032

C:\Users\Admin\AppData\Local\Temp\qwsK.exe

MD5 d67c3950f2c081db6d623af599cec3b8
SHA1 c863e5b5d6336328950357d45466d0fa5b81f6e4
SHA256 cdf21460ae4963cb2f8d0e28c5d360aec7e2953506203608392bcf52aa7325c5
SHA512 c603ec9ae9a96e3609aa56286a1bf55e4f16f302e53c11749bd465c5988a0eab4705288ea202f9d9fad640a6eeb2b444404decaeddbd9bf9fa6543cf1fe010b9

C:\Users\Admin\AppData\Local\Temp\kgAk.exe

MD5 77f5d63e138c538a151f38461b9bf4fb
SHA1 fd8928a9aa1297c57705dc0ec3d95d727ab6b82c
SHA256 0cb46a291173bbc7c3f231aab25e09650dabcfb5727365827edfb8eae458e094
SHA512 a7f1e92794d03a8f56a2345afd2a4f806b68ebc77b4b63eb504f358aff15d5dd573ead30655d351e1eef617bdff97e30425c0c36afd18eea08c5863d99a543ea

C:\Users\Admin\AppData\Local\Temp\gIAG.exe

MD5 afe355bd709aa4a0059eefec4598be8a
SHA1 08626b79d597e65c61a7da5713a97f31dd8ea3b6
SHA256 94d85c0009eb7b5c6e301c8b6b53eda860bc27fde64d9918681ec1c84746a823
SHA512 ae19b6d8840c9e9ecedc13284da54c841c85f0a505d66bc474437622e8f0e0b42c01f6ccaf84c55849b254fa547162c8eb033e8511565010a31b85f971b44894

C:\Users\Admin\AppData\Local\Temp\wOUogUMA.bat

MD5 3166ecc014fe956fbdd5cba03e09cdd5
SHA1 166a4880d6197c75c19f740563f421ff8a17c889
SHA256 5baa47ce98fbb813cd008ea17f615ba86cf5e15b2d2b5664f36641001f9d5763
SHA512 7f3ca9f7194cd23bd1aaa732be044aa854bd1bdea2a7f4c9870651c18db3619aca7c0ec3f52ed4bc128180d059f9fa91742e395ec221f375c0d3890553e5b72b

C:\Users\Admin\AppData\Local\Temp\kAIC.exe

MD5 c06fc3b2ef7bdfc75bca9998c742d44f
SHA1 32d028e747edb097c2e3f0d3d127629a99e0a3a6
SHA256 b616e6094c7b863144082cca368466c75158afb3479a7a186de75895441721b6
SHA512 76f98b496033de623909487e6a1c4a0bf1e66fbc79fcc097ce6ebd7169a4d094fbcde56e88a5f98ee264460f440f3ad6f5c5ef2b87d124dbac990b9d4287c7bb

C:\Users\Admin\AppData\Local\Temp\MAku.exe

MD5 190ea70ae7e3f4f3b0394c6eb554e10d
SHA1 0de002b48d877e18814b0859b5476d3df37bc93e
SHA256 6b157a879137a9fd04ba472d6dabe59d3ccae9f992429fd4a90357829bca2104
SHA512 34f1d35a0681e8544c6976490ce50a2edd8485dfb9399580b01b8e53f8b7667a87de2e1182c94e5c8258779c260882be4a3819a542de4a2072217753747c245d

C:\Users\Admin\AppData\Local\Temp\Gocm.exe

MD5 6274885b0a797d7b332456271c7a1463
SHA1 4d9af2ece6d4f71ff8e2b8083268bc433547b73e
SHA256 5ee1b3d87afee33ed4cf366125079d5a5c12c2d3d24c0ce2f832bb60853efaf0
SHA512 4baeed0ef35a576b300f8149067fae96c7df9969d528c24aa78011006c51d0a070330232b82eb10d073f769a23bfad82e783911a9ba7fcfd4fa1b518d4747249

C:\Users\Admin\AppData\Local\Temp\hGIgIwEw.bat

MD5 dfdd8112bab638d0c689ea6cc9322daa
SHA1 9bc69b7a54f84b6817a2af156e0491d585e6e0fc
SHA256 f205957cce50d9b8a68c98f47bfe68439d0dadd10517cee21c1e5c377c6bb6f5
SHA512 1d455a900fd7ea5e72a8c4bc74cba99f33827d1832f994df264ba45d81cae7480a6b1500dff6309099c1811fb509e1815f3698341b108954e2a221ea4693aadd

C:\Users\Admin\AppData\Local\Temp\awow.exe

MD5 aa0621ae0acd2df1612573c00897e893
SHA1 91318a37a4a81ec666db893b2d5b636668c46b0b
SHA256 6aae0e73841fd535e3c65f6c647080fb43a9b2e8b1aaa4d4eab2e1f5c8e1cddd
SHA512 89f41f035aa74b4a98d3ada8b48a4fb527933b56c2f722aae2084bc52146b31c9301ced42bdff39ca6033702730eeaa5912e1b97814312459f83e161535a5da5

C:\Users\Admin\AppData\Local\Temp\qIYc.exe

MD5 ec563d89d552f969f5eaa0b60753b495
SHA1 4ff69f53aab58309ea0e37898148a0a986ad69f3
SHA256 06e130dac6305e54d5002b31ee1a1f38bf45a34425db71ce858b3861fa2f3d62
SHA512 175ee523c2ecbb6d67d3ad68dcb6b9b4d8870d4a5209ded828dd8365e36cd7c0c72902489a763a04a06682665f01b5e644b83feacf5881f29bc79341890840e8

C:\Users\Admin\AppData\Local\Temp\Gsgo.exe

MD5 fedc5f0bff7ab925fa848817ee059ac1
SHA1 544e478a9eb82f54ea71c08f5e3d369dce88b62a
SHA256 38b2d326c304d266213a6c9978d27c6950db86f99ffb3cc797455bbb3d7d3fb2
SHA512 6e9b8a3447d657536556c7b45f1253a505c6cb30b027f0b838e7978e2ee4231790ed7d0a653665efd5fa50dda1d92b071bb907d76c6557ecf2740cecfe651446

C:\Users\Admin\AppData\Local\Temp\pqMEYMIg.bat

MD5 dec7e86b99b4d9cb8d21f7fb2253fb11
SHA1 09cb5178c40ed2d7dde4a8d16f0055792f63b3df
SHA256 5d7be915bddbecd7508142019e56285b84627c691f85bef737d7d7cd05177df0
SHA512 61a8b9784b45174be0f6aded67cfdb51d04fef8ec5ede9904720b6b9f8b8b194abacbe9b6729acb96ab6c6b226328f377bc0afb1498e44478da1a54efb9a482f

C:\Users\Admin\AppData\Local\Temp\ycoc.exe

MD5 d39681f35d3d05796e1686af3a399a47
SHA1 1a0d0a45c7db5a49d4fdd79fd16c685270fb6f8a
SHA256 8123bc3af69747665e30f8425b6bbddeec6ce7b067e288c28d2ba9a96e10ca5b
SHA512 ae3709a0ce17e1a177ce45d6b769cad11a920e98ff899f463f0cd57ec81a7c8e4c9a3c06db0da8cdbc9e5d34e409d69e23998f3a8620879ba5747a1f089fc667

C:\Users\Admin\AppData\Local\Temp\sUIm.exe

MD5 a2e96b5569d5f66cf2faff6b6e0fd76c
SHA1 49c7058f18c1afab23bb731149485224ea8287ee
SHA256 5e3d3ce20417206620bc22afa560c0c52e1019565e3324331ff9647d72c167f2
SHA512 c86f98190841c4c123f14a837f0e47feb05b23dbcbb77c3d996315c7cc015443465a04f129e72ed325bb795a33ccaba56e65f4c31c9f1aec8e208b589112a3c0

C:\Users\Admin\AppData\Local\Temp\eUwG.ico

MD5 9752cb43ff0b699ee9946f7ec38a39fb
SHA1 af48ac2f23f319d86ad391f991bd6936f344f14f
SHA256 402d8268d2aa10c77d31bccb3f2e01a4927dbec9ea62b657dbd01b7b94822636
SHA512 dc5cef3ae375361842c402766aaa2580e178f3faec936469d9fbe67d3533fc7fc03f85ace80c1a90ba15fda2b1b790d61b8e7bbf1319e840594589bf2ed75d92

C:\Users\Admin\AppData\Local\Temp\yYQu.exe

MD5 18d04a0dde34623b2c9ce10101bd615b
SHA1 452265fcf2848a99bfb2601c4aae3bc013db83f9
SHA256 8bcff67054961aea8d18a6813d39b48fbd605a073c09d36c4639df1ae873d031
SHA512 586680b262129050313b866ca3f7bb0c9e66b801513d29284714fca790e2b947753e3dd591b849b345a441e283f61a236e8b5c7062442811e9faee7b32666f53

C:\Users\Admin\AppData\Local\Temp\PGEYogAM.bat

MD5 f71a095529ec1097541d9d666549d5cb
SHA1 ca2aaebb56aa7dfba0409e68e7b4c4075cb6b9dd
SHA256 489159a2ed25c7eabb2286ada8fae2f665d6520982b1dd101dd8aebdb78c6ec4
SHA512 eb1f15a50b79316032b9a5ea237b308b8c4d25b331c461915ea0961d2c744483a3cf5ef4fe66718efc75809804f0238eefed7abbae3c15ade39e966b7e54c737

C:\Users\Admin\AppData\Local\Temp\mQIk.exe

MD5 19215650eaefba09606482be6f519d97
SHA1 3065c5a065b9190a2be8a407682a98d373b90490
SHA256 02584bb39b79eef99ef73f5849f85b6e15a7f48a95fc394a621aa68d991d1d66
SHA512 abcf6ba91e7b586f4c036591269465b64441823a3531c45c2cb5aac491e19519dc8896532b55625924e0778429b7f63f2581cf3f5a0edff8e2ea9957c90d461d

C:\Users\Admin\AppData\Local\Temp\GcUa.ico

MD5 964614b7c6bd8dec1ecb413acf6395f2
SHA1 0f57a84370ac5c45dbe132bb2f167eee2eb3ce7f
SHA256 af0b1d2ebc52e65ec3f3c2f4f0c5422e6bbac40c7f561b8afe480f3eeb191405
SHA512 b660fdf67adfd09ed72e132a0b7171e2af7da2d78e81f8516adc561d8637540b290ed887db6daf8e23c5809c4b952b435a46779b91a0565a28f2de941bcff5f1

C:\Users\Admin\AppData\Local\Temp\OQAo.exe

MD5 7a9379e79547101c6b9d87c4bf84474c
SHA1 5ef8a99269f67a1aba7168e09fbecfa935d3a86e
SHA256 2d57243b257706356d34674d30653aa9b04ee2564e9cbac89e75608547bf372d
SHA512 24bd8e57d89606e16435698931938d490a6a689d0a48fe61f54d400ee1c6b62ccc45db31cff8622f3e2e9432791d8dfb789c4c3df076fa8d5121c55158c02009

C:\Users\Admin\AppData\Local\Temp\SAYC.exe

MD5 88cea48f0f6ca992227b4eef1e617af5
SHA1 e3738ab64ec9ecd7405f815b53502c511a0ed7cf
SHA256 18ef7892111818844a5c590fdb98be6467bae6cfb11a5ba0dcea6b2a6600a245
SHA512 9d91fe998d5dec32bd37845ba66702bf562bf22190de0f9f7c17a4870bb6c6d6ebcc49937129339b7d87d26ea2b4e534ae604822a82ae1008c45b5edd618d519

C:\Users\Admin\AppData\Local\Temp\OQcw.exe

MD5 69956351c68840ccfb3cb1a443d48868
SHA1 9511682554516b0d4eb70006978963390db249fe
SHA256 4745b8706e6cb6af186e4c23b08809b61da372e66be4868342acec4f8e1da314
SHA512 17e09ac99fb6cae62baec01392b8a124eb56bb026b4d85718b9c3ca211faf743cb7f9207bd3481f5229b875c514eff4b7a8f0d5b654aa61e3e855c595ca18c23

C:\Users\Admin\AppData\Local\Temp\SkMC.exe

MD5 e5a00e9c566d71820b23f5adcd74214b
SHA1 c7212febb77b6034eae57c929bfb3abb2166e48c
SHA256 ca1e8943fb9ea1355333605aeff713e7d34bbdea259299157b6381a287243c95
SHA512 b2153607b133e417ea7af4a6b1ba0c6dbb96756cb5b5c009796205b4ffd1ff087511449eed2f8ee62dcbb6e9356d403ba643da963bc06de654150b3c65b172b8

C:\Users\Admin\AppData\Local\Temp\WUkA.ico

MD5 5647ff3b5b2783a651f5b591c0405149
SHA1 4af7969d82a8e97cf4e358fa791730892efe952b
SHA256 590a5b0123fdd03506ad4dd613caeffe4af69d9886e85e46cbde4557a3d2d3db
SHA512 cb4fd29dcd552a1e56c5231e75576359ce3b06b0001debf69b142f5234074c18fd44be2258df79013d4ef4e62890d09522814b3144000f211606eb8a5aee8e5a

C:\Users\Admin\AppData\Local\Temp\SEIS.exe

MD5 ee8f9cc6f5d94e77eedafc00514a0124
SHA1 db3b28f253dd92fe9584054787ff005c8ba1b00c
SHA256 23601cc62852fa95c9f71ddf70a5d04c66e577657bee71eb39b873c5219136ec
SHA512 1d4a701fd9e09fda1077a9c5349c1cd0750cd164646e243f864c3b3e308b5d21b5a4d7003391d3e66cb888d329ab01466dd3351140d9bc7625aa270d15e47781

C:\Users\Admin\AppData\Local\Temp\huYsIQEU.bat

MD5 0c49ad0b8892d09ccb684e9a0efe2c43
SHA1 32676f8a64b99e86c75f10fc55a0b957271435a7
SHA256 d4d9ff23b6ee822fa95fdaa30faca79d391de6db0befe6d6534aed86cc971bca
SHA512 aae9eff5d4a7285c2a955db8a13fb99ca6da80fe6805438bd40d3250dcc921398cd82fbc0f381cb2071ee779d8a26657676bdabbf95fa9492cafed5c06b37ac7

C:\Users\Admin\AppData\Local\Temp\Scse.exe

MD5 8b5afd9ec45e575abd03bb4bd9918615
SHA1 b203ebd6f00395a1f7120f4746a52f5b62f05c6b
SHA256 c6171f954c751b02d5edbc7281fc47eacf058cf7fcc4a6c898f9fde5e8b46d91
SHA512 09e4d7468e756e169aa5c0f2217e777b51d45651b962e676ba4abd77af8ea72df597fff2c28086eec2d7118a832061daae020848ee302ac73f1129a5f637a24c

C:\Users\Admin\AppData\Local\Temp\EIMC.exe

MD5 f86d32f5c15a77f832a5ead35647222c
SHA1 d1fe174b64084e7960c2e387b6791a1d2d11d7d0
SHA256 811ef704060c2b8f2d97b4291d3d322174d998338912121c8c1d7074843480be
SHA512 8f9fad58a327fb5d925176f82777f7d4b96179977aa868c0a51d7885cf4cb179550152e5275f594748def20f5696612664523d02b3922bd88b77fb58d947e071

C:\Users\Admin\AppData\Local\Temp\pUgIEYkQ.bat

MD5 28be5bb4c342ccfa50e57d3d463794a4
SHA1 81f5ccbb8ad28468869681b683942197ed025319
SHA256 efbf71e86faef64b76572af4fd2d52f2c438ed4953e5b9b3a5defcf1b7811ec7
SHA512 64cc6f828a8689be687b57c8bf6bbe4e3a7c6edd02ea804271f8d67e1ba387465b229e08d786ae5b59f8a6f0bb5c19552c4fd1e9cd0387cd7caac67e845bfe3a

C:\Users\Admin\AppData\Local\Temp\wsYC.exe

MD5 dd7917f113e0f8dea456b606478fee4c
SHA1 548c7303acd235f217264e58d96ce883edd4046a
SHA256 a3fedfd6bd8c34013ce920dc611455761749dcdbd36c456d479be52619a1865d
SHA512 5dcd73c3b437fce72b0256e673a2c6167d60113d6f3e978c3f8087250233c1bea857e44d2f7f207ed72750e0a18a9e57d4b8960786d085bc7b88ebf4d224643d

C:\Users\Admin\AppData\Local\Temp\wwwu.exe

MD5 20ac6601528a79b39c294848de7b3a29
SHA1 608aa3ab992acea9a402ed39af113af1ce855228
SHA256 9f2b54eea407ebeb4996eac59b7f7f563485096fc87ad325b7a1799fee904740
SHA512 84ededa0cee5d14f348ce9d5e68097db9c9542aaf761cb55926e534b6030c247a2ee123ae88269ea4809077eba93178625c8bf677f00f0124b58ebfea79e996e

C:\Users\Admin\AppData\Local\Temp\EscG.exe

MD5 136cfba240d7c133cb31f67e8ac55a51
SHA1 48dc5bc87bd4e660a8630f64b996252203bd83a3
SHA256 d72334605fdd89882e30e8fc27d7ad92af0eb62e02a24f04319dd16698b01e9a
SHA512 2b5849ddb946fc1c7f89851c9604ca724672f9972ffa31c4c506755a92319124d09007a4641564f896beaf131752d57ede8ad02abd9ecb05ae4c488b1599d3eb

C:\Users\Admin\AppData\Local\Temp\CEMq.exe

MD5 3d0b522b87b7a667c3b9fceacdc5df33
SHA1 9320efa6c9147399500af4d358e96fe91aa14561
SHA256 700e2c1acb5f0b45173e0be112e595ad544c40135b346992a33a969e4548d674
SHA512 bbc9a08413ec2b22c54fdd7a0d6a4056fa8b322ce95b7ede4d6917b7c7cec1957bfb1642bf3cdd71b53abea6e3ca32c7b0a3bb3f3184091cc0cea2706a78787c

C:\Users\Admin\AppData\Local\Temp\qCocIMsw.bat

MD5 0ef728acb5b04fdf03fedf7ae81710af
SHA1 6dae4cf2e42d3c1f11b0a6b9e663b6a37c05825f
SHA256 bbdfd88c39716b491c21a7e435b2a6b70cb9e37b25e51009ae0cbe038bb9fcc6
SHA512 701e2ac5b0da4076c0e83f4ef1cc9960795cb1d1a9baad3c2e6848412236b1f96262558d740a040a1ad5e19a1a97da011de9678f7bf4594db9ac85362683d79c

C:\Users\Admin\AppData\Local\Temp\AYMc.exe

MD5 377a2eaa6b7ee72995c8be05fbc84927
SHA1 424f669133bb10828624afa98d9d279e9cb735bb
SHA256 57737439db2f0718a8e0bcc4af0b4395f8fcfd7cd71d348364a54e08a850b509
SHA512 7234a0900a312b2470d97039ad923b1e8d9171fe86ad49a66c3d14fda115f454f9a1d5fffd8a9497129431e2a886e8b4a67763cddbbab2efc7c0575de8924fca

C:\Users\Admin\AppData\Local\Temp\AQoW.exe

MD5 49b013d207cfcbbf2e6017c0ef08853a
SHA1 146eeb5a7d4d8910b97095ea8a63757cf30d7118
SHA256 dd2f419011db50d1405767087334b6e1c7a42bf6241441d576e590247823a8db
SHA512 e9814a1bab1a43af5df6c05d449e9fb483895ee5147a15f5345318cbf6ff5194731e43f5cc42140fde7ca6efd27c3467dc7de0f26115b5fd503fb5ba0075ecc6

C:\Users\Admin\AppData\Local\Temp\sgAQcUIc.bat

MD5 89f7bb8f97cf24597edb09be60bca320
SHA1 5f76bc84fb3fcca1878b520db256e2b0ad31d22a
SHA256 d78bab77dbb5b918e253106a989ac33d981e1d600dc4b9fdd1d1b62845002173
SHA512 f888a8f87b5ee3dc8641b6a62d3a468ceb666c082f7b70dcc9dc7287c4c39f611ee7e5d1b5c78fc1d648ae548370160e04174ff147c8e6c8b1907cc6fd417b76

C:\Users\Admin\AppData\Local\Temp\soYA.exe

MD5 a6e362ee7bc7a8025666421b9f02ed6e
SHA1 580f15c524a9b97a2dcf499329007fbf60e6f8d9
SHA256 b8ef8888ccbc86ee3e64adf639b1a6c0e7cc8dcb989aa42785311306c9b35428
SHA512 2659b0b6665223244363e55e378966f1f1d57eb88251e7aaabe7185167c59a50b2c7c65dd696a252e594072c4ea57d481aedbf3bcedeaece2e2ebab4b91dd586

C:\Users\Admin\AppData\Local\Temp\IkMq.exe

MD5 607a6065913d7f68549b1fbc08b91f22
SHA1 b3e41efa637e838edc4a6e21e0405c572d37ddf6
SHA256 40b8d8c08befe7d4dab28ac2ad297d9151cacf322a916da3ddd66b019f8bdd49
SHA512 cca46a54932a7322c57f1cb352aa868fb4bb8c0cae757c9a2b3d9d7aae362e0fba2ebaf55eebfbb3cdb71571480c4b586f915caa3f273d069d14aa7a39795960

C:\Users\Admin\AppData\Local\Temp\YksU.exe

MD5 b3877338c7978829909839d3e8307b95
SHA1 8d67f4d77a7c703cc44aeb066c8b33fb1484fa3a
SHA256 1c7952996a7025c985240ed92f30185374cdacb65cd3d44cc8eb844b7c65c80d
SHA512 82d85c748c78538a931152c45c55c01cb80c0c7bd744bd485b1d8cee6dbc1374aa38da31c896d16dd7ec740a66426849073acffc30a67c0a92096d6566084ba6

C:\Users\Admin\AppData\Local\Temp\MeooYsUM.bat

MD5 0da2e9be9986a68962710caa21f6206f
SHA1 1f28b621cb74c5427d47f1a59243b6e243c2bca4
SHA256 ffe76e2408a7b5967400d7f5e61e11c30d2cd7a6a7fd441a15c2c0d8dbd73251
SHA512 63fbaf355f08cc69a4b1a1c6452975928e3574d5284782305b7093f0ce9d62bc5a241eb98468e32285f33b34066d0c2c8be24c9737a012943049380da375ebce

C:\Users\Admin\AppData\Local\Temp\QcEq.exe

MD5 ce904ae1784a7cc32b2bd0462c0bca11
SHA1 7d460163713bb89f0dec8ea34ccd823f44f3781e
SHA256 ca12038721fa865596606acff5bac4214141fa47d595933add035de7c6606db1
SHA512 041a4dcd99fa81d6d09620126b2d8dbded8eb2e38f202361def7fd2a3ff5a0771bab21e43635998ca64c3324bfec0bc929ea452cd6b5536060085f61a2e79a96

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile14.bmp.exe

MD5 87894c1ba12d21e63eefd561b8169b1d
SHA1 c4352bae9fc1abecb6dfb9961e5e13e3a4a932c5
SHA256 88619c2be117930126d55a017825b27b49d498f1d5ae710d88696c0f886e8411
SHA512 e1e6d631f52702010df4e91dcc307a14567e303c13ddd1b7b264862c229b9a59c6f5fa00d1637899a606e53070bfda862a777bc680f80facb812df89c2cad1b8

C:\Users\Admin\AppData\Local\Temp\SkYg.exe

MD5 d4bb40b7d60dcfd0abd24046a475abae
SHA1 99a1317bd9225e59cc58d56a113d6020c04e5ea6
SHA256 7346aa667c0873e809cb6852b90d34676089f56f01bc029dd2ba6cb22e96b965
SHA512 454adc44f4e412f79b46c86690ed95e3489db71ba7180962fe7129f3dbedbe82dcccef47facff89d302ccfff76b32c0c28d26bdafa36989e5884abc28a2b781c

C:\Users\Admin\AppData\Local\Temp\oOsAQcoI.bat

MD5 bb31346300d56e008b4cd06d75d16eca
SHA1 4dba37eee2d3eec5e2fb9f472e5e0d9703693057
SHA256 fed2d3e6f52cd058c1012c5960c94ceda33e56436636b1065ee6a3d0e892cee9
SHA512 5f94340efe180b9b9b377cdb4f2d286eca93a6b55cb3920cc88681042b02259645f5731d21aabe401bc2ae69bd278a8fd34e87ce673929f1bc507fd67aef6729

C:\Users\Admin\AppData\Local\Temp\UAMS.exe

MD5 77ebebc4eb4d7abfb2f12e465dbd38f8
SHA1 b964ba424cd2a4e378200c0da0fd699fe1a24c7e
SHA256 7dbe017d2b49cbbb887ee80705081de4dab1916fd97877fc10c3312e2cffcb93
SHA512 775e1e510914a6fcf0c9e70244c0a3a41bf08622b1b3da9120b7598a7fad90be74d96eae854d75fb7629842e44daa02c27fdfdba124c570955d4f571cb0c6a41

C:\Users\Admin\AppData\Local\Temp\MgIw.exe

MD5 3b8236060730984a0d5be0f18619095e
SHA1 97cc8821737adc3654dd0e086e13c57d2ca94ee7
SHA256 f1be348550abd00d40d21601b1fceb77dcc51f581505d2082eebda4f5de2a5cf
SHA512 51b1585f3fa5e8554bdc7ee89a7a63bf8cb18f275aeffce66c22abd795ba049d0ee9ffff2b1fc887cd9a6216f1c96bf61334e1be3ad7d9f6f09ea4f2d1aa942d

C:\Users\Admin\AppData\Local\Temp\OAAE.exe

MD5 85d6f8d050146cae563e6387cf49391f
SHA1 3212f80155ffc9fed05ae5a89f8df3f649a40a7e
SHA256 47bf3384950ed92a2a72c02ff100e34be33a2a75852e92e2d3555e320618612e
SHA512 91b0800d0c959b64631fb7510c8b2f0c1aec60bbfac4204cad77e71dd03e7bda738614487f549a924ea16d239385b613d1a94eeafe28a2932ee6142793213064

C:\Users\Admin\AppData\Local\Temp\WMsi.exe

MD5 ed87a9cfbd9527a69bb2c666100f2604
SHA1 8d8ac5692dda0ad27b9a1471cae7ab8ea20d1e16
SHA256 839f09f09cb81c02b1e6b42e7d2f2bbd3668b7a1e57721027d757d4bc6aa32f6
SHA512 8fb9a37ae96069732fb3f34b7fbf7f83f2b2553b18278d0097243b532570a8d360641374a87e062e144225dbaa664479cef02943fe8e2036bbc950646eafa04c

C:\Users\Admin\AppData\Local\Temp\jcEEgsUw.bat

MD5 d2a40a5c4020c1466030fd9ccd91376a
SHA1 4dfcf9facd69494fefc4787ddafb8bb957e4f8e4
SHA256 53330722db51b2c3e1e43da49e9f1b3a819df3721db75ae73b9da15791d6d64e
SHA512 ae4500f47e226ae782bc79449b2f9c5b7a2b7d7f1f6240558494080e2e2498ea6fb1d98d5bad0f9047d10c58894097ccdfafe83a02bf2a3d52d0aab6a4077105

C:\Users\Admin\AppData\Local\Temp\oEMe.exe

MD5 8a8f70c98afc5e2ec12eb69eb449f1c6
SHA1 b17b87de03b63b89c9c113f26f38c6921b542a8d
SHA256 08e9622f6840d6191c0520bfe5e4ebcc17b5a0495c251ed3b96f6573788e8727
SHA512 345ee8c84a831f2b10e4ce989f8a6dd26622d912746cf0d581181f506eef618bd43d2fb69d26fe39e269c7b315ba7d3ce8dbcaf0e59c1102cca9e99110d52a6b

C:\Users\Admin\AppData\Local\Temp\cwMo.exe

MD5 d386464f386dd14e6cb0a4f51ad900b6
SHA1 cf7a1be9877cc6dbfca62960df04c3bd7af6c586
SHA256 dc9a5725a375ce3e247639a197f7c46ff1e707bb12dc7ba1a4131bec4b2a353c
SHA512 dc6356d83cd960acfe3ab6ed78e2cd246aa445d34cfb06876b8c02b33e52140ce18ab0cef2ea830e2a41acf141ce18b84121c16cdbd913a8054ca86ed5339900

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile22.bmp.exe

MD5 b87c08b005acbb7edd5ae2605d1a0381
SHA1 46293f59c25b9d69c9322e23aeea212ae703d03e
SHA256 2a982675ffc650d27110a59152609537afa86443434f82b63b53cf1a81403ab1
SHA512 d6c28c180eb4e0a6ccf5f933aea7154603e1f2fd53bdaadd7e9b3d7057c5ebe9d7645d61246d853aa477f2145aa30dc295e90a3cb38e6c3ebbad3f79f5c4e491

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile23.bmp.exe

MD5 1310d48adf8dfa3247d027e4b8facd0d
SHA1 cdd776b69e13344bc6dfe07ca09cf6496c81628b
SHA256 9d8d0aa5a56b7e65b11c338717fe4eb4b1c52d8bd542678188cb023426b87118
SHA512 be2c07feb3f110e2a3cb57085858dbc1e448d71fce4d91ae8232d5c23f2f9a6f44c98d9f23a67aebe2f5242ec716eb32f5c87afdaa7bc7de64ede2e9034d94e8

C:\Users\Admin\AppData\Local\Temp\NgcgEkkM.bat

MD5 993d080652410f858777b12d742da562
SHA1 d6232fd5f37fcc0167c69f2bf9e90c740eb71e73
SHA256 8c5fb667dc62193bc236101af01c735eb0c2e5b3ed9d1fa3ae28aab08f524880
SHA512 cad17b46adaab06c12b539268efe86435a9bd4f5b6aa2a740b882905e4b62b5565da01acb9d50006b031b66f4554092979c4f3feef1725c7fffcd3d0f72dd8d6

C:\Users\Admin\AppData\Local\Temp\QoMq.exe

MD5 860a8722a4bd21aa8831e39aebd29fe6
SHA1 d85edf025ac44c430edaae9c8f15639b1c35e09e
SHA256 6d5712e82c259b444da2da15f4a1db3d25023c3d631352687699c007d39027fc
SHA512 9302051b7b1d0a96809629227b90ca572f6b9beed918462a326667153374ab20f7466e73ecd91af086879fc0a6bcc29a55eff2d0ea108589dedaf6759dabb895

C:\Users\Admin\AppData\Local\Temp\kAIG.exe

MD5 6c874c080adca98d0e5a83546d92286d
SHA1 74cb9fb8daa940eba7a42d20bdc50d603b8825c7
SHA256 1e859dc9645123896660e3e6c67e0f96b89d9da5a1f90128d03bc1fc9ca20d27
SHA512 9963d174085145ef64101df2ff281f394f8539fc14db441850ba023fd9112fbd8a2cecd4344b9ef1bc0b8b824493a11fa4f78dc83ee22fc10393a076333af5ff

C:\Users\Admin\AppData\Local\Temp\fegkMQsg.bat

MD5 617e10e36c55557ed0c65db7887b4ca6
SHA1 759cc3925ff362ed0c487d38e3b8b0c493fa362d
SHA256 faf1c7ec0938a90e12710044fdaec7b896f4b88e90dd2675eb8cf9fa773eab35
SHA512 5450e1590c1ba0b40e56e94102fbaa17aecfd81c00b494b9cafbf4cab15c83d9d30dc8d55e000674dae6f59bcac86c7a86d3d02f4fb1844d0b37483803a6cb3e

C:\Users\Admin\AppData\Local\Temp\wcEM.exe

MD5 2852faacbb3e6e3cc81520338601bc20
SHA1 b6489481925ca5ef2047d15faf5a74743c921808
SHA256 67af452f15ecb08b4b4ec585d2bcf54da126948509c296cbf5c8a1d2ce32d2ab
SHA512 5a25d09d858e9d39109b6a443356c223eb6c08d5cb7f9746b51cc7e232ffb33ef90320a662c5d532732ff0ff304645fe1b70571c58e8f54683c57dcfc5c2a148

C:\Users\Admin\AppData\Local\Temp\AYMK.exe

MD5 fb241c97a46247d4c8a356a98d9271e8
SHA1 b615720558e1b23a301241074cc5f39b74dfe7ad
SHA256 05f6d60f171662c8e6cd2fd28efc584d69872f9240908e2d62d2d8fd8f045681
SHA512 ecea9b54d61dcd4eca972db67a5390e0c52eb67796f9e70087a81460d56c9b479ffb27112999e8c2fb696e89f3a42317df150ee846f71f312d27587ee7df9409

C:\Users\Admin\AppData\Local\Temp\wIAs.exe

MD5 b675df6d142e956ac948ad0d948b05ba
SHA1 a3825bb215fe89ac12e8ab915fa71d8a1792ecc6
SHA256 4afa0fc25408395f26aecd54bbbb74c8f0e91ba0a1d7ebff5f7cab3cee74de70
SHA512 522be9d6e762cd986094987bcbb8905b36ae7cb44126e1d0bc2ba72effc2dd5d7acca3f0a1ff8fb4f48fc9376ab314056fa1d6a13cf78ba39bc205e5068b9ae6

C:\Users\Admin\AppData\Local\Temp\QsIY.exe

MD5 455a7c919596f7f91dd4b8ad12c91af0
SHA1 8b0140f9c393f14949362759ff89f30932b8c1fb
SHA256 2940bb2e9d25ab1604eb46e753d5ce242a2e39c9653e88c626db4bb3b1042ada
SHA512 14b757d2ce3a9041132ba42ee3ad11c67b739a7e47cc7a09a8a0ef77386919687f7143a9544ca991e81d4a59f8c7b251811952dc7a4d2dfa4c351e56a84dc6b9

C:\Users\Admin\AppData\Local\Temp\GkUw.exe

MD5 5c64b6e8360576463b37394910d1ab21
SHA1 4a61a7cb9584f76569f2fae1d99cbf627c9374f9
SHA256 0c4966f83bdc75d035f6fc74b65dd5853ab54b81701cfc96291f4ec868bf30ab
SHA512 d658ba35afddc05f4300c5c568e2252994090f790b254276598483dbf64c0227813a7b271bbe351ef6876cb56e32f5993c0a535e67d2db07af7a37372003ba32

C:\Users\Admin\AppData\Local\Temp\sIoM.exe

MD5 5ac8e5e75325ef194984c081f938de17
SHA1 f03f2cf86ac368af615b4192c6dc064a10ea51a6
SHA256 d01fe117d58d9e6263967a935e4cb0d35d786a066bd38428020dbcb35446c84d
SHA512 129ddb65075eba82e440656884b40490818cc70e259612c3abf0078518432f104a8951d0a661286bc5fe3094b3fffadbdbc57a765e18b5dc927390e279400c4c

C:\Users\Admin\AppData\Local\Temp\gkggEcUk.bat

MD5 fa90ba45cc3895dab9caefde23ddfb1c
SHA1 100d91adcae5c8127d5651d1d8033143532e7fe6
SHA256 c9807900321730c80cde80271e35dc0a8c41143beee7f2a525f73b7844a9dee4
SHA512 56c5c8e4ddd5ef7ba3c893c98980134ef30f16a236b575c9cadaac304501a0c64bb08ae3e2314fcefcc28f38e1e7994075b97a343eba40c0c126b75ecb6097e2

C:\Users\Admin\AppData\Local\Temp\eQYO.exe

MD5 b397063681b13afba666df69f11a76f6
SHA1 3e0019e18c754942733b5de42fe420a55daa919e
SHA256 d2344431a78a29e39f494d13174bffa9cac5e2e6ea9ca38da8fd01fd7089ae93
SHA512 2dc4e7f634cfad98fad922a6e31ae06876c24287c7f3f18dd8e2cb633ba957c8a532c82a83c03d5351875a196a0dd62a618e3cc4b4df75a41ea734e5e8837280

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile33.bmp.exe

MD5 385758895c2a39e72c4d35620b318546
SHA1 84496defdab04f1743d5a41442e66af30113854d
SHA256 a87ec0e530f4732521151e03b32904275ea8a4c6e63e8d006eeb822a93929d7e
SHA512 31527e16da56c4f70cb09df59b177639a97be9a012372937b3aa73f9981676055fca38e91b7db9e6e1a8cc9ebf082466d5552769cefa110c50584cbc34f5900e

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile34.bmp.exe

MD5 218db6caba1ea1a6675b0252c7c6680b
SHA1 68d562409e829bba9aa059ff817185fcbd36ee6f
SHA256 c73f7a18908fd9b2787b0c6dfcc2fe30fb0442512d7a151560b55bdba6dd7cc8
SHA512 3a9f829ccd484a6c958ee2984b2e83f2f0ab134e845f3d07175faede1e06bf9f5d03423f3ccd8e0c00c50d491f3c24dc8aea5c1359beb9259e6274c5abe552b4

C:\Users\Admin\AppData\Local\Temp\wcMM.exe

MD5 0b3df80b671fac20ddec242337c7b245
SHA1 832a89cbe95eff3a09d09f9319a9a39c0d8bd1dd
SHA256 17fb6539b9865d9842ad3ee40e30daae61edc5e146903c17781080d7c106230b
SHA512 6b4c1bf2a3a7663d8d5f04e7f07b142115b8a5298fe905f4aa2b4d389f5b5aaf64f48a51b67f1f4f7562b72ce8aa64dda86404f7f82ff13dfda2ad19be2a918b

C:\Users\Admin\AppData\Local\Temp\kCsUAUQs.bat

MD5 732bb9900552d4c699b47c3fe8ee5f5e
SHA1 c8561a2d7434aaaefdff71401442cbfa8861c81b
SHA256 5c11d75557aaa97e51cfabd4f87384c90720fc284a59990e171b994a4cd20301
SHA512 0275404e3a16382b2f06d2e32c9fe55cd0ffb5003e1bb55927a3514ccd12c26de7b62b26b52c39f0f8ba7ca1d61bb125193e1e14e0041bbeaaca4957815ca4a0

C:\Users\Admin\AppData\Local\Temp\WksI.exe

MD5 4b079fcd0f9e0e318ddf8b5472bc5e2f
SHA1 57e85164524987b079d3a312f7371c8f8c8d8cc7
SHA256 3bde93f572f44b9b780867a01d4e21e15baa5e68e52abecde156d89bcfc97d51
SHA512 a1fa130a3102cbef7a36cf726cc66559ff3039587d55dabaa1606e92cf1de24bd0de0af1d14ccd60bca858f6b37f19264d2372c049eeffb2e71648329611cfef

C:\Users\Admin\AppData\Local\Temp\qYIQ.exe

MD5 9d795ae48b8504bfe9c51d59f37b51d0
SHA1 99c3c9c8444964ae189c2df70f1f273cc8cc5925
SHA256 99692c98c548a4925d65488b40b065b9d0192585f6fd88761d4a9ac77f8f14ff
SHA512 7e65aa9a09c0769bd5d40d72861c47f53646c1345db638290130c6c6fe351782752a5558b7d44f69ae31969649fe5b0c73f624a7451f7bbb1f0aeadb2c73f8af

C:\Users\Admin\AppData\Local\Temp\yEsC.exe

MD5 ebcc954d89756f8fbcd24f4dab4a5154
SHA1 5207cef132e18f0a02ad3ca3173f3d7967a3b9c6
SHA256 facf4b2f0c7d0814fb65214ee8c1f8524f72f17df87cc6a57f8f215dacf15af2
SHA512 65fe06a5ac50aa215076c606888b4022d54cf6d2da48c35c00c8e6c5bc2bdd46401dfb94aa2dd9111320109ae92640ba3bd96484477cdf160c8660b5555ebbb0

C:\Users\Admin\AppData\Local\Temp\imcwEEkc.bat

MD5 340d001b9b8d31ad524f031b5868f1ba
SHA1 4771de7a6ac6d32461770588d2c9222d4939c9b2
SHA256 3c0c16d870d20383be4f3aad9b8dbf56ede721d13db45ec0c265dd06017f95a9
SHA512 f17d3b1a18c9f9e5e71aa8513fd52f65e5f98d3a00ab6cdf6ca1c344fbda06744e24bcf4ddb02825f29c201f54846b43b5c0d5cade15af1931954d3ccb7bfe37

C:\Users\Admin\AppData\Local\Temp\aEEk.exe

MD5 0ea259127252df17c44fd2a2925ca231
SHA1 777ad95969c6d3de75b67d7a89451fb597f614b2
SHA256 0c8b19b176568cd3b8bda6445545c72da482a48aa91f0dae20ebf2c9c2eed243
SHA512 3964a69a38ca40e5727d83c5d87c7bcf149c24ad047c7fdc26a4d4cd2790c99b0675bc0f9b6b380fe262f69a2f0b8134a79a9e5624567f257aca7139451fb251

C:\Users\Admin\AppData\Local\Temp\QEYa.exe

MD5 b1fb6bc61ff6e8db58136795725873df
SHA1 593fd8426395a757bd4bc6a10d3b3820eafaf3b3
SHA256 497bbaeb6cb0a67f7152f4e4e3894c6040aeff3c615cc0ed86c73bc3cc61c743
SHA512 65610e90e043855cd83c9b66a7de497ed2c2262a64a0c4f05af73e99c284ce164a8334303f746f6c2e942e0d99389da5a5e9e5d0e0423771edf9c3d92915f5b1

C:\Users\Admin\AppData\Local\Temp\igMk.exe

MD5 58fbdd6552e6115d88d8e662d41f1420
SHA1 d9b1864f87bb16b1302ae7086980840c0c23548e
SHA256 8d2b056e4809382c4e1c287aa2f281b370d25bb8d6dee8f05cb9f11f9be5b994
SHA512 ed1bc29bf4d56e610440c20957eea5d091f5edbb5184f01dd96a04c9998c44185f81447e85b25db9ba3511d82df20d8236973704d6a790316762314e1b45df2b

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile42.bmp.exe

MD5 565c5532f9b6f4f3f650aa9480a790fb
SHA1 9009588c3d5fac4bcbfed09e715feb185d3d16d7
SHA256 1dc2f49844d788bfcad883205c3ff986794c32f499f492626fbddf480085ab9e
SHA512 521aad87ff85907fb04398f47b19b95b33607bef7999d52910aae7d4b9943416e31f0149653315a50701dd64a63bec76ac50ae3f25563fb278ce53e55f66eace

C:\Users\Admin\AppData\Local\Temp\VIskggEg.bat

MD5 9c4b0add896fc0dc8dcd74a078738c36
SHA1 6f3e98e3f750a4cd2752d2936a6e9a2f8ca3efa2
SHA256 39b9634bbd49f4d5501f10c13a64fffdbe0e2af43a1fc5eea0a36c54992d3cee
SHA512 8439f30d7921053e6d57d315fc155dc687a9ef6f515868aed83c5267ce5309c8fe04bc34544659e41115b53d1f96e8706690ca597e8f9e5b63da522ec1300fc5

C:\Users\Admin\AppData\Local\Temp\WIUk.exe

MD5 192b3d6324d7258e5d9bd68b8a52b322
SHA1 fd187cfbe175745bff26a9d1088c897e60f1b854
SHA256 e0d3bdef73d0469a4f5d1fdfae41e836eac49985c6576fb78a2ff225d866c279
SHA512 9813ce6992aff512aea2ddce4d3caf98d4982eccff1bfad5e2846268e2c2f80c9780d532020e5cee7257eedc38d46c945a483096fb39445959d9705e330e194a

C:\Users\Admin\AppData\Local\Temp\qQIa.exe

MD5 d1a2f2b0ae6355d01f5296f1404592c9
SHA1 cca18dcb0995e4cd03eee2adcf4b9bafc5d95166
SHA256 6985771cac6e3fe7bcd19e00e8c3ba7c72df1aeddba0a2c281ec3ec1be9b5203
SHA512 6a452a107868dcdd57b45b0234e5a700754d23372be9dcbeaafd05888b7db1bf4b64fa6190df00c950de705cc1c23aefaf51a5e1186c7419472f44e78257ad27

C:\Users\Admin\AppData\Local\Temp\hiEosQws.bat

MD5 739b90e11063e636bbc3d15a774ae043
SHA1 6dd963df9734bd9fcbfaee9dc729574b9bc5d934
SHA256 bfd2cabd39c236f3a823bcd35eb4f1316d0f98aa2a603f7655c49fd7c989b7d8
SHA512 1d1613d441b05bc2be02769eac75d593b22a6f608fba08e50aeff584239632739efc12c42d8b1f53deccaad80e0bd9e9aa9a9dbf26fd54510cda61dd80b72778

C:\Users\Admin\AppData\Local\Temp\nIUQIkAs.bat

MD5 a4de6d1f9f0d128b8f2d35a55073332b
SHA1 eb79c40c54397f234010d0460ed5b9051946ebcc
SHA256 a05a9f8eaf71df2296d9d224a3c662bbec95730aff0d597d24f65af74dc74b24
SHA512 ae018e15b8b83800ea50a78cfc798de6767646f7bb66366ffbc68e31e7fa9f46f06d126d1851dcfa9bef9377357dea6c119bfaa91a1df8f1c75d32bd0965035a

C:\Users\Admin\AppData\Local\Temp\AkMC.exe

MD5 ca0ef0ed2d4454b4cafa31b394132b62
SHA1 0a642f744446fc5d0e7583c3cd25a647a4d4e1ad
SHA256 8916bf8e1199bf526b26b1ace06f1933614e57c96a27e3dc956a3475ce131e6a
SHA512 d40c769ab7e034b0ae55e697c4b5b882e5edd2cf28f10de9d974460df14c6ca384ebd1a8c9aade6357c201af485932594b069837fa00bf676262c8d5567d00d2

C:\Users\Admin\AppData\Local\Temp\sAkI.exe

MD5 806e0f1f7c1cb5ae38755ccae2351e04
SHA1 03ca0847878446ea284bfab1e2397a9a3dfe3a29
SHA256 4a742b6a6a4d3face3c723fb9e893a5bc8993f785feb43bb4f1f493c55edf0d5
SHA512 188fdf18486d9994ad40e504457dedf86fe16f56a11d6ac183ac8a7325966e12cf2a6d30a7b39c6313b65a9e037ce6e92789ee9f9260f4df8b441ef67eeb578f

C:\Users\Admin\AppData\Local\Temp\ggIG.exe

MD5 42df73dffba27fa0a042607093163f42
SHA1 7f46df9097eb33be8fe532548222c9c691ef0f06
SHA256 c373533abf2230b5345c87a3da20e8c63557ac6a718819843887ca9325b9f35f
SHA512 b19bfab0d7069bc102b293952993b9c2e1292dfb65e8eb8712d3fe8cabdc53859bc547fa7a9f8a32867e138bb1396061d9ee38091c94b6fa05686e92bbdeaddf

C:\Users\Admin\AppData\Local\Temp\KwkK.exe

MD5 b481f08350ca34207f75c2f6b3269ac8
SHA1 d619d8d04cb41da9bfcd0f2ca6da9fa236d21b51
SHA256 6291db815ed03b57a5e1ade4b08a92322a624c409dd06b1481d0607dc05d44bb
SHA512 2720f51be80c8b89ea4849e81eca6e5116a45dfca130e6044621df10a132bc43f94c7119037f4052ce27cf2d0f5dd7f9638d2d2619ae9118db8d4387df471a4f

C:\Users\Admin\AppData\Local\Temp\HWAMkUkg.bat

MD5 579a6efc4b9f0070cd9f0c8890f22bdb
SHA1 387e1aa760fe70a0ae00032b71441d5342e0e832
SHA256 b2955454f6cbeccc553b5050f956e59ccb419dcf4e37b949c59036e6daa693d8
SHA512 450b5d104968c19b120a980336e95ddb04fd00dca3db918e1723e74e66caa7a2700f347376efaa6e8250cab0762a015cc5a5cbf451962cb38effd60f6968072e

C:\Users\Admin\AppData\Local\Temp\IUYA.ico

MD5 f461866875e8a7fc5c0e5bcdb48c67f6
SHA1 c6831938e249f1edaa968321f00141e6d791ca56
SHA256 0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7
SHA512 d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

C:\Users\Admin\AppData\Local\Temp\YsUM.exe

MD5 e8a46509ce7a023a6557d47c7db70ae8
SHA1 e4467a7ed56ab0be21254934c342086ea36778ce
SHA256 444210fdaea819f27ff543761b5db6d6f2b9db43269ee14e08e01fc06c2d153c
SHA512 51c5718e614ceef95d652d6d8e33ef6fc6c6e1d2e15e0576a9194b9dac4a71d8ebf097eeeb6510ffdd56e4c085f43bd20ac5707b18a435ec934ebdd8de5720a9

C:\Users\Admin\AppData\Local\Temp\EgMm.exe

MD5 683b7b2e71568104488ca4aeb6f96da6
SHA1 72322a2c613ad3080fdd5d2896d276840b772964
SHA256 e1f190c39780c76ef0bd930eed39430c6e8513cea2f29461782bf9f36df22662
SHA512 6aaa0b0fe930f1e401337a3d35701cb47a0087dd0ddc628b9e3ca9ca146db2cf480fe06b2849755fd6e5ada76285e3040a7a21b42e89c07a99d12d68a53c8da6

C:\Users\Admin\AppData\Local\Temp\gwQa.exe

MD5 7a5b4b934496aeb8b64b9fc19338de7d
SHA1 45a05bc2430687b4505421a9dca07e93ba6e45ae
SHA256 833066e727ceac6e21d9701b8bddb853adf9ad8c08794798dd27a249185680b4
SHA512 0b114096447fa3d6b2eeaa52cde8a3788452662482f0b96bb87d89a16f598a670828c9ce4c7167da9d5f2bd6d7724b9e62b8941088d99608d1273e5d7e415546

C:\Users\Admin\AppData\Local\Temp\AwEI.exe

MD5 313327c7fded58fa98342aef9db014ee
SHA1 aa27b70f3480815f167c8a1c0b476306b6cbec28
SHA256 465c12c78f0fcb3a73565dac85f69e0eb66f33af774f9b50abbb060405490089
SHA512 415f54aa721648c98a6d5a17078cf90dc62b9105b797a7a03c947b1bf425f6080e0108b1e46234368172a6e06c988d17bba111d8988473345918f9037e9d43f7

C:\Users\Admin\AppData\Local\Temp\yYom.exe

MD5 3d8749f42d6ac507738fde049771756a
SHA1 0852d6a05de3772be9b5be13d7dee1322ae54e33
SHA256 9c895684978f806657634a71d244cddf4f5ec913ba2e5a8d3936020de6c3c58b
SHA512 be3ebce5c002a6d41188c001ff2dc3538d68acb3dedcb1dbad8c9ec4deae7505d13db0a64975d4dc8363a2a6e66fb74f34f11aa86d80adb281532cb829b7dd00

C:\Users\Admin\AppData\Local\Temp\ecMg.exe

MD5 687a59f155410e9b5ddd1db3c245f8ed
SHA1 d7a99c6be061415c12e0a03cb9eeb364c08d3a4c
SHA256 80cf13205e21d360c1660949658ff4ec1cf4469d9a9a549843e93a18f1e7b4c2
SHA512 6912a22446c03141164f4a50c7c068cc4478758071a3a669598cc75ef0e8aaf6aa93dcd04c2c800894871f216f9965306d1c90a7c145afeb1e6068dee89f5917

C:\Users\Admin\AppData\Local\Temp\CcEskAww.bat

MD5 c56fcba34f98f9eb4e22d7d08b01f9a0
SHA1 2bd4a5540848a9e6859544c2bab867d10f71b00b
SHA256 bc838fddacce58f9b79ecba3c997bf24dc53be5a87a2f03db7f5e979cd876357
SHA512 1c8fae2ee3d8fb52930ba93bba1dc4a7bb7ef894bb3502d1cdb38fefb987007b2182ef3d88e66331e12a0d4eee7d1d22733015a4934d6b51e6431e1e7308276e

C:\Users\Admin\AppData\Local\Temp\GUgkkcAc.bat

MD5 997c2686693ec631cd420656164a561e
SHA1 1dd785999c9e879a2bf96b8286951cc37b76a1ce
SHA256 688afd955821681190437a2404f39e130587e383b61c0bd905c942d71ed6eda0
SHA512 49347091be08c2cacd4189eb2c25cefa80425c989bdeeadcb025747d024db88bf70a2a7687c034f34a64e2049b059abbc63e25dc342b74af988ac14f4ec84af2

C:\Users\Admin\AppData\Local\Temp\wKEYkEwk.bat

MD5 848f060153e694ac45afbd8a4061905a
SHA1 48a3682663b9e2d591869c5d4b69870e391571fb
SHA256 c184f20e6aec74a4a21b23a01164ddd89e1a566439fa35da83619a4a1760c067
SHA512 efc03b620dafb7229e0bf8ab2b5d69f20cc45b0a45814b74398ac4583f8ca9586c458b1127908c554b875d2b926721859175a4b0411f11d91637d2c4da14a30d

C:\Users\Admin\AppData\Local\Temp\pokQEcQk.bat

MD5 e74c8a955c9cbbaea2f658ccba60118b
SHA1 46d300ec796bad44c6b0cf28b84d13709a63dc56
SHA256 fac8b81c7d8fd9871e97be7b7501e31477c6d79d9f89fdb133ad71467366fbd5
SHA512 82616a465c330a5b5e25410a8e2199f1d5d6597df5ab49bcb61f2a2c8b9b1330124b95310248ff403ca65761a8a54694482292c3a604648eb16ca6544867387d

C:\Users\Admin\AppData\Local\Temp\HWQIsAcU.bat

MD5 0a35bc19613ce27a6e0f7273b6dcdd5a
SHA1 11dfa603103b5b50d3dcab1d9da55f6fb1615953
SHA256 db4d5d30b39df9c97181c12ede9d1d670f0a315c88d241ef01c850fa99d17827
SHA512 4ed7140b7ea5a2ad1d31c0cbea1e3dcbde91ebf098fe335e6034dad27e8a9b45ac7c13dfeeb4d4c2ad569f9a85b4105eeced2ab20945a89f916bb6c00c6809b0

C:\Users\Admin\AppData\Local\Temp\RskUgQYM.bat

MD5 05d251a6e886687731137ed40bcc8944
SHA1 747c02e3859fdcfe9e6098049e78bde02525f5c2
SHA256 e39d7605eaed0c186b40dacc411e70fce1c05dc3fe1d6768c811fa9bb7ba5899
SHA512 a6ff076801c11bac4b94af7f3b1d4a1618a18a58d6040979e08c4c039f587accd2a0aa21cb28fe1e31e31a68194fe955bbc501cc0157e9dde7fa35eb86169ebc

C:\Users\Admin\AppData\Local\Temp\jIoUMgEA.bat

MD5 dad485e8dd200ff7d10d9189f6b5b74c
SHA1 8fc2b96e1c5c75262bda680a584dff2a00a5d99e
SHA256 bc389edd491d705eb12b65073f136505d0c4571dfc258f0ac26bae67ee5a3c14
SHA512 59635a074604fdffb8605849f4b190bc2832feb1469ee41b8e30aa05b204f25a4e6de1ca2f158280a1a553ecc81de062dbcb14abdc1de6ffebd5c74702bc73d3

C:\Users\Admin\AppData\Local\Temp\SQooosIw.bat

MD5 1ae388e2ff6bb4cc4137152e767fbfce
SHA1 6bc2d68546710d7833851af43d0c9b1d28e91837
SHA256 8f8309dfc1efb040c281ad436fd4707890fc5c03dbbb0b29ced984ae19252d9d
SHA512 ac07bbbcd2b6602bcc02c7ae367a05c9cb51d2a7ee7775f8718d270e81d77bd2bbb921c8537aad11a46030b87495835424a810ef212c986b48663e03c0b036bf

C:\Users\Admin\AppData\Local\Temp\qGAYIksU.bat

MD5 87f04cec5a40bdb37bf0a426e035760f
SHA1 3e58768491214ec37cae9c77e44af2cacdf0e76a
SHA256 3b7c62f4cb45ccbbfb218b8ddef11c23352be7f1cd0a74911d46b43e6c850c8d
SHA512 a20905d4365b4b73cba22f8ae170223a25e48e55b95b4d2185012f02e2a134c8f3ec224387f0510d25d9234051cb1049a9b3e36524d052a4b4a70b01a4f05fe6

C:\Users\Admin\AppData\Local\Temp\OCYEskAo.bat

MD5 2aea19ae4f86ffa80b0e8ee63e5221bb
SHA1 de853b1c92c7e5976b17a5630173af67e1b57935
SHA256 eed5e69f0afa6b9c4209d48ee65da9a0e1c3561d47ff97c84e343fa6cbcf49ac
SHA512 39363beaa5d7c59457641aa84dfb4a6e35d505faee08985fce3e36a5715f70288ef5f9495c69efb97379a89edf43828a91e7eb7156b336bec0acca698627e1c3

C:\Users\Admin\AppData\Local\Temp\YSMYMsQA.bat

MD5 602370aa441e207afe9ac1004bf47836
SHA1 f6f4c98c6792805b95857c9ac51da18cd010cc31
SHA256 20844bc6a80772e3f8e27577ef908a955eb9bf2d48c0ea1e9e0301cd964bfeeb
SHA512 1b3a38478c4134595ddcc5c193eaabe7047cdd0c597290d6208844ebb47f78a493b8e180fd7a5c0a612093c2ef88073ee28660257bd2df03f0efbc6387c9ac33

C:\Users\Admin\AppData\Local\Temp\PqoksssY.bat

MD5 808d4244338e185cf7361dba088ed68c
SHA1 d0c32aa92a7137fdf2b1affd1c087b5c878a44e1
SHA256 2c7eef88333c96196936d12433de17226fb98316ad5b2a97595941458cb03608
SHA512 5af83b696b25de651d312e5a363292ee4eadc5188fe0425447cdd0a69c1f8a19f659bea3e2dcbb3d561edd9dba5d2e2e3e138a3b19b31a65fa75344e0819eb3b

C:\Users\Admin\AppData\Local\Temp\lakccsYk.bat

MD5 ee2823a97c6fd9ce7d1f4c9dafc64203
SHA1 6911ac43155affedf63cf07c62b3098aa8cdc89e
SHA256 57f0edf3980cdeb183a0d5a90f7b376d34464e72d1b22bbedf5d7adb49a95aaf
SHA512 6b7aade9b0fd84a14994b6011b504d1afb3098ba711e736546211b31ac1eb89b7b7c88c617be020efa66d23cec6af1f61901626421d48c1fd079f5d726babc01

C:\Users\Admin\AppData\Local\Temp\LEIsAQwk.bat

MD5 881b42baebfb63194414b6ce0ee4102f
SHA1 89d3e66f96ae38af3d608fce15746df47512417f
SHA256 ff1209875f2f67a197d1328aae0bb8c2f582bdd8aad20978a417f2d4c18fca1d
SHA512 8907c0b8d190bcde1a0da5fca554ec7963c8a3d40d3eab88e2dc4a502f09b89350def736636561c62721dbab6ae97a4ce3dabe62d3a1430a48aae3a875bea8e8

C:\Users\Admin\AppData\Local\Temp\JKgocIAY.bat

MD5 f75775fab93c75b4706b3c84b9503dbf
SHA1 14ee2b7f1f45b33643f3e8aac350b009833dfa4a
SHA256 6825dd4648713dd6f7c14474fc0c99cb4ad3f43a7c9b27e23bae82a9b1b97e5b
SHA512 a7f030a3ff490d54d21f0758e262c73cfd9942f6a96f0d9e6b400b1350cd71c6e72dcc3ac2e33c8cd6f6ea70d9c2cd7d518ddb79e702beb7f53ee191f4b625f2

C:\Users\Admin\AppData\Local\Temp\SaYQwMMg.bat

MD5 795415e346cb024cf726c6ad3d879d78
SHA1 6c435913aba6ab03a02e58b92ab6b52a62e286b2
SHA256 d823a44fdf5a65c4e76379096eff6acb468442d84156b3df1fce120e242b7d3f
SHA512 2bde5751f2511ecf54b4bc680f92a2411320db27656f441eace37e86420d2f3f21fc5fe442d2528aa6dc8e652f369aff15f7f245f6c1a9b640cb440e66436633

C:\Users\Admin\AppData\Local\Temp\YSUgwMAQ.bat

MD5 e777c13f77adb237e0b5ec47f706dd5d
SHA1 3b69cbf9ae2ab8d843d3e7e2579aff80b6d1d778
SHA256 a2d90f960c0dd7db95477a9a8a38c20a805087ccd9d046cea6a3e486f84facff
SHA512 418bab6afd5ae68ff3336af764381a54c9432ab7042aed7a9bcca69c5e426c5ac49e596fa559d55154a957e86fd8db10bce3802bc61095967f70c276f37d34c9

C:\Users\Admin\AppData\Local\Temp\miYQQEww.bat

MD5 a16a7f9d11fc29a1bf38b4e7418f24e4
SHA1 26b7f4ebc1ec195647e5935c07956a1c79e917a6
SHA256 9307117ff9539f20a811f9396a9966be6c4bfb46f97c5c755774edb0fd35f237
SHA512 0cb33dea0df6eb209031503c013dd2dfe237778cfcc12ce22e39d7594dee5cb92304237abc81f1b24249945568800616899fa26efda67c702996f86442b77fc1

C:\Users\Admin\AppData\Local\Temp\uSgYAEkQ.bat

MD5 c3f4576520b1aff2a1b1f1988a48d77b
SHA1 bdb6c3a7490fa6b16253b88c1373058e5b78d728
SHA256 8374f238adf83830bbd5b31538cf9f929209ead34d66b5c4d3a03a04803dcf35
SHA512 a458c5dabcc22a9b9bcdab0ed2f4c3dddaf01fe261908fbe3909f5f474992638080dffe12079c4494e945463e30c63629f8199df3be7e8eac2b26dcbbbfad7fa

C:\Users\Admin\AppData\Local\Temp\mkgMEkww.bat

MD5 549eddfd13b77ace07fafb508dbef8b1
SHA1 1a6194778799731183dffae02cb8f8b2b4e435ca
SHA256 557a1ba3f3cecc09a184a78e775aa06868ce3696f3157da93bb8648048665c75
SHA512 7fe50f073c5006d5fd739bcbda0b0a14514045ca47a812d92fdc5a166de590e048efffc4581723f9361698c037b91ed6d8a24c360e80c97465fe7759b8377aa2

C:\Users\Admin\AppData\Local\Temp\lEIIQYwM.bat

MD5 d4d2a9ab6315fc6880d5d496d9865c25
SHA1 e891b89d58e93267480b17c5b047856425fc350e
SHA256 0d051dd06007b3f34cda9f6e1fd2b48f197fb3b70c52c80ca1719e747ab5eaaf
SHA512 9d9af8a2453b6982dc14c45a259f7b9ac6eeee0e8d629a3f10557746a6e1a172e6962b8a875a929a5864833eef3dfe82825648209374771c78700d6e5cee870d

C:\Users\Admin\AppData\Local\Temp\xugwQsYc.bat

MD5 568882dae253ee258d488f901e2263c9
SHA1 675a2a07c2fce8a7d2df4800a6480dfbbd0067b0
SHA256 55b743c8b2b1e35a25893d86dbf9745bc6bb2091194050a4c9c484f932b6cc98
SHA512 cb4af3e885c0940ea21348b7dbe6a248d355166a9ec7fc2d0afa2516f336911029bc44cd7624044fd9575f929a6b3c55f8da8d862a07ad825262828130265879

C:\Users\Admin\AppData\Local\Temp\rsIoogss.bat

MD5 d5d2e12987f2378e6303e1bb1ed712b7
SHA1 40a567dfabc0d49a9d315ed7ae5b482346387b57
SHA256 88c587a5c1af03c55a87ec668eca08d73c78c88f377a8091fb15c26028910c0e
SHA512 e32ff63bbc931331f52c8a30973abe0ae9c5c37a3f6c6b3e7170735ffe388eb2c374f93be81d30f098778172a33fa0025b3736ac04181b82355d5810fd26c2fb

C:\Users\Admin\AppData\Local\Temp\ZmUsUggQ.bat

MD5 24c8fe195396a0b96891c09fbede470f
SHA1 1b5a57cafcbae70d736bc062e7a6c7f326aef61a
SHA256 69d15e3b8e372c0b91bb7c2f3be3a22a61de55ff4888778ac6eb20fc5990bf3f
SHA512 021287df7ba390b4e6ea38ec824d77373f5d37b4e513ddb7ef1639e2c593d83ac08a1ac7632ab27cb3de107cbb9bdd610f9a8659a65e05b50983fd63ca035a16

C:\Users\Admin\AppData\Local\Temp\oYwAEIks.bat

MD5 65de51a4e321fd1a6f765c3bf3f039ee
SHA1 5cdbcb1c438fb1fc92cf24f59b58ff2d50102cb7
SHA256 839105c1065eb16700c26e7c61298b3d057854de03003a8d79badd6733a9a105
SHA512 21d88ab55beef901e761e00b00f0da8257a20acb9a8e1d3fbb80d763e4c3fe6d891eaad016fdca7f52402d6b7d34dcd9732e884f740ed9bf638b63b005eb1a01

C:\Users\Admin\AppData\Local\Temp\OwUEUUck.bat

MD5 16ff16be5600d4d5004f8fa2fae4f4bb
SHA1 f1416a4ccd0b6c797a7dbb83b182a0158b3556c5
SHA256 9fcb6b5cd64121e29f4650062a9e99d45c226d987943816c2628dc1ec0e1cb93
SHA512 27011149ad44ab28ebb3831eb9d271e42daa4adf1b7fb7d57d19fd779c085885b5c3a794c6eaf6e5bf57bf9b4242307ddd4c43c5ad2f39517ba86ef7c1948a09

C:\Users\Admin\AppData\Local\Temp\kYwMgkcI.bat

MD5 7e147ad58fc49382a6dc5df2cc3cb088
SHA1 4960ef7fe24b3fc48eeef2c78c6f1d5169e4b198
SHA256 1766971ebf8b10e20b430884d605926726ca8cf2f0dc4b75b9e07c6a7a7da503
SHA512 d80784e6e92ace47e1f8abb8ed4ce2d576f98f083fac350154df56b59276de8ec06ab4e8db3661fc87ce01097e4f2c1029af15eada153b8f827bd18802728a87

C:\Users\Admin\AppData\Local\Temp\UQwIsEIc.bat

MD5 64fef9008a43b51803d87bcdb6d48018
SHA1 572592eef1b3bdeda18b61491d9e2d2c7eb85a3c
SHA256 1dd38199adc38d90c6dda72d305b9e170afa91fb970d6ce034b9cb0e4278810f
SHA512 fa9a43af9d3aa0bbd4dca4d00acf151c209e57ae030dd609265b55462ca01e0995f00c290b745d57a0bf8aa5ebdbc7cb0afe40de377682ae06b284bc51965f6d

C:\Users\Admin\AppData\Local\Temp\XaIYswAo.bat

MD5 514d2f6039b6d33b28289ff5941aaed7
SHA1 10cf88ca1720013f008b6a6065390dfcdcc8be92
SHA256 ad98c82c87f81f16d9cb11cd43a2c2b0fbcf3390cdd7bff153940e3812bd8f61
SHA512 97429dcf06499f8d12af888a3abf035da81ab4fbfffcfab96ecfd6f3e697c3f42362c48d9c31082a8b365c2152b3f0edc5eaf81e41ef5b3108403851fe5924dd

C:\Users\Admin\AppData\Local\Temp\tUUYkMYQ.bat

MD5 9cf846f7f208860fb463e34bcaf88d11
SHA1 d3284c29a1636c91b1117a709d2d8ce08f636c25
SHA256 8a5b53da2cbf367576e85991b11b8d7051c0ac78e60d29f60606325f2401d95c
SHA512 41773560b58cc9fa819e3dd6c3571967f50411774fcc87e83fad88bb17a9ffcc64d0bc84d3c0c78d556c7b4350e563b653cfb475688afe33d7cf081e195831e0

C:\Users\Admin\AppData\Local\Temp\BOcggIMU.bat

MD5 d268e08a853327ff6e9474941fa1bb00
SHA1 56be777141d77ab293921522ec1f09b3604e194d
SHA256 c18fd5e6c64b2b6eb19aaa9cff1a3128b38e1d201bd0580fcc1da5b8c97428ff
SHA512 6e973056713ed1cda2a504111721b07e3d2ce98061fe1bd96b766f37cd60e90b38e671ad85a0a4d32a24e4c391867bcbefe058775ce01e746e675925b71e369d

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 06:56

Reported

2024-06-01 06:59

Platform

win10v2004-20240226-en

Max time kernel

151s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Renames multiple (81) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\YMcQcoAA\MGoEoEAA.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\YMcQcoAA\MGoEoEAA.exe N/A
N/A N/A C:\ProgramData\visUkggo\xkgAkUgw.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MGoEoEAA.exe = "C:\\Users\\Admin\\YMcQcoAA\\MGoEoEAA.exe" C:\Users\Admin\YMcQcoAA\MGoEoEAA.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\xkgAkUgw.exe = "C:\\ProgramData\\visUkggo\\xkgAkUgw.exe" C:\ProgramData\visUkggo\xkgAkUgw.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MGoEoEAA.exe = "C:\\Users\\Admin\\YMcQcoAA\\MGoEoEAA.exe" C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\xkgAkUgw.exe = "C:\\ProgramData\\visUkggo\\xkgAkUgw.exe" C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\shell32.dll.exe C:\Users\Admin\YMcQcoAA\MGoEoEAA.exe N/A
File opened for modification C:\Windows\SysWOW64\shell32.dll.exe C:\Users\Admin\YMcQcoAA\MGoEoEAA.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\YMcQcoAA\MGoEoEAA.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\YMcQcoAA\MGoEoEAA.exe N/A
N/A N/A C:\Users\Admin\YMcQcoAA\MGoEoEAA.exe N/A
N/A N/A C:\Users\Admin\YMcQcoAA\MGoEoEAA.exe N/A
N/A N/A C:\Users\Admin\YMcQcoAA\MGoEoEAA.exe N/A
N/A N/A C:\Users\Admin\YMcQcoAA\MGoEoEAA.exe N/A
N/A N/A C:\Users\Admin\YMcQcoAA\MGoEoEAA.exe N/A
N/A N/A C:\Users\Admin\YMcQcoAA\MGoEoEAA.exe N/A
N/A N/A C:\Users\Admin\YMcQcoAA\MGoEoEAA.exe N/A
N/A N/A C:\Users\Admin\YMcQcoAA\MGoEoEAA.exe N/A
N/A N/A C:\Users\Admin\YMcQcoAA\MGoEoEAA.exe N/A
N/A N/A C:\Users\Admin\YMcQcoAA\MGoEoEAA.exe N/A
N/A N/A C:\Users\Admin\YMcQcoAA\MGoEoEAA.exe N/A
N/A N/A C:\Users\Admin\YMcQcoAA\MGoEoEAA.exe N/A
N/A N/A C:\Users\Admin\YMcQcoAA\MGoEoEAA.exe N/A
N/A N/A C:\Users\Admin\YMcQcoAA\MGoEoEAA.exe N/A
N/A N/A C:\Users\Admin\YMcQcoAA\MGoEoEAA.exe N/A
N/A N/A C:\Users\Admin\YMcQcoAA\MGoEoEAA.exe N/A
N/A N/A C:\Users\Admin\YMcQcoAA\MGoEoEAA.exe N/A
N/A N/A C:\Users\Admin\YMcQcoAA\MGoEoEAA.exe N/A
N/A N/A C:\Users\Admin\YMcQcoAA\MGoEoEAA.exe N/A
N/A N/A C:\Users\Admin\YMcQcoAA\MGoEoEAA.exe N/A
N/A N/A C:\Users\Admin\YMcQcoAA\MGoEoEAA.exe N/A
N/A N/A C:\Users\Admin\YMcQcoAA\MGoEoEAA.exe N/A
N/A N/A C:\Users\Admin\YMcQcoAA\MGoEoEAA.exe N/A
N/A N/A C:\Users\Admin\YMcQcoAA\MGoEoEAA.exe N/A
N/A N/A C:\Users\Admin\YMcQcoAA\MGoEoEAA.exe N/A
N/A N/A C:\Users\Admin\YMcQcoAA\MGoEoEAA.exe N/A
N/A N/A C:\Users\Admin\YMcQcoAA\MGoEoEAA.exe N/A
N/A N/A C:\Users\Admin\YMcQcoAA\MGoEoEAA.exe N/A
N/A N/A C:\Users\Admin\YMcQcoAA\MGoEoEAA.exe N/A
N/A N/A C:\Users\Admin\YMcQcoAA\MGoEoEAA.exe N/A
N/A N/A C:\Users\Admin\YMcQcoAA\MGoEoEAA.exe N/A
N/A N/A C:\Users\Admin\YMcQcoAA\MGoEoEAA.exe N/A
N/A N/A C:\Users\Admin\YMcQcoAA\MGoEoEAA.exe N/A
N/A N/A C:\Users\Admin\YMcQcoAA\MGoEoEAA.exe N/A
N/A N/A C:\Users\Admin\YMcQcoAA\MGoEoEAA.exe N/A
N/A N/A C:\Users\Admin\YMcQcoAA\MGoEoEAA.exe N/A
N/A N/A C:\Users\Admin\YMcQcoAA\MGoEoEAA.exe N/A
N/A N/A C:\Users\Admin\YMcQcoAA\MGoEoEAA.exe N/A
N/A N/A C:\Users\Admin\YMcQcoAA\MGoEoEAA.exe N/A
N/A N/A C:\Users\Admin\YMcQcoAA\MGoEoEAA.exe N/A
N/A N/A C:\Users\Admin\YMcQcoAA\MGoEoEAA.exe N/A
N/A N/A C:\Users\Admin\YMcQcoAA\MGoEoEAA.exe N/A
N/A N/A C:\Users\Admin\YMcQcoAA\MGoEoEAA.exe N/A
N/A N/A C:\Users\Admin\YMcQcoAA\MGoEoEAA.exe N/A
N/A N/A C:\Users\Admin\YMcQcoAA\MGoEoEAA.exe N/A
N/A N/A C:\Users\Admin\YMcQcoAA\MGoEoEAA.exe N/A
N/A N/A C:\Users\Admin\YMcQcoAA\MGoEoEAA.exe N/A
N/A N/A C:\Users\Admin\YMcQcoAA\MGoEoEAA.exe N/A
N/A N/A C:\Users\Admin\YMcQcoAA\MGoEoEAA.exe N/A
N/A N/A C:\Users\Admin\YMcQcoAA\MGoEoEAA.exe N/A
N/A N/A C:\Users\Admin\YMcQcoAA\MGoEoEAA.exe N/A
N/A N/A C:\Users\Admin\YMcQcoAA\MGoEoEAA.exe N/A
N/A N/A C:\Users\Admin\YMcQcoAA\MGoEoEAA.exe N/A
N/A N/A C:\Users\Admin\YMcQcoAA\MGoEoEAA.exe N/A
N/A N/A C:\Users\Admin\YMcQcoAA\MGoEoEAA.exe N/A
N/A N/A C:\Users\Admin\YMcQcoAA\MGoEoEAA.exe N/A
N/A N/A C:\Users\Admin\YMcQcoAA\MGoEoEAA.exe N/A
N/A N/A C:\Users\Admin\YMcQcoAA\MGoEoEAA.exe N/A
N/A N/A C:\Users\Admin\YMcQcoAA\MGoEoEAA.exe N/A
N/A N/A C:\Users\Admin\YMcQcoAA\MGoEoEAA.exe N/A
N/A N/A C:\Users\Admin\YMcQcoAA\MGoEoEAA.exe N/A
N/A N/A C:\Users\Admin\YMcQcoAA\MGoEoEAA.exe N/A
N/A N/A C:\Users\Admin\YMcQcoAA\MGoEoEAA.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1444 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe C:\Users\Admin\YMcQcoAA\MGoEoEAA.exe
PID 1444 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe C:\Users\Admin\YMcQcoAA\MGoEoEAA.exe
PID 1444 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe C:\Users\Admin\YMcQcoAA\MGoEoEAA.exe
PID 1444 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe C:\ProgramData\visUkggo\xkgAkUgw.exe
PID 1444 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe C:\ProgramData\visUkggo\xkgAkUgw.exe
PID 1444 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe C:\ProgramData\visUkggo\xkgAkUgw.exe
PID 1444 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1444 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1444 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1444 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1444 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1444 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1444 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1444 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1444 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1444 wrote to memory of 628 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1444 wrote to memory of 628 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1444 wrote to memory of 628 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1444 wrote to memory of 4252 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1444 wrote to memory of 4252 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1444 wrote to memory of 4252 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 3548 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe
PID 2576 wrote to memory of 3548 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe
PID 2576 wrote to memory of 3548 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe
PID 4252 wrote to memory of 1436 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4252 wrote to memory of 1436 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4252 wrote to memory of 1436 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 3548 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3548 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3548 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3548 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3548 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3548 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3548 wrote to memory of 3528 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3548 wrote to memory of 3528 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3548 wrote to memory of 3528 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3548 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3548 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3548 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3548 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3548 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3548 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1388 wrote to memory of 3392 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe
PID 1388 wrote to memory of 3392 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe
PID 1388 wrote to memory of 3392 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe
PID 2264 wrote to memory of 2356 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2264 wrote to memory of 2356 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2264 wrote to memory of 2356 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 3392 wrote to memory of 4960 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3392 wrote to memory of 4960 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3392 wrote to memory of 4960 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3392 wrote to memory of 3916 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3392 wrote to memory of 3916 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3392 wrote to memory of 3916 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3392 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3392 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3392 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3392 wrote to memory of 3200 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3392 wrote to memory of 3200 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3392 wrote to memory of 3200 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3392 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3392 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3392 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4960 wrote to memory of 1796 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe"

C:\Users\Admin\YMcQcoAA\MGoEoEAA.exe

"C:\Users\Admin\YMcQcoAA\MGoEoEAA.exe"

C:\ProgramData\visUkggo\xkgAkUgw.exe

"C:\ProgramData\visUkggo\xkgAkUgw.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lIQMwUcg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bMcYEgoA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uaMkokoo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cOggcooQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3684 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
BO 200.87.164.69:9999 tcp
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
GB 142.250.178.14:80 google.com tcp
GB 142.250.178.14:80 google.com tcp
US 8.8.8.8:53 14.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 172.217.169.74:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 74.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 90.16.208.104.in-addr.arpa udp

Files

memory/1444-0-0x0000000000400000-0x0000000000476000-memory.dmp

C:\Users\Admin\YMcQcoAA\MGoEoEAA.exe

MD5 feb63942d880d39a051c4bd2425839d9
SHA1 46477f1da428f88e1222720a182dbda9d5432a84
SHA256 c4f33c76406201042babc9c37e7fb19718220cf5ec953d0608b2b38513628c8f
SHA512 7c08f4b17860049a849c9f44d8fad8e81f16af480c130e130ec34f5b4c1756359ec959288397ac41399b2d5eef5139c020cc0e81a227ddfd0ebb2d2f7c14f536

memory/4600-8-0x0000000000400000-0x0000000000431000-memory.dmp

C:\ProgramData\visUkggo\xkgAkUgw.exe

MD5 e304f1ad9e984846782e7ea060b8d0f1
SHA1 95235047084b0287aefd1f70e45dd6055b966a70
SHA256 0989b25e7814df27ee21ee70776e8fb7c328930d9f98285c3c23988ccd9fe954
SHA512 553771ca7c2534291493e551ec809fa293b21aa91aa0bfb89b75565f1c86b3e34529db8eafe476a4bcef4fe3fbb1c9293687312cb03741ac120b5e31ce03d77d

memory/4824-13-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1444-21-0x0000000000400000-0x0000000000476000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\lIQMwUcg.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock

MD5 ea4ee2af66c4c57b8a275867e9dc07cd
SHA1 d904976736e6db3c69c304e96172234078242331
SHA256 fa883829ebb8cd2a602f9b21c1f85de24cf47949d520bceb1828b4cd1cb6906c
SHA512 4114105f63e72b54e506d06168b102a9130263576200fb21532140c0e9936149259879ac30a8b78f15ae7cb0b59b043db5154091312da731ac16e67e6314c412

memory/3548-31-0x0000000000400000-0x0000000000476000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

memory/3392-45-0x0000000000400000-0x0000000000476000-memory.dmp

memory/1796-56-0x0000000000400000-0x0000000000476000-memory.dmp

C:\ProgramData\visUkggo\xkgAkUgw.inf

MD5 e3b60220e7ba9a6593a3dfbe28057f89
SHA1 7e263afe18eeea2a4bbafe26e7da86703fa9197a
SHA256 ecabf1c6e2c1b93de4c9ce2811bec7b59f64b4e6e9f41d55c6b59dc7d68a0c32
SHA512 eefec9cc85eff64ce76a4113e550eafe594e8b3e8880ce5f0a610c92ba176862b95e762bc7e9dcb555e3e76b95608ee1c46fe87f85fd7ca5e09aa12cad6b828a

C:\ProgramData\visUkggo\xkgAkUgw.inf

MD5 1319f08c326c80eeb2621696fe101b69
SHA1 8cbe01c06901177ec8d0f8a71820af4dccf28e56
SHA256 a14e22391596b840b41edf2ab440ad5935b9a92e15825049d01ad25f98789f50
SHA512 ffa1859b994941bd44a07e734a00e04c5d5b5ee834d16604ae5848b799e106a7b9926e36b436f01ccb0a95a7068f862c22c4beac4c82d2990054dbec38c44110

C:\ProgramData\visUkggo\xkgAkUgw.inf

MD5 71d3fb78d3ead1fa9a1347d8ecca6b8f
SHA1 448c3e484ab2607261243e0aa3396aae6850277c
SHA256 3fa8c3ae2a687274da4f33b1e516570b1512c9ffa1b5a1292dcc76431fdce2ce
SHA512 5da33f8bb4a0cb069286b7f14a1e4cdb3bd76a602c16b52bd4eca99cba141e9cf484327aea17fc5cc0129c9a8974613d84959e968befeec200b37be97360c7b8

C:\ProgramData\visUkggo\xkgAkUgw.inf

MD5 3bba4df98ade52f8650cd8be1ebfbc3c
SHA1 d0f6364b1ae27c435ff0ff00b092eaf0e221c0c1
SHA256 514c9e935fd472def21a0e2b735c23983ce8bf76e085dd2602725a899d1ef83b
SHA512 8a004bd21e850eca5a15d4378688085f0e79a5b637011c2fdf94c902941373e5b5ab5e5172d1ce7e99a19f9507cd3311d9fa83e4291a091761e5101f77af2cc2

C:\ProgramData\visUkggo\xkgAkUgw.inf

MD5 ad8fe9d957122870360eafb4637a5668
SHA1 01fee53d0cf9945231eaa6fd4c69a78745bdc25c
SHA256 8b1ee7a5f1e208708729dca2c2e8569f822138dbe2a5c61a4cc246e047a9dc8f
SHA512 bf001f8c2f0fb1bd4948c09800fa49c9eec8edb7475fb95d7b1a0692f4dfbebffc0467c9825f7af853ef10d2fdac2463dadfc7c55a2884fceeebfddd77d63bd4

C:\ProgramData\visUkggo\xkgAkUgw.inf

MD5 569e3b81af746f4ba08718bfc6a91716
SHA1 517b2289d76af1b68b89c1ebfafcaf2d715bfd43
SHA256 bf49b52a20298eb021ca514b06006dbc6c2ae45d542a07e4254e170fabcb1c45
SHA512 f8adec022b429f836637164e2452dcad561cdc1e5cce4381f542acbe4a2be0ad145d31d2243b2e50d207fcbc7e797ca43ca4d5e3b5d93ae4d38fbe1dbcec7d19

C:\ProgramData\visUkggo\xkgAkUgw.inf

MD5 26bc480da3a52c7e9402677f011b7e84
SHA1 64487b58c90f3658a8c16e431e9d53bf05f8133a
SHA256 f5b60715dc555e180b28b18f4a3f6d0b590e0afd3ac10fe7f119f558744d2d0e
SHA512 187c97b91f93aea5f7bb389ca61662891864657948895b42655368ea3d82516df7dffe1bbec2a06e3948bc2cb7f80cfd339e81b487749409f21f7728bf1f5121

C:\ProgramData\visUkggo\xkgAkUgw.inf

MD5 581b1b781512e98aa7b6407d2312a10f
SHA1 bafece8f861f3543dd375dac73d4852cc70e12b0
SHA256 8bccbdb956785e4323cef9e213333c79e8f4067ba4ddf92c39976997a1631b38
SHA512 abce8004d1e8c7d51698fee99030a95f2f9550299e4b5e70c775111bd4e51fb9e70e24dde560c730212b9399d1edf331918eb26c4caa3cd43765c03398ed303a

C:\ProgramData\visUkggo\xkgAkUgw.inf

MD5 92a637511683a3f9c7f4a34ceacd293f
SHA1 479bf175210b226cf3fcb0941ad0129be79a71c0
SHA256 6048eef0fe98d181f79235397d08e0d0545590c45483bd58a7ad995524431bc5
SHA512 e60d47c1a36011bc199b4f5ae7826d95d62dec5160c081c2dfccea0b7ac8ae893fdc21f7714bc4ed24c1864830f443336b44db117ec2e069d516c8d939b47b29

C:\ProgramData\visUkggo\xkgAkUgw.inf

MD5 5dc3b4bdb775879591461ef1a56c20c6
SHA1 bb6436d6cea931b1e33223c31efcb7b5081a4aea
SHA256 33601e8308d67afd02db9461aafeaa214d76259e76303d9ab0475735a054e679
SHA512 0a5f3b4055b67f0d005a5cf4a3ebce6764fd03394eb71da1d58ff947de83e7c8ab866ba43920d8554eb3693517ff3d7ab4a87588bf23c620f8d67c7c3514a3ab

C:\ProgramData\visUkggo\xkgAkUgw.inf

MD5 08b6e308ee9009a082d6bfeb8fbb9a9b
SHA1 d1b9e65e2c841099e6a87d73d282e9a20a87f5b6
SHA256 c4548c50833ab925b4326be80d3fdea659b723a46bda43df944d80b70a42d077
SHA512 300fe0e9715f060d1bb55966c7f5a22348d33a5e1c8fbee309a26ca0530b6beb40ef83f95e3cc41f1b794e311d52f9f35a4b9765b4d266b68b4ae731293f4a3a

C:\ProgramData\visUkggo\xkgAkUgw.inf

MD5 4f6f6f0074ac89ba79664ef27720a263
SHA1 0acc2439fe83d9a9248af021be267ff1646fa7c4
SHA256 cd0a1108d641a09c59ecdd7b3d4058b8f51211543ea6ef0952cd02fd736c8edb
SHA512 d5f92b715aeead993d75b8d28137bc498fa40bbc0b0a6d0095e8170e4e8861c3abe7054415bafa9bfb58618fa44c968dff0ea18f522b5cc486885e462cb21543

C:\ProgramData\visUkggo\xkgAkUgw.inf

MD5 8c2c8f64bafa9391c54a41d146bc59ef
SHA1 ff93240b411bf2cc0be0de62cf29ecd9eb6e9582
SHA256 f475a00e1196d6d6dbed7dd59965e067389c0199412a8daec96cd2b25aca9b93
SHA512 e8d881b6874e4b4231f9054adcf5ca99a78718ec8cef972e9a2bcb75c6faa78b17ea3a3a515921c734a8d264f5b1f0f7a29acd0d33932b8f5c3080922fe79bd6

C:\Users\Admin\AppData\Local\Temp\iggC.exe

MD5 106b6436f7c7bae5842c7f3e7e9bae59
SHA1 c3c0fd7b158c9487eb9de533e5b775de13c52cee
SHA256 8349a99ceb03545aa8a29d0768b291b4e9d7313d52d56636a1950b2e065e920a
SHA512 ec6002e1c100c55b57cce4e4e265b2e39b5cd2e50b465ba537f7bf77591f20e548c8e662a9d6c7723a4406f7bcc516ae900bacc5e57b11ba017184b8fc09629f

C:\ProgramData\visUkggo\xkgAkUgw.inf

MD5 61e777fb909a0fdedfb906b17aa60e68
SHA1 498b494c08a87c951ab1b06f918f84d44ffe2aa3
SHA256 c2434435e8016c13c70f50ec6bfe08e0c59da5a317119f28bd8419a0f718ad98
SHA512 fe9bff33556b78f30d2571e6da4036bc3bfe14634b31e05014e929d99ecc17a3a5280dc49eb86e33518fe9e0d515399209ec1d9e430aff6d61b18b7a9f047b38

C:\ProgramData\visUkggo\xkgAkUgw.inf

MD5 cbc7b107cdbedc6e046710f2c558269e
SHA1 6cabe1d3752f88d30a89deca7e63ae0d4e090b94
SHA256 d687dfbf7ad81fd6340cbd8c60bd705c0a797864498d623de13cff49b5df7bb2
SHA512 b2bc00d723ff2aafbb00f6cfb46760aed5edf3e9c8ab4a83da7f37db9b0b54f4f35d31f237960551cd7d3e28d22b090f7cd8e3beea5f89e0b9a53deb54264f2c

C:\ProgramData\visUkggo\xkgAkUgw.inf

MD5 aee4c40b971addf350f3b9900a6c2539
SHA1 5860cba1734731acb86d40250832ff497aac9e2e
SHA256 066990273e7404c64132dd10adcf9c0c005343b63e7fb12e3256041871f83f22
SHA512 24a48b0b91b7313a718ae9a55c752f86ab0d97244063cf51d2fdc6f8e733ef6ad88876a8e415adc71daf8002425ba59152901aae9161103fcd814a5cd84fb655

C:\ProgramData\visUkggo\xkgAkUgw.inf

MD5 0ca8e6dc699229da08451fc0b1640c40
SHA1 5493b14692be5c9c8701be3c2e5c8809db6d4596
SHA256 1be64ac28c605b4904c4e12ee72efc44d80347f80f0574503bf7cba5432f88ca
SHA512 7e1957422bcdafaaa21556a0a2cf3b6e17403e373f63c5048187c5dd4c8c58d2b2a4847e6b91755d7d01cd8d1aa87afd4f7bf5ae91d041603364a7f9d31bc933

C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe

MD5 18ce512e09d51d398e55879d32b1c05a
SHA1 88c32444f60b09324131f8282af163ce0aeaaa2d
SHA256 b2d16456f36acc10f0c382b8cf5bf74c6745d25166ea4353124a5930ca37dee2
SHA512 9b46700f157639c759c40371c91068784dcf7cd944ebb7ec6282128f3ff7a1224078777abea15cb06a6bd104f5b4b911c626aa789e4e2467fb26a4dffc397b7c

C:\ProgramData\visUkggo\xkgAkUgw.inf

MD5 4efbbb37ba8dd0ab2f5dfd351f0ca58c
SHA1 e4c27dc76d1dcc692c49611807c397108e77da69
SHA256 47782e9341bc472959f85c0e297e0bec925b8d3b41809dd2339b87def117f432
SHA512 ba106fea872fb183f19137cf3f8e2c8b973e3a0670e97a26c591bfbf1ff3d5a8fc0b978788065af8e4cc9566841108a56660f332b55440cbcbdbc3710668fa5f

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe

MD5 d466a0cb4598e032df0950df3db57269
SHA1 2f32b7896e94245c995faaf0a4b455052d9ffaef
SHA256 1b67e7f08dc3cd1fdeab8f17f1e84feec7768b2fa52304bf6d7fbaaa2e6e9245
SHA512 1ce72963b2b534ca17f0d0e8939449a70406a9ad23ea2ccd348c62a6db5bf06f8edfec6581022b2baa64a7d69b756e1403d8fd734185531c9b7a4e1961f141c6

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe

MD5 3e0aaebcdea4f350f87afe8f7b963c3d
SHA1 faec8fe67ca161156fc1507dc69941ad7f2fcd10
SHA256 5e0c913a62c4e7edbe1e5bdda5c4689f97fbd0d50b0796410703bb4bbfb9e16e
SHA512 272a4e2d7ed377f2517622b614eb0ce3c1ba78cec6b383f7096c5b3a32477a4f639d6d71364738e14f645e9597c826a5d8e0f56f10d35c6a638a8ffbfca2b7d0

C:\Users\Admin\AppData\Local\Temp\iQgo.ico

MD5 ee421bd295eb1a0d8c54f8586ccb18fa
SHA1 bc06850f3112289fce374241f7e9aff0a70ecb2f
SHA256 57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563
SHA512 dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe

MD5 0beaafdb0a7e8c3b13de787c32dbe10c
SHA1 4670d1d4d9c300b2aa5274ff1f164446cf1b8921
SHA256 27ed7eb28c8ec6bf610488e104acb7ad5c71330987a70b0c67023b031e08e887
SHA512 edf8b282a5e87f6232c826f570b94fb410f868b043d39b04915f5939fb05e36d5ac508078bc4df6834977fded557f2840af55e746bfb353e269b9812893089f8

C:\ProgramData\visUkggo\xkgAkUgw.inf

MD5 05db670a9012656ec64de33fadde8941
SHA1 2c5deb660d5e20c0ddd045a271ab364e8794321c
SHA256 a9ac1f1f2ea062bbe19c0353e1701646026b1798f98cb2e249f93ea7cf0741ba
SHA512 4435bff6f4008b9ea8ff61f2b8add16ac83d8c1709c475cb7e0f848b995c4610335d93b312556619243d3332adf7ddd7504f35de09f14b8fa0aa0aa7a1aca5db

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe

MD5 b7c6f57c4d33804a04064506bbe8966a
SHA1 31180d26ed254fafbe0ab62bc1e503f1a8193f1b
SHA256 5c40ed948dd04552034b79c507824265419dce1ce098fb6d51dbc09e1ba9cf66
SHA512 3ed1365bf6edf321479caa5b8070f780c9a8cf156b0e5abe86fa110b0325f4c8481aec0fdd00a6ab74aa6180edc7897644e186edfa8523360ecf82a0253675b6

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe

MD5 c9c25539936d9b013e9aaee9bd8e69f2
SHA1 b17dbc7ca90148d940849c6d1bc4225010a6de4d
SHA256 1818da74532d04567a0afd552937a499aa0f9c67ede8b945de2829339bc40b9e
SHA512 033487734c5d3592f02f715624a2d4ea5ab3f918f59a04d7b9303b760ce224659d556e995e61d0e20d562cbe0d73b03fef716b4ae267c394f26bd984c4be3949

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe

MD5 da3e7e8cd23d98b69a616785f23ffb10
SHA1 1b67ac162150a21016ba1a76e55575ff798e0a9b
SHA256 31c70444b1524a7fd8cff5eb21188af2dacaabd54ec8ff17dee83c19651875c4
SHA512 9238184220aeb834d0cc489ae9e99f54e7c2c57ee119141664d793ac8ab1c1e22a6b6d9316c5866f3f553464a44c1aa0ad8c7b0608c74eb40d17b09ac2228f7b

C:\Users\Admin\AppData\Local\Temp\GwQE.exe

MD5 55aaa93a22949cc2ed8a87c48aa09e09
SHA1 8aaf5245522ac4db3a3104a3714e4273515e4409
SHA256 059bf081abcb157796f23c88a2d3271165abc9ab863a765cbe56d9eca7cb9405
SHA512 fb0d3689249025227129b8b3cfc5b050654e088fae7905c79b9610ac724a3fbae855984122ee65f14b74133cc4eac1cbc422dcb69aad6899857276dcbc4325b9

C:\ProgramData\Microsoft\User Account Pictures\guest.png.exe

MD5 2199f7282afa16434aaac145d48713b7
SHA1 8adf73afa84bd0f07ad3fbd418d48d9c5d4e0339
SHA256 995ac89bbbcbcd13d5f1e3a1a4351e9dd37250fa2e99bda042b8d6f23d51def4
SHA512 487431b8792b91e34c6435910dff9101b29bfac9e97b4e47e72ed2336f1e10e1c1896ed8fd10c6b44f90e57b0ce70aa6f55f4288119fa5657d51f4e3ef517a1a

C:\ProgramData\visUkggo\xkgAkUgw.inf

MD5 20b3b1b1be04e39c21e0b1320a0d8990
SHA1 d71d9add25cff34d9afb8e282e88b01b379134d6
SHA256 4f264a5c1b5487f4da2d89a51e469bb556716f7a066efc0ed7ebb0330f021ca4
SHA512 0333b32d86a20e169d9b2156226a486917059b9ef8875c576a16ec1b999953882b593affb57bd43e24ac2ef8b8bad42e36d1d4fa1f7a87be0f2109393339e2d2

C:\ProgramData\Microsoft\User Account Pictures\user-192.png.exe

MD5 6e2388eef10a1529dfbbd25b8f73a608
SHA1 65288c8513f6671538207a5e66f523754f4e34a6
SHA256 71ffdeb040df5c9a84b53e6aff77754b8fd2029d8866b3e50019a4ac8066ad7a
SHA512 151a21096eb745439a69b8042d72fad8c6e3766fcb15fa869fd62c1821c3d95cf277d85140fa2c8d5f1cc29bbb1ad73289681af61486d96f678b00d0397dc71d

C:\Users\Admin\AppData\Local\Temp\coAS.exe

MD5 3eda48360dffaef96a89c759b53443e3
SHA1 b78e00121ef1158de8f69335c6c9b44a12c19470
SHA256 77e6745ab43383bd8b08fbb7fae24933136025cbe00be5af51fd925959619582
SHA512 440091183d84165cec5eecf80552cc30feda908fc1c5cd006b353ca8c6115370589757c77c2b0af89af48168f88057f1247774205bb6b3d866584e79513b90d9

C:\Users\Admin\AppData\Local\Temp\sAQA.exe

MD5 149d08d93dad841c926f62c67fb1c91f
SHA1 5f0c386d3bad7b700baf71733b66c3c717b2e172
SHA256 742f3f5d822d2b47be43a9a6e4130ef9a556bf17714c23ac73daaad6428a1f49
SHA512 7b71c7bd25e8b8ec5aca4779c44874a494864c911001d4850d04e9d533a5abe1c22d0067cdf0357dec2c362833529188cb76a5fe7bda08ec3b2982a02d86969e

C:\ProgramData\Package Cache\{17316079-d65a-4f25-a9f3-56c32781b15d}\windowsdesktop-runtime-8.0.0-win-x64.exe

MD5 e31023cc0cee30a6f1f7bec2b42e8d76
SHA1 562e395a3d47d2ec9071216d857ee8f1afe446e2
SHA256 5417b201ba54f0d8f5e8d7b59f61f28ae5d43a96c0631bfab31b256ed607c4cb
SHA512 6aeb2e20287ddcc5bf4dc8193f801d4b3b457ba25ffe170388e36edc04455ae17d5a9c47b98a23b0e276bab464540ddb2032a6ab43f577d092b9e0e0bc5dc486

C:\Users\Admin\AppData\Local\Temp\kQow.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe

MD5 6aad575d4cfeb62f824338b9fbc108a9
SHA1 e3b1a31c4c962095177fe8955fbbf688dc256e6b
SHA256 6db43a90e7fa687a749308e2766597eb7f7cf1a4fbdd62640cd623de4819bf14
SHA512 2a675a15de5e344abeea06e3ab0aaa664a80fa3ea7686f74b06b892cd812eca1b7792326d72fb0d0763672157b562bcd3a0747164faf60e583b8ac4ca1b465ad

C:\Users\Admin\AppData\Local\Temp\HkUQ.exe

MD5 58af0550d322658621d960517589b730
SHA1 6754cf9a224f2eaebfc1bc6b9513725ff42ef33e
SHA256 ec7ad265ea2cfd509eb6f8a68c8a5aa97911d9ed827a3e4aadec52b3401e9de9
SHA512 cd73ddb20bb14b3c9529fa2cfc93a3f8a8439ac448ba74f2bf185c65cbcdf1bbb0c73cac323c271e3ae50f88c2e8920b80fa25555e85b25dd332d8a7c20d8814

C:\ProgramData\visUkggo\xkgAkUgw.inf

MD5 2fa8091800d3b43a79385e8c6a612921
SHA1 e26f4e8c95d4b8e9ee552c3f978be6870cada221
SHA256 20d17380c2de44b50405d84a6986ec8b7709392b95d258f138a71c5b8dbe1e94
SHA512 a188466b112d61acbc7520d1cb211f4d2b20fa6d9aa1774e877b03a2605093b6c1f84aca386ecea93ad8fafb410cebc536e35f238673016a566cebb4078101a2

C:\Users\Admin\AppData\Local\Temp\Yowk.exe

MD5 3af93e64ca6fe20c0db0a770e03c0d74
SHA1 1a1f17896446fe12a5482d7984501592266e04b6
SHA256 80935534d4ac806f111158fbf6ea246931b53fdf19e83d3d08bc32928980f2f3
SHA512 e13d597fa5bb00b77bd19b168e324af604a460fd1cb5fc308e8bcce0cd059a2f03ed8999c13d11ee5c919e9033be26ab7e0a2bbdc503728c7bb438283160e928

C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe

MD5 0f7ed2801e5aa9313464895169deabc5
SHA1 c8eba553ee3e59be4fbe3765c29c2b2b3220695a
SHA256 b4a826f572cdb3665de8a768920ba6944ba89582f0dc0dba7c2b3b14ba0861c7
SHA512 e2638c50a01c58af80fc17d8cc579bf8ba9a794c694d774438ad78da36747d57fe3ec6294d8c784e8eb263614f17dadfc149672d311ff9c693d49fad0dbc4dcb

C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

MD5 df7427a38e24b9de436e830b393aec1b
SHA1 286cb6c4cfdc42e14d70f923c35d831fb5335492
SHA256 e5c16d287d3873ff0c4affb1a23323ccffc98392eca45f62ac8d81570d1b1368
SHA512 a9db60075513351e10d6f9e8f698974f9e0aa9087edafcec56bd183c9f92ee77d20e341738c579cb72b0f6cd0024037a416fc4374f0f2d9c0b88aa6d466ff227

C:\ProgramData\visUkggo\xkgAkUgw.inf

MD5 84c2b6e0479a31479966a57b44ae9ec4
SHA1 8067e1f1a4f798f8ca130ec9921254efd1c63896
SHA256 88b7f7cc200e583488f22ce4fc7884d578dcd24666ccb55b938c808f87ade581
SHA512 5ae0546c2d9249114809b9f41ebec60702999d2843768f0cfa1740f6b6da02ad16b533fe86e7d7c984239d3388fc56a2dc93b2172ab1dcfb091b4da54dc26f87

C:\Users\Admin\AppData\Local\Temp\CgUA.exe

MD5 a85e5d66d61bfc40e1dc75c517ec4968
SHA1 cb1bfec68cd225f80f2d0a55be0a592045370d17
SHA256 1785420b3ba39081f4641a670d693fb4054a9399865e8265c3ffbb47559343e0
SHA512 d06443b7d0f8839eda2b32f7f22444c35eaf66303a89c1d4f26272abb6bddc687081f0713794ecc08f40c3c6e2df6ef835e64554b49077b1d399bf54d8e2c643

C:\ProgramData\Package Cache\{fb0500c1-f968-4621-a48b-985b52884c49}\windowsdesktop-runtime-6.0.25-win-x64.exe

MD5 644941f8364c7b353af280478c776765
SHA1 978976446611d6399881699ea9121beadcbea7b5
SHA256 a98f1d25981ec3e22b87e5c6c0ff5ee7dde57cb81016c2515ad4ea3ca759b5b8
SHA512 a8c5b820012dac6f069a2394f3238294784fcff0a2bf2461046a256d32027f08c5b3176e491177031aa1ab6c6fb82f60a7df5b5341dd32a01f9713c8f4810361

C:\ProgramData\visUkggo\xkgAkUgw.inf

MD5 7b674f8ac5432b1b5180e06cdc1db820
SHA1 a77bb4b4a6c439c3d5d411cc9b95e21f20e3db41
SHA256 a916d3ad00224457c06fe4540a8277ed6b18d516bd6b331fa5831f6be6f2ee72
SHA512 eb018cb7bcbd5e60776d340c66cb7228125157e02d4576adbfd2e2291fe98f306bb22d3092977fe22ab5af1a4683fbec33ba6a1cc559b1cd95cd41aac5e87f6c

C:\ProgramData\visUkggo\xkgAkUgw.inf

MD5 05ec1870d0ffb0aee668bb527c7ac9f8
SHA1 89493e2b7d093b94a0201c9104261411b68d704a
SHA256 2b54eca3ca0329d0550f32df07bc8657ac551dc2ea77173f07fd0bfc0b82ade4
SHA512 62a7c8a558d3cb00bad4bdd90072260345049c6108760610a53e4c1c9d96679e299ad95c89d7622d60853492a7ebd747d16c0584d6e344eb7709744f82ef4213

C:\ProgramData\visUkggo\xkgAkUgw.inf

MD5 8de5364eca2143600930bb3542a5978d
SHA1 ea084ad92d7625c526df56bd0d934f4d666c98d7
SHA256 0883f5dc8310725d1f37b100d8e60536a304788d7fdcf327b01c430b474abb31
SHA512 dd7cd86e9610c49e8e1b051cbd424b93ecbfafcf756b6b196b1cf86d5a2707099cd3293f3f96c907a728fcafec70da3c9cb7573639da8a34958d78a1ee150da5

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\128.png.exe

MD5 63490e7c36bfa438e14a52df105891b3
SHA1 dc9085e0ebdb4f715bd1e33bbaa28c8ff99dccbf
SHA256 d4beb7819378590bc26520d1b630c86993cdb48f6d11425e61d330f2f3714f98
SHA512 e9cf513f276d1c0df1cdb19d0d13b7909132b5b797d32d3e7b1a639765da79e2e40117fb8e9ec6eaa4194fd4d8ed8f21587ba0af937e81dcd9666ca81265c8fa

C:\Users\Admin\AppData\Local\Temp\ZgIA.exe

MD5 e5661d94b2603665d6410c7e0ef70edd
SHA1 3fddbe3e7ca02656aeebf27d2106779d7b28410e
SHA256 2fc2196f2b8f97e9ec3c39b845cee19cf93709ba94ec1b6cdee261989165cff7
SHA512 f17e22ce8dfa2ad3b78db7eecc94b2e8c5f88fae815315f75e7fa81ddf6b7e0ae31e76075137b58b61adc879d157e09b9f2f2eb9cdbd341ee0554312ac66173b

C:\Users\Admin\AppData\Local\Temp\sIss.exe

MD5 fba6710a10429dd63d9a904f6ef1f3d5
SHA1 7f05b6b58bf0b4140758c9b7111d93365aeba395
SHA256 2524c5de771ec207168f9f3c3b8afdde630c15cd3e8b48190ac9dead3e8acb0b
SHA512 c837bc9f7a86a24b947c8ed261fbab5718f74a5c04525cf9871770492e6e3ce881f6f36b1ce6c73ec7bcd9be378479cbd3c69528261cb789526d1690c2b3c84e

C:\Users\Admin\AppData\Local\Temp\rAoI.exe

MD5 b0c8064e74edeafe001f0c07aa56fa65
SHA1 bdf82425f279257a00545eec7743480de42c6b8e
SHA256 b9a3e3f0c194fe2397c06c0e0761bbdfe6a2efcaa338c9f75206b698d58ab227
SHA512 f855620f01c67e632658be30c7a3a9f577a441e625b2f35b01edcdbfb5c8a8d030bbfac2d006df7a4e3b09e9e7c9511ae6b7ffb0ee9e59c859e10782aa77cc6a

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\48.png.exe

MD5 8a5b0cc048695633c15cce6c984a20e1
SHA1 ab3da0aeed231a6a04a045f12e594bc8008fe4d4
SHA256 01ba40c4108ea6b3d647b649edd9047171f6459c98d57f0d5cf61aa5b1114660
SHA512 30b708df404c42920bd65b3dc480d16383113347ea6d004925821db7f172ad07f023131c8d1d200ba0af69b73f74958d469af03bee024c86419e60c30336b327

C:\Users\Admin\AppData\Local\Temp\wkgq.exe

MD5 1b07f9caf4c231cbc8cf4c25bb3b657c
SHA1 c37840ffe018550108a87c8e45b4c9e4fe082b30
SHA256 16e1988115fd7dceadcb280e7b745bbbc88bb0bb7921ce5415a06126f6f4f192
SHA512 a10d05ed69ecccc87de6261abd0e37f9cae4c5d8dcbac0dba8996cc49453132199b5671f197f659ed0ca485161bf7225f6a057588a986907d78e7661064ca78d

C:\Users\Admin\AppData\Local\Temp\VEgy.exe

MD5 5eaa2d792e3a951e49562d23019528fa
SHA1 5d6ba95d99cd8450f45c25e2e01a1e34588f76a8
SHA256 d0c505f5a0ede6c0711e9b82c11bed3004e02f7a91f7da558901808161762ba7
SHA512 308460cc7dcb44e5ce1d2489a28a375125d9b7ebcc6d2b848e091d6bbb319f2f03336832e53f144839533c07d31a09087156e87e7626d7b23f8010842de9c1ac

C:\Users\Admin\AppData\Local\Temp\eEsq.exe

MD5 64e2eca23d0619546d065c286aa49e20
SHA1 c3f7d7685a23fe27ecf52932afc9cf2284e39626
SHA256 f1f442850608be3485baa07ea9d889d45e11b1c055c7d326817776ab8ae9bab1
SHA512 d3f76f5fe449b6bf3a4dc2bff605d4970e65251bb99408d3ea5d9b866b7f7d6e0d11230d4e84afb4859dbf4393fd169da1fb3ac9eab099ae78f5d9d14e2f8d38

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\192.png.exe

MD5 ce8bf4064bc04b1230fc6d09df8a822d
SHA1 fb7b18333d4e15a9d2743bd3cabfe508f333ecbb
SHA256 a19067cf4327d04325e6d2e8daf401cae818f2dd6347e51e5db33d839e7b3377
SHA512 5c675457499b6f5a1af8d24dad684d2b11fdfeadf88a0ad446c7b5496f3ba4669436692b0e5c39a43bf81ca76faabb28bd2aa0a1b91978338ccda81b287d2ea8

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\256.png.exe

MD5 604b3622b1cd255c38719dcc8b9216d7
SHA1 f9814ed1ccf1a3b7a993a48db9095a49bf1c3cd9
SHA256 0b6536f5c9689e7e5df0891186d805c0ce0ac22e6bedf3754ae7dde0c67c7be6
SHA512 289d7a90bbdcf064a8bd32c9062039c74b5337903be5815992a0f89066e8d612e6c01caf7c8887ec8e24b368e78ef8d6e9bc08c68dfc4f273b65a8fc1089e706

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\48.png.exe

MD5 0b7064043980c13b7a3d8b122d91afbf
SHA1 e88da15f47c5a1211aa3017ec2a1994159659fbe
SHA256 68b6fcc3e06af5ee2ed6c3975d16c12a08de48c5c732e0b2f9ec33552ba36628
SHA512 dd8b146fa3cfef21ab8a37fc40fb30bb67d1e373e75a672fda223a7692c36dcb2cd9a17d359894df5616b788f9ba00918a33b167f81ae7f6df199ab12e0a234e

C:\Users\Admin\AppData\Local\Temp\RUcs.exe

MD5 a6c4aa244627c97275da5c05d424dbd5
SHA1 4ad20a92509e66072c1315e870ca0f7a72f4e8a8
SHA256 78838e05938bd249eae32e8e0c1e5b1a020774fa4eaf0b2ca1a6041261df33e2
SHA512 5c4e3bafd23b4bc7d4c91b21bb18a5783ce7c4dd575d77e9eb7bf192d8aa5be609f6b0d9443b75c2119f15a0e2b8865ac04cf60d301de371f8182a3163042a10

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\96.png.exe

MD5 3e708b6d1cc6b2af7e5a7b0048b6155c
SHA1 c146103a330934a141469c83afc028837e012951
SHA256 a1e7b0323e8a14e146c2d34d1a03547579393787330ef35a9098c0a49f6b5adc
SHA512 ddba7618388295e05b39eb3363826b57a9d3e5a163f433adedbaa7475df63ff53a941a14e38cd71071962133fa57e43abdfce4129e1065cdbd67ed576774a1ad

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\128.png.exe

MD5 2b24023c443286858a572646904f7a73
SHA1 18f4afe710e8bf914dd8918f19be2bf67a462a93
SHA256 86e28e9eaba2bd401a7fc12ddc3018b59060733574d9b2ed2cc4ecea3727928d
SHA512 a22959a7c2f88626dea43d89e4b7181ea5ffe21a03aa80898aab83b9a59b48203ad315f37a712d29274b6aa7521ce12238c8442231ecea15164eb5b72b0c4955

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\256.png.exe

MD5 3abeeb46a6f471066d21652c74dabde6
SHA1 4ac6f4ca7191ed8b1da65f5e33127180855d671f
SHA256 34067376cc1a4f9620c61cfc947af873fd0ea53a3c7e7b6207f538732cff8e7e
SHA512 a950d3dddcf2701fed33a79dac0cd1f5c61c491a7b30e942c30ce14d5666977f99ad70d537656beb2c831dd012ba32c87839bf5aa080f8e0dc387e8a67e25fdf

C:\Users\Admin\AppData\Local\Temp\KkUm.exe

MD5 c335567962f7048c55dd0a95df5f43da
SHA1 24de26c3f9a9529babbadcfe1912270e287f2d70
SHA256 f81676db02bfa756e1fd24fa1cf831125ad6fa41ba823aaf501d3d95e807bcd1
SHA512 0d5254beaa0fd242e07322ed4641f9a640b5a06893975eea52bf4dd378d2d7a6de356064f8e3a561ef9eb8379ac51b4617f1506537e5c45634ad025a8180b561

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\128.png.exe

MD5 77a2485ac15f1d946caf91f7ca4f2632
SHA1 1ec2b5728eaef04837d811b3b184386723438371
SHA256 0a4136d2d8d50f0f6e91a3dd9e551aa9d3b290ccf8fc13590f25374661195082
SHA512 76967cb062dcaa6e47779f0736622837c44400a42ab76a134db5c2cde32703af7da6f5ac828022bfcebb9517f082124b7780f4500f44e1ec2e8ab2af0e4c6e13

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\192.png.exe

MD5 aa12a5e78c891b37f7c19123b256cfca
SHA1 02c5f40959ba798bb11d6c85f2b872dfde78a2a0
SHA256 978b5274b5ffbf11bc13a03395439dc5f443686c0da90eb1abae15e6f620a229
SHA512 974c36ce299135321a109b6b3fa79247edb8539797528b314faa9be4a7e11c634d744e4f3731fcdfa2b8594e3923f8446aaf56970629ee56444f05e8df420ddb

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\256.png.exe

MD5 1aeabaf514896afb2cd2ea94b587a7e3
SHA1 f63a3df716238fd08f9676f43bd2048c41e84577
SHA256 36ed73be008550cdc53bea3982b00c6bb105bcf3c625dcfa7175a0e3e802e2e2
SHA512 49d8ea9c7c7422b463d059ef9efe6c8dce0a4cc010bfcca010df2e8acc7ba52b4a597715ec93200332cb1b822a5b3be14cd839a1852241297c3dce32db28c6d8

C:\Users\Admin\AppData\Local\Temp\RksM.exe

MD5 32e88ce5ce6810a2997b5cd831a757e8
SHA1 c928eae3fa1d9ca5769e8faf5b03b69ff108f0ab
SHA256 5ec104e75fb4e2a6ce0f498f80062979be109187f692f3559f8b4a58df92f54d
SHA512 639f6ad3ca15aac75555192f495f998b2c6461ef2d43684b28d2303bccaf71eef2e15ed4b2014582523bbae0f7556826351f8cdd729119029b0491ccf6b8a8dd

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\48.png.exe

MD5 4c13f47d59b9f109557f59a0364909e7
SHA1 1356a44c319431e091fdd7c7252a4efd628d4aef
SHA256 5cf603e17ef3127a205923c2308cd6819f924b235a84916e3918ac3a19694eb0
SHA512 869ad9da617908a1cc1b2edf804dc1164a5acb4bee643bf61787daf8db3a75168eed026a39cf84f96ccf232573b9727e13588ecd99662d46c4584a772736614a

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\64.png.exe

MD5 32d47c8cec557a1a4704c76ddfc9cddb
SHA1 747074874d27b5d18a15606b3d23348924e6d17f
SHA256 c5c88f53af78de878524952c5f80618b1475347623f0705b0939886e6f79bdcf
SHA512 aedd4b7e1f5b73b6443b47ad7bd9186699f87db08f6ad8a1d7901149bb7e57fcae2efc8590aed1c345d7ad7b7409a0c96ba94ac32f9a37523e733d6ecf2a4250

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\96.png.exe

MD5 3b7719484e0098a320ad84a59bef74a0
SHA1 95c1025d75eb7b3eaf8f5e4fcfd8826e0aa55bbe
SHA256 a265cf860e0efe7306cf9d1fac06fdecc5374c1b68685fbe7a370c8b29a29f3a
SHA512 0aca0fe34f007c5f3f4554f1fdc570c8d2d0238d2ba92b540105471c8b5821f773273ba4cf38fc68ce68ad896e9e3a225fa06264ff4e375d6bd1b95228ec1d3f

C:\Users\Admin\AppData\Local\Temp\FQMw.exe

MD5 4ab6a3271f8a813ffa40c0efbb857936
SHA1 b6a5ab626a1cf4990cac703fd8f9664510c510e5
SHA256 16e35b1adb27a282ab8f4d3aa8a5e5cd69227d737f910afeaccbda7a0f109146
SHA512 aa92430d975253159c8b200a8e945586092abab93d6822ec6aca9ccbf248f69cb4acea8eeb3a1f8f88ee76a6b2c00fa642049cafe937cd3a9e9bd50c56988cb2

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\256.png.exe

MD5 5157c1d4c32d18867444924ede166c3d
SHA1 ced419b561a8e74cfacdfd03233bb313676123e5
SHA256 7f675e9c1f148141fba45279583faf0174af1152a27aa8830e7fcd11d29e5dce
SHA512 0e15fdb27d0b331de57716bfdd8acff107f2fe073b9f9adf9f8cd8b91949600fef4701655135bf79635e0f246ec413e03aecdd6e073c2c39e7c2769bc3348c5c

C:\Users\Admin\AppData\Local\Temp\EMUQ.exe

MD5 eea9bae180e33fd0be834d29ec40d598
SHA1 562e2a2b1026414e66d964b92864521d1b5df281
SHA256 637a04acea371750624c1bcf72ad9df38304dcfd644cf8641b6d716eb5b21b6b
SHA512 fd6f201cfb37f9f80e925b0266eb92a092b5b963cf04013dc274980261ccaaa8fddffe4f2cecffb84a47afadc4a76c3dd2fc24b1eba9afaf365eeba6228ce35b

C:\Users\Admin\AppData\Local\Temp\ZUgk.exe

MD5 d2d60c9574e0cd7d3317f93c45dd9d5e
SHA1 55edba794d0009d70d66681ea6ab664b6586b23e
SHA256 1a5d32aeadb9b6cf749e272b7995dbb3b65e060969e8f14e5e89946d8b559ab6
SHA512 8caa42e7b4f2622dd24e8747cfa0efe53f5a1a312e1d200fdaf80ad74ec3d62dc26a23ff9db157df88973c6df620afeeba513385f15b8bbda37abd66f5ff0841

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.73.6_0\128.png.exe

MD5 d9030407e868934863b81d5ab413cf40
SHA1 d6fbbd24afc6e8bf1f474e543a940306cdcc5dda
SHA256 611bf990d38d31eccfeae8ef50450dcc0893702030e93b2e8a15c09641b703ba
SHA512 68dda15954c164153b25da57d43e040e514612e402d2cee9f0ff2e7b595cb092b21f106db05c0a8a32951826fa9411879f24a7844d1e6288198365a7d8c4853a

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppBlue.png.exe

MD5 49bec4c833ba184e4ccb52a55db71955
SHA1 2995833b5be0ac3887743dab5400e62efb252632
SHA256 e7f33d819d17c2ae2d0bea3c4009a002cfc33cba9eb7e13c4484cc90d73bb39e
SHA512 e1da631c55d987f7769f85fc3dc74327d7f6e3eb42973b547fd326b2ec22db7af70a378c2f4e7aa26909f2247c3f6538a3a39a2a13eeed50e9cb9471dfb9404e

C:\Users\Admin\AppData\Local\Temp\bssg.exe

MD5 8a9c07ac097ef3324cad3606da9ca196
SHA1 e82d95bed06ef6035a2876f4641aecdbfc668514
SHA256 5ec61f062560e39c8aa2585a13bd658218b9ab5b90f628941aa48a6f0a868f37
SHA512 7c01ffc5c39da37dd9f1e5b70c2547a84bf1be9e80daea74a6c4d136305f6d3d3c0e43a43e6757ce4ecfea65ba387782fd582671399256c95d5c3be64005127f

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppErrorWhite.png.exe

MD5 f5e6f77587e4625f43dcdef1588fcf35
SHA1 15f41165e3da257b9266f8fc6741d6da23eaa2dd
SHA256 39026f9ff77951bf9367e9319b77bca57c1d8e8b9755f5fcf9c43c2966130f55
SHA512 96d7e342d505dcce85854ff64946923bf2cdaea876d3c664461d6a74675adf0c74c2908fa4cab6f5fb947fda6f3dadc09d4ad6cebbbe130d4bab7a00f8814b71

C:\Users\Admin\AppData\Local\Temp\EsgO.exe

MD5 cbba4e46c8da10be246d2d957f2fd401
SHA1 7fdbcbad90c375091481b4b4d943d0420d248ff6
SHA256 8fde863458451baade5d39d5eac26486085e4e3003db6d8308758e390edae31b
SHA512 3f9dd80ffea8320194e9793297827d8b4072e04cb07872c2ebcede0191638e557d8aa1b0995e40f2a0eed47d7c30889543e212ee9529e31020b12791245912e3

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AutoPlayOptIn.gif.exe

MD5 827bfb2d051eff0c5a03a90355a3ef89
SHA1 09be7de245aa9026f474a4ecb01e755a8a1fd336
SHA256 4955d0331eec8cac4b800fe53d4809ac3b72950dedc255bb26500ddae2b123ff
SHA512 c791af4f87dfca3ae2f512273fa60c7150c0fd5a4316daeb799cc237630116ac137da5be8258b2d7a0fa0364dca5c9171942db3d587202f5dbf45e97c638de48

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AutoPlayOptIn.png.exe

MD5 dd121ee0c19e0fa44368ac66569b6621
SHA1 20e38b0fee8472855ff7326bf8b28d99917120b7
SHA256 ef2468ccbf76250993224224a9e1fd91cf3bdc5d536039213eb46906bbe26d53
SHA512 fbe390bb1a53df60219eb540beb82876669a1a824349d135accf9083f1ba06be1b2c18174942da04b09ff0e4902f1b4a8b2e341406ca3cdd048099d0971ac5ce

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ElevatedAppBlue.png.exe

MD5 42830389ffeef314d5df1f7f2fc8f5d8
SHA1 d52718edc4797b237feca738d0f4bc889d7075c0
SHA256 b27084e4f36456d66ea3de0ae67041ecd24c860f3e9570498dce222aa4b44886
SHA512 1a62ebefb1f73e9c0f009eaa8db2d456f140d6db0cd7a4155f7d2ea9d40c15fe74108d9d6b2064231f3d12061b0986dd3a427cc71ded985750f90a06fb1a5d23

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ElevatedAppWhite.png.exe

MD5 63a8c540022655c7dfb4f7809a880d09
SHA1 dd44294f56f9530a70bf95e7a86541c58f1bb8ce
SHA256 de3a07c1e2b2dd670a5b53e9ff6a1fc60814067e2cafea3304b27cdf69820507
SHA512 ac71907c7c0c5c2616d4a0e444c6af9a4f2a5718b9ff705a509ed17cc6365b3283d23cd6a5139c57ceaf9060e496a9bc8f75f773cdc2d81443cf36529ef48f20

C:\Users\Admin\AppData\Local\Temp\gAck.exe

MD5 9b43205ef38ae6043afd25db0d4b702f
SHA1 bdc0fcd19b65d34d7087106cc4dff519c0b4cda7
SHA256 1bddcf89c240a30c658c7cc9b7339f8b8945b831fe2b610c17e2f0d11b540972
SHA512 31f2863fba150a040b456540db55febd2e1d4b03105140ad036a3dcef14d28cf2f94fb6f83379ff6d49956225490b02c663486599e47f75c06e855024e9a103a

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMHeroToast.png.exe

MD5 a34f5c277dc46a1f57a036571b278011
SHA1 a97bdd57d2df3c80e44443fe6c7861951a9cec67
SHA256 28fe5057db671dfd8c67fea6f3ff18aab0695c22594b6f9131f5cadd59b1b491
SHA512 f675fffa9e3b3749662dc0bd2b8ca1880d923b418f2701673d97617e148465f47b7eae5b7f6939516116c95101cd8d403df1a662c37f49508cf719189ec80b2e

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMLockedFileToast.png.exe

MD5 4820334ab847bc2686f1eb89c601853d
SHA1 a4dc5f801af7c4c03343126922da5542f346af37
SHA256 0982c1d51cface51ba9db09de5a3064b0950db1e7d9a9149c7d413b82a758a64
SHA512 ab673685000e268e0a591bbbf69ddbcf5fa4b87b2419655266f7544e62c4068970c67ea763a98e3d8c960c618c8d3706a7f3d2af2ea5354545739fd30c7001f0

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMScanExclusionToast.png.exe

MD5 406cdbb37a614df254b9798d84f703c5
SHA1 86846dbde5007687f980e69c8472e056e6c6f2af
SHA256 6da908b7c6be2a68958466d37f9a8110b8221b76b971e46015bc6ab2262a3e1f
SHA512 d2584d41cceec3b663739bd0e6acfa937a07119ea268d2a4bcd9b6ada4bf769d46ba7a42513b4026efabf82a6f60c74dd5fad43b6114141b332d4f34e44b965c

C:\Users\Admin\AppData\Local\Temp\MQIG.exe

MD5 310ddf197ee30e8691fef9a7cd1ae507
SHA1 e6a07cdcd3107c967d3568343789ca38b951c9b3
SHA256 885d2fd1633cc48c69d61ba5cf99ae0646bef8644426546d00e0ee401f2f9403
SHA512 19f85030d4319299f62dbff01187e2cc2b47ae75c1528d407dd7b9755b85dfd983f7eff546c3c68580393021e6aa2e706ab743f4b95fe74f961b947bb1bd81e5

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaCritical.png.exe

MD5 c3b10471cd3bb8295a505384affae873
SHA1 eaee76b45dad9507e572b54229fbd246a90f22b3
SHA256 d3bfb74001d979c39427b4d9d5ab73a54f8f031259ade7cbe171270dce05d008
SHA512 269b46217eac6d08b8b2a94b18e344fc166a1db68071eb64f264047409c4fd12a8c4677b73344b5b43eac17176e1963e095a2ae015f84feba9565bdc8d4e4888

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaError.png.exe

MD5 7d01f22324a93a69f3efe29afca12370
SHA1 10d6dee729b53bbfe2477652396d714f1c604552
SHA256 f7b3e90e15c4e48efe6f4119769578711876afcae291667937f18664b2337dcf
SHA512 def79db8885f147122f45ec28e8bfbfd3aa280bc104a3d6b28170370a516d34e5ba3adf326be1f79a39c736c91bdf190b156aa9aa7c7a4df0f95bf093f0a01c9

C:\Users\Admin\AppData\Local\Temp\KEEs.exe

MD5 878dff713e56c251642432bd443566fc
SHA1 d97317c503db9db1ed1014620c0c0be2e3102c2d
SHA256 bd13ecbb550cdd5582ed0cb1a98c4522d37a311ba6d01a8d96f094cfada57cd0
SHA512 d3a489fd592de4af9fdd80f181e15a36a320d620ecf84e58470e8e765f8d362add287b5a87ea4ee0d9f3b45f8e2c4ec3efcbc24646e33dc6b270fdd5066857d6

C:\Users\Admin\AppData\Local\Temp\Gcsa.exe

MD5 b571fd4387850ed6cade94617d9e5f9c
SHA1 56f01822ab65fbaa127a0bc4a8f07e41dbabb6f6
SHA256 5abb58665b0b68795322109b407a761447044aa86f2367ddbf89a0d139f7ea84
SHA512 d4b8fda52b4f9db28f1c00d5c7935f405b39a34f8d0ef77020ad1f88a699efb0b998453f6a9f8b4395a4559ad5b6d4071738802a1acc407c531c142fab876404

C:\Users\Admin\AppData\Local\Temp\ysoQ.exe

MD5 1e865c7fd66e45b32f46fc2d59b3f381
SHA1 28001184d03198d102e995205f5c88076a23e7e7
SHA256 31c936df6f040575ac64d00dd9ea2e2c5a45e5433cb43018956a13cf448780fa
SHA512 0de40ee0f491255b1230a050fab9f03820d7bf192c0f5b0c1f5269c8bb015c5deb6e47ef8821d488456c02d1812a9586ce04a60eada3579e978a254add875402

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-400.png.exe

MD5 876d015be53d0f927d17627c6212e883
SHA1 5fc443fdc2b7bdd2d8559dbb17e58dee7b57adfe
SHA256 f0326849db5d1ea94308541fc4760a05cf9e1b5be5b32d08c0c47b0c6db73c38
SHA512 a3a0867b69e0552f5b645fb0ec90287ec66f816adae36a11c48c74080f82d2827be490ad20de92c00ab46c25e3e75e30171d8f29aef3f23258b49463abc27354

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-400.png.exe

MD5 a32f92db3caf1a4699dbb3fd5748ec52
SHA1 e3331f29c4060cbc2302135f45ba16f9600869d8
SHA256 f00edbe8e6bb17649459f9be3e4c094a437460b6416e53a5aa71546eea4528ec
SHA512 28dbbb5ddf94164a1acb7f799ec82de7c19764cdf010df0b5a69a467f0d074a3e2d36bb3f075db974243a7f094e0f0799f0861d61777329403565e4934cf2a90

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-400.png.exe

MD5 e1604f681d96c86eb2b00a0ce60b8fa8
SHA1 31bb2e6735409f8214b70c464bcb317aacab6e57
SHA256 2db88579d555587f2c8fb6500ed9ede1060a17c8a1ea12d437b2d9c92af94f4f
SHA512 1fcbe99926239708748e21226bcbe38a181f3f04bfc25461c013b1928bfd6658c770e273e7344126db736c7cb2c3497fcc80b7e57da368cb76e9dfaa2c17cbcf

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-400.png.exe

MD5 0d2362760b94a57aef08b6eff55181eb
SHA1 d029f05027a2a9cae1b4b90fa47741ab27feb868
SHA256 dae905c45f1710ed646448fbf0008bf6063d71963b04bd0b81d4a7c33f007928
SHA512 f051e9f893a8ca5d57777813270a9dbdd06c8cd6471f547de86a34c365f2a18c399b97bb62aa76e4da3ebb86e558a4d9bbca3d6f6fa5c93acb70a39e94dd3dc1

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-400.png.exe

MD5 f48801dbf97b5ad18ae4dfabc087e754
SHA1 715e64788238690f52e121f4a75ab7298d7b38a1
SHA256 6c6a557311d1ab7f742370c663c6e3c05c15aa76a33efcfc2f71270e0ffaa3dc
SHA512 1e3c1025cb378e047d23e610a985c5c3fa0fe1eb32e788c5a6f6310641f51b11b975fbf773062a4e7ea51f49b7b25e6244cb90687c8f3e8599684faa58bf4131

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-400.png.exe

MD5 5fcf4452410743137d6d5a79e4c50d39
SHA1 fed039d49ef537d20f8cffa9703c090ef1078263
SHA256 26f87fef5dae79ea4634f4c7d9599b607a47310435a8dff55717dbeeac69adee
SHA512 025e9e931b857f2be9038d3a6622c959deece20475cf87e704e472025b5b6399c2120a1903250edd007bf0b0c5d81f27d71f7bec285921d0315597492fe7042f

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe

MD5 e6fd8517088791b27a2811d1d861aa50
SHA1 7a2d920cf71a6439e27e142064d34bb17e89a49f
SHA256 2e135994be0392dfceae4416a4b596799a5e8c2da77b3a1103c02aac51bb5ac7
SHA512 5311e4154fabfb8958f5c759cf217b3120e9140788f567f2da472a2efb2c51ffd475c4839b8116cade5beaee66a9b44746fa5aca7a6539c3f62a06c074bf7fa8

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\26310719480\squaretile.png.exe

MD5 0f64922c6e46ad38cf45313b78e768da
SHA1 5100213ffb61fb87938e7e69d77e65ee89bdc871
SHA256 97a93200bc0e07da7996951945a17b703c02d0258342506c785a4cda533b49e1
SHA512 e23ed25ce4c611b9807039092b6d09f665285fb3811d7b6a7063185b399aeee95bf6d4fcafcf10d83612a3642745623d09a6066a8425f6bf0cf43afc202875d2

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\26310719480\tinytile.png.exe

MD5 6cd0259291e6c5bd78c8c4856732f0b0
SHA1 f7239af25acfec4561de2e3dc274a9eee58ddaf7
SHA256 738d26ffc85fe9f33ba2acdbb7be434aa165a1414919b2a2206f317f679ff9da
SHA512 6801c965585a93e269ed553bece5a02c4ccb135dcd18cdb5928ce0fd73462001e550de92de5de681fc3c55e73903c6d496654d40b5ff31d5911a585b698cdd5e

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\38975140460\squaretile.png.exe

MD5 17441471c81209527fffbc1be09ca00a
SHA1 ed1da8cb8847f55cbe930cebab47bb48680c2a46
SHA256 5fc535e7be97c25b882b6d128b540d1d9b884d1777bcf2b5fb3c99665b4e3755
SHA512 7a41ead6749f5773f6b3afeb68b13ac849a1934a617aacccb5535d796feb2b3da9734e8be406e2f1848bbee61d9350f27ff4e7f27d34167eda87557cf26b818c

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\38975140460\tinytile.png.exe

MD5 d770554b183f4ceca6e57af164fe49d6
SHA1 cef88a412f0f1748dc4bde2ff05d68b12d016f53
SHA256 b9851fb9b7dc7032580aef1746358c4d5bf1ae462d3040cb99302e97a8e99941
SHA512 9d44b6e5ccc9f1b634701a79ea50ac833b9deeb9b196a2b72a8d66ddae5538296a176d574eb70d4ed092f0ffed66b188fc8a9d7c0a4dcbc5ba7ae4a7effc9344

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\6501008900\squaretile.png.exe

MD5 a7446da4dc71c9b6f21008df9018de87
SHA1 f1936116be650cdf2a8b1075791cb8222403ce8b
SHA256 d6cd6ac4df62eacebedbaa0c6a4f696de77ca6e0a17feacf1611b9c95d656e49
SHA512 f29c2782d94f7dcc1ef2e9237baa23dba3bbb2b172f73826699f743279b045f1954b8150b8fa6c9e63cdbb0fe1a34844fe4b7da73094adef25f94dfb431485fe

C:\Users\Admin\AppData\Local\Temp\bQoW.exe

MD5 fb4fbc2ad4c2f1e5c14c59e4be7413a9
SHA1 ecc5f3bee79c9fa914e64cbbe316fca88ff10f1a
SHA256 05ec6562ca654bf6561580512a22a5837ab698e34ed17b51227dbb7c6ab1007a
SHA512 9abbe41e18c466bde40cb9967684cd010b154d77d25dbaaf5e8027a6c49b4a071bead0978b8b63c20ad8ed494a52527447080efd6fb6439f5de951ae908cd553

C:\Users\Admin\AppData\Roaming\CopySelect.jpg.exe

MD5 ebbcbd4f21b4b4a4228fe38c999efedd
SHA1 152614254af7b2432759a14dcdbd8641cb08bd4a
SHA256 00bbccac0967cbf27992d0910ed623bef67c88ab789461c2eea4ff164cdd77e1
SHA512 6fb119ccd71f2c67b879aaab065c05ccd8eb262eba382a1c662218bcbb32d076fcfdb19793d803f6139d0a94f7c32214b9f0523c7e2c2a9f93a805581bb807f0

C:\Users\Admin\AppData\Local\Temp\yYsA.exe

MD5 51ad778dfc739a7fe8fe0cddc7aba901
SHA1 9a2079f493598cc59a1db355e668599672068318
SHA256 ac83f77aa5b551451065daa0121ae8798a5398c1e65cf04813241e377f53c2fa
SHA512 d81e3668057edfeb6c0b8ef346865659c9a77561468631dbcae0b9defa7a01a24e45ce047b609c927b984687d6cc146fd1a9a2d78da50fe2904cd4a6d7dbf42b

C:\Users\Admin\AppData\Local\Temp\tkso.exe

MD5 08914bb37ba18e122dcdeaf0253a7207
SHA1 e0e8058ee981fe3c717cb9dea8f81847d46fe0cd
SHA256 361020f86c2de8c9e4e686dfab08f4d58765818ae2f6fc9591834452fa29fb93
SHA512 eb5dd2ca1b9200bfa81ab18ffdf5f12f51ce9eb42dedf18ddeb56316768e24561789a1879143d489b6a2e097ca26ed5601d9ec8b1abf71d936b6cbdef545e440

C:\Users\Admin\AppData\Roaming\OptimizeDismount.doc.exe

MD5 0af3089156b7b0cd9dd3f92548fa7594
SHA1 3aa2ed3a92cf3aea9e1cf8a139fd2ba5fe41786a
SHA256 fa47caab49ecc927e842e9a353d98666c29b91fadf7185be31ff06e765f623ce
SHA512 ebca5afbbb125e8c5220971e7485064942e0ae48300110b3ec9fb388be352ce16d22ab68b3957749de1c05c507e4135429657ddf86431bb3c7d3b39648694419

C:\Users\Admin\AppData\Local\Temp\EEMm.exe

MD5 9ab1b16fd25af949dcf36423741e2f69
SHA1 b4f4ee7c015dcfeddd37b59fbc4dc91d5c9d8099
SHA256 16b3ebf799d27a92a29b3b2a5e16cd91458b31fccca0c49abc7231ed0e4ebd8d
SHA512 1a43bcb1b7ec7881d774d325e306e4f5c84c106ce95e748b6e6aaaff58722f845ec09ea89a59c3aee23eb2b33682b1aafc94143f3fad43cda2aefcffb93027cb

C:\Users\Admin\AppData\Local\Temp\BcIa.exe

MD5 7518565a8b54d64b134c3ebf99137ae4
SHA1 e71531964a9d4f6cbe892b7f59d7e846f619e222
SHA256 47bf02c14be1f07c2a1c1b7d2cd2936686b14b95a20f0271a659a7d842512f4d
SHA512 42570d79be5e9b04a895e97af71eeb6816096e6515aa2a1e07a06ab43464a290848dc1e90aaca3c1fd84f772f033340a513e50ef43d76b518ea572042df89859

C:\Users\Admin\AppData\Local\Temp\MEQe.exe

MD5 976bd1052fc1aed2abeab3a7301e7b56
SHA1 5fca09a299e6d3c633d06c81eefc795ef08ec62f
SHA256 7a7b4ec5ec2cdccefe43653518b94d3c6b74b30e6a936c1e622f2aaaf8c3c590
SHA512 16274c742562283241449d871acd0a20e09a5c4e57d7b113e09d7c65216659d8f02a08fb2cd91595bfc8595fa853f5679916a0cc7ac3f4c8afff8b5cda42a4ad

C:\Users\Admin\Documents\ConvertToSave.pdf.exe

MD5 886bff39f430e76ebb26fe3b7a8ca0b1
SHA1 6480cb83b940409646d5bf39d1521c92afa17b46
SHA256 f2041e207bd1708c3ed2a927f69ed2373f26b0821778fb63daf4e38ed2d5bf64
SHA512 2ab97addc38deeb8c24271172305266e0f08954ee890832c37ac47fe4a5552177fb73dd2e7c5bc3e466a45cb2eff1da5f8feaeb8c87a6b85ab88efe36aa72f9c

C:\Users\Admin\AppData\Local\Temp\hAwS.exe

MD5 670e288254f2c44d40c6805cd59b3ecf
SHA1 67f801618f9c3bfc9d480684fdd133a818650ce1
SHA256 60c21306a2a1b4f8f269d415a8bfe6614faa775246755139efa5038a3779f77e
SHA512 c4b99481d01821c4a144768188619f045c5867f855058259993b47a5bbda0f7fe259d9cae7be89f52e301c9e96e4c1e77930a0f9e314ffd041ffb212b3d5738c

C:\Users\Admin\AppData\Local\Temp\lgYA.exe

MD5 3d6c63b2868c85c2305deff2c12b073b
SHA1 55b6e9ce7c7ff887a5543686bfb11c212123d2bd
SHA256 8d1b42f4e4615f8eed7f0bbb08de9585381f2fa6a26315e9c44c506c49d2329a
SHA512 57132d9147d71b41588f87582ea867afdabe976eacd52f34edb8af82a0fa6bf8349c750296f6af8999521f4a791ad7cabc80879c301857d3ecfcc02bf4b97629

C:\Users\Admin\AppData\Local\Temp\Dwws.ico

MD5 7ebb1c3b3f5ee39434e36aeb4c07ee8b
SHA1 7b4e7562e3a12b37862e0d5ecf94581ec130658f
SHA256 be3e79875f3e84bab8ed51f6028b198f5e8472c60dcedf757af2e1bdf2aa5742
SHA512 2f69ae3d746a4ae770c5dd1722fba7c3f88a799cc005dd86990fd1b2238896ac2f5c06e02bd23304c31e54309183c2a7cb5cbab4b51890ab1cefee5d13556af6

C:\Users\Admin\AppData\Local\Temp\iEUk.exe

MD5 cb4d78f4f5b7830e344d396d639cdf92
SHA1 ed753040cacb99f4d55927938b9a7b7090d1165d
SHA256 7d2bd92ae34479afe454d2a3f67f1814aa7049ac010251f53dcefaaec9a979bb
SHA512 d93bc63ede138cb82b6b605d9a48c132678bf987be11034214e44a288c240cc872014d69183a333d15c8e533cc5ac01504f2e58044afc74416d8303c0c631d81

C:\Users\Admin\AppData\Local\Temp\kUYa.exe

MD5 f83e721bfe7b1334edb3769d37729822
SHA1 789f8bf3ef985c0a7456c6aca9999d372bd09517
SHA256 3e2b405dbb738bbe940adbb983ba5f798ea0fbf0e50ceaa796409fa692640a23
SHA512 5a729d46a07df109d5238dc9850088446bbd192d2aa585e5d83a82b4be446e3ff13b360530d989eb9bcd6c565574027b1aa51c192fa8de2208cf0a0c482f2c52

C:\Users\Admin\AppData\Local\Temp\Cwoo.ico

MD5 383646cca62e4fe9e6ab638e6dea9b9e
SHA1 b91b3cbb9bcf486bb7dc28dc89301464659bb95b
SHA256 9a233711400b52fc399d16bb7e3937772c44d7841a24a685467e19dfa57769d5
SHA512 03b41da2751fdefdf8eaced0bbb752b320ecbc5a6dbf69b9429f92031459390fe6d6dc4665eebe3ee36f9c448a4f582ac488571a21acc6bba82436d292f36ac5

C:\Users\Admin\AppData\Local\Temp\jsom.exe

MD5 3636684c5948c730ec1a61c888689bc9
SHA1 6e49c8f794f8bb062cc136ad6ed35b5c95c2bab4
SHA256 c7a0097015324f5f6e57eaf7d32b4aac371d93167173f2c17983c883fc2faa83
SHA512 76fe563a98dd07d93f4c99e3aed1e50450aefeca917a17582027f65eed34f8183def4afba79b3878d5539481f57a88bd358fa1c8fadf8310c9e2d8eaf623b33a

C:\Users\Admin\AppData\Local\Temp\jAIc.ico

MD5 f31b7f660ecbc5e170657187cedd7942
SHA1 42f5efe966968c2b1f92fadd7c85863956014fb4
SHA256 684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6
SHA512 62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

C:\Users\Admin\AppData\Local\Temp\YYQq.exe

MD5 d84ee564487bbfc8be1ce04ddc73937e
SHA1 5b04b4fe97496ebbd7df40759390bed33a4edef3
SHA256 9e2c97bad77f453184662c3a45ab8be668fa53dc8f5e57252c401c6fde450825
SHA512 b2b8e9f88587f4c3880eb4f84cd7c01dd279dcb9bfe46d2f2c0425af3c8ccc64fe3f0f38ef2295ad9ca4d94a0710ac5a8fdffd10ce591a261aed302a76ae5dff

C:\Users\Admin\AppData\Local\Temp\KcQA.exe

MD5 2337c642532f4ac75bef543f08adc9f4
SHA1 fe8815ea7d37f710aed0e5b2a8dc524eb157d54e
SHA256 b2266c5ff9e6013970c309533e510e6dddae5a410ea166d8622dac58f8e047e2
SHA512 1f05e4e2e492434067fc94cad12de5c0957435ede1333f9e98de59e469b405a701896faeb6de3ca4559a46e77ee6c13ae6f85dd26838072f625c07a11006fc37

C:\Users\Admin\AppData\Local\Temp\IkkY.ico

MD5 6edd371bd7a23ec01c6a00d53f8723d1
SHA1 7b649ce267a19686d2d07a6c3ee2ca852a549ee6
SHA256 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7
SHA512 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

C:\Users\Admin\AppData\Local\Temp\xggi.exe

MD5 7feff0170d3cbfa3782ddfb2476de967
SHA1 636df1adecf691eded5b5f920507ec4653f00c43
SHA256 67b357dc0e1c3f7f7b4a6d0db43d3e8cf1df4f0d58def025481747d0977a82fc
SHA512 906c657fac536a5d33b226d2b60aaf9832e0079fad07e6e51350fb98c65a45bc4a79c342f51a747c3150a5e10326619e7742531b4da131106e8bef2d1dda41ac

C:\Users\Admin\AppData\Local\Temp\HoMc.exe

MD5 1da2e093c300beacafe53c4abf905fcf
SHA1 e237a8a9b9adc28593008877ed3baf04652cba47
SHA256 4e9143381561c18c38c3ffb6d3efbff5da1f99f5d172f435d54a8c573787a418
SHA512 ea52df01ef9dfbac89347b78b08691d7ea4cd8ae78e7150dcbbac60df6df46398f65394f95663ff6f2a5eeb5e82a4953471b3d2dd7dd3fad18ba4a0ee0698da7

C:\Users\Admin\AppData\Local\Temp\AsUC.exe

MD5 da473fce734de91bc08ec30820f845a6
SHA1 2d24a71d4dda7dbb2f8c95cf5399484a633496e1
SHA256 b7c091978054abeb99f94938fc9d739023b43168204e3e3408c733d06e301dbd
SHA512 b1a725ff41fa29ca2de4b3c4bc54b6ab04d5e1a99324e82ef03037df5672dc3622d54644aecdd5914b68214861130088c538335eb0cd5dcafe3c961d47854fa6

C:\Users\Admin\AppData\Local\Temp\ncos.exe

MD5 20938c1fb82d32f9aa79e11eb9834cb1
SHA1 f43114096d5e0d6e3720a016db720ac02f99e72f
SHA256 80b7dbba07005ddc29441740bf15daf0a474f756b18cae1055def861317f997f
SHA512 d8813968a1e51e140935a144af2fbda7e6bebd262d86dca4881ad27a1a2537e112e41e353e1c8f6a78688018feac45d4445472f59d841439f252b05fd4187083

C:\Users\Admin\Pictures\ResetStop.bmp.exe

MD5 e7327cf5871dbce3d03c71cd027186f5
SHA1 f2485a4ac8331190c1682983f6cdc9b1d25717c0
SHA256 ef6fe019369b5b9c990b5629e2af3f1a3f8f80feac08d5db0cc03fb6013e3dd4
SHA512 1bbeb20e6400d7642d8478a661ae6f973415df5100a64b0c012afbbea3273c4178307d894e2143b2f6450110b8f09d4a91aaa1189bce9f77b99ca78f8cf838b0

C:\Users\Admin\AppData\Local\Temp\tcoI.exe

MD5 2886d3e9152aaaee547f426899c447d2
SHA1 3380be4c277b516034f49dd364b0f3acc188b24a
SHA256 66e890c00c1521e9255ec0f186285f835b1326d93ead6bca40f85cea42ad80ce
SHA512 9d73f6c1117a58701277aa38f802231ce468b4fb573d5803d3ba05559e79031ac688fc2e6c36d57168d1d4dd650e920f277e0e82b405ab3c8f82ebe3860a148a

C:\Users\Admin\AppData\Local\Temp\MwwW.exe

MD5 d06fcb5beabd9bc88e4f93c5d6652ce0
SHA1 18053f7015c933087e3f854787e75dedb729c484
SHA256 fe2a2b1e5d289b545cdbf64cb423d2e09544dd0e5896d0589edf23169749a811
SHA512 1611f5404663dc822f13d1a824e926aeaa1e86ecddf3669d5019a5a59f8b4113e83afa1eeffee2411ce9fc1910617fa0244c802dc79b547d7539bde12496d182

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe

MD5 c88a4b03743c07d757642eae9fe9b55c
SHA1 ed93701e9da336fda17675d3d2935092410b3627
SHA256 20486d030021f861bff073a4eab545c258532f1672bc9cc4e051485defaa9e62
SHA512 6567c6552c974386caa8be7329213ba4f3f0661bf55892321e6d34383a7a2408f6fa575a67798e7df623ca1a2b68896ae3ef4c6e33177cf8954e40d6e7cee2c0

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe

MD5 d8aaee350f688c36db75cb424fd823cd
SHA1 a555c4c56fbdbbd4522d31b13618ef6b2724abbf
SHA256 73c24bcc00f3fe1f6705d26e11ff0711f20bba2b1a5f617ea1fc8c685655b5f3
SHA512 b555b0f12175bf10a5611e07f8d36af27289fe474f621e69a5cd42749f39637dbc2f1201022097d663923e87730b94b7713c80c34f8f77e7371e67445fb18a56

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe

MD5 c10cd12772cc844609ebd7499174acc4
SHA1 18ee5ad0b056f23480f87c19027a2cfd29cb9310
SHA256 7ed4d3ca6298ed8ec0af07dcfcd506a42409583365a4d770cac060d9fecf2003
SHA512 a2f54fffbf7f2340bef9477e65d3417c18cc02d68e0e41b09c9eb067c38283bd231291d274b2f240555ef8649162ee390bec8a80feb7481104618723e824c7db

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe

MD5 07a1ea436cdb33adac6dff1442790773
SHA1 b56128b3886ab416f93a6834acba362d2ab9edd8
SHA256 73d1d610842c122faab5a91a9d849d415b7e66e3f508e52205d31b118e137814
SHA512 8b172785e0a5601ca2064a19843125f4da099ef23706cbdb54ad2840d64426b965e116747d95d074c4807a3f3efc760e0ef8b297486c4fbff783dfcb65d2e323

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe

MD5 c7ca783c7ae937bd879da3fb90b95b31
SHA1 80adec513d59924f5689032af793da24baf71619
SHA256 3ce2f971a8c7a30dbf1ea70c1916933dc48406695e77a5c2d19cd730cfc0a6b2
SHA512 46d849733d2e34bcd0645098d084c2152804b52c626d0c3d46deedc5eb69c4ccb1958852d871662277342cd91396fa54c23944e676d3a0f5075fca104880bd72