Analysis Overview
SHA256
418395efd269bc6534e02c92cb2c568631ada6e54bc55ade4e4a5986605ff786
Threat Level: Known bad
The file ViraLock.exe was found to be: Known bad.
Malicious Activity Summary
Modifies visibility of file extensions in Explorer
UAC bypass
Loads dropped DLL
Executes dropped EXE
Adds Run key to start application
Unsigned PE
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported
2024-04-06 21:33
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-06 21:33
Reported
2024-04-06 21:36
Platform
win7-20240221-en
Max time kernel
26s
Max time network
123s
Signatures
Modifies visibility of file extensions in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\fIwEgMMk\TUcIIAcg.exe | N/A |
| N/A | N/A | C:\ProgramData\GkEwEMwg\LeUkcQss.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ViraLock.exe | N/A |
| N/A | N/A | C:\Users\Admin\fIwEgMMk\TUcIIAcg.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LeUkcQss.exe = "C:\\ProgramData\\GkEwEMwg\\LeUkcQss.exe" | C:\Users\Admin\AppData\Local\Temp\ViraLock.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\TUcIIAcg.exe = "C:\\Users\\Admin\\fIwEgMMk\\TUcIIAcg.exe" | C:\Users\Admin\fIwEgMMk\TUcIIAcg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LeUkcQss.exe = "C:\\ProgramData\\GkEwEMwg\\LeUkcQss.exe" | C:\ProgramData\GkEwEMwg\LeUkcQss.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\TUcIIAcg.exe = "C:\\Users\\Admin\\fIwEgMMk\\TUcIIAcg.exe" | C:\Users\Admin\AppData\Local\Temp\ViraLock.exe | N/A |
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
"C:\Users\Admin\AppData\Local\Temp\ViraLock.exe"
C:\Users\Admin\fIwEgMMk\TUcIIAcg.exe
"C:\Users\Admin\fIwEgMMk\TUcIIAcg.exe"
C:\ProgramData\GkEwEMwg\LeUkcQss.exe
"C:\ProgramData\GkEwEMwg\LeUkcQss.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
C:\Users\Admin\AppData\Local\Temp\ViraLock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\fwQwkcgs.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\fmgcwkoU.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\XWUQwIsI.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\KGsUgYEc.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\VAskIgsU.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\NewkUgIc.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\fuEcYMEY.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\wmQsIcgg.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\HoUEMsgM.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\LakIsUcQ.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\OGoYYEMw.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\QSockgIE.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-492296468-520157240855047027-9227414-9851140481754915406-988628821-2026470237"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\JmQQgocY.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\eGMgUIoM.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
C:\Users\Admin\AppData\Local\Temp\ViraLock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\LAoAUoUI.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "5156173961738984691594139561874395555-10992268924711553277771926311768202548"
C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
C:\Users\Admin\AppData\Local\Temp\ViraLock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\iUIUMoME.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1569121346651224441582234913-1685112369114609692153656802116765284512024842599"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
C:\Users\Admin\AppData\Local\Temp\ViraLock
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\qkEcIEQc.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
C:\Users\Admin\AppData\Local\Temp\ViraLock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\eKokIUUQ.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
C:\Users\Admin\AppData\Local\Temp\ViraLock
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\UOMMAwgM.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
C:\Users\Admin\AppData\Local\Temp\ViraLock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\rQokwcIw.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
C:\Users\Admin\AppData\Local\Temp\ViraLock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\LakUIoUg.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1588369253-1345912685-1263044714319967532461027843458907734-1761838816379503419"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
C:\Users\Admin\AppData\Local\Temp\ViraLock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\iEYcQcAM.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
C:\Users\Admin\AppData\Local\Temp\ViraLock
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\uyEoccMo.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-539196148-2068934598-275619770-9427944301890760210-2104039239-729836679568651938"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-35423765911762779531529698428-5354485024407253468839695041945839030461420286"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZSkMUoMk.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1459595686461350563-20074672694264215751526276-1342882392647525357515104381"
C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
C:\Users\Admin\AppData\Local\Temp\ViraLock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "148494731-1904350824-1760066680-92072367-304321142727257513-12437389991426898116"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
C:\Users\Admin\AppData\Local\Temp\ViraLock
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\WQwEwkkg.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
C:\Users\Admin\AppData\Local\Temp\ViraLock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\vOIIogQc.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
C:\Users\Admin\AppData\Local\Temp\ViraLock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\dGMcEcIk.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
C:\Users\Admin\AppData\Local\Temp\ViraLock
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZOMEkkUs.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
C:\Users\Admin\AppData\Local\Temp\ViraLock
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "357666901-13189651017235824521431702618-132272699877408641958970911373530446"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\BwwsQMkA.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "104409430113797935571918285751-924637500-513078953134750908518193472818224580"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "113092886216609393072060759490-20030415113507844636344679271921826738772587917"
C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
C:\Users\Admin\AppData\Local\Temp\ViraLock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\piEYoMgk.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
C:\Users\Admin\AppData\Local\Temp\ViraLock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\pmooQEsw.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-302133564-13093713181370759871-1475601206-1271269600205599963416180528871821856711"
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\OGcQkAsE.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-55931130399752351-9954756601159350077178652437386806220212455701371641816930"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-975832392-1687381219-1593554661-150495926818641769331561091060-1872366850-1997677169"
C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
C:\Users\Admin\AppData\Local\Temp\ViraLock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
C:\Users\Admin\AppData\Local\Temp\ViraLock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\XIEMogYY.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
C:\Users\Admin\AppData\Local\Temp\ViraLock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\IccUAEsE.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
C:\Users\Admin\AppData\Local\Temp\ViraLock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\qqIcwgww.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
C:\Users\Admin\AppData\Local\Temp\ViraLock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\iEsQkIQU.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
C:\Users\Admin\AppData\Local\Temp\ViraLock
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\SoAUIUUk.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
C:\Users\Admin\AppData\Local\Temp\ViraLock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\jwAcMoso.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
C:\Users\Admin\AppData\Local\Temp\ViraLock
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1049367637934743883-1341291457-615020262-2126316132-422872657469794042313482419"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZGkAcgAQ.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
C:\Users\Admin\AppData\Local\Temp\ViraLock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\veIAwIIE.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
C:\Users\Admin\AppData\Local\Temp\ViraLock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-13565118306579515791678004867659579701-6856050751921308590-1446063408-841078952"
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ekUIcssQ.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-829715464-94592849-37618997967090022-17130670691445591820-698085081766293379"
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
C:\Users\Admin\AppData\Local\Temp\ViraLock
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\AQssAMIw.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
C:\Users\Admin\AppData\Local\Temp\ViraLock
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-20352956181083462144-1955851210-965323021-1953037483-3221042302043033248-1694265174"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\cMYcUcQA.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
C:\Users\Admin\AppData\Local\Temp\ViraLock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\dyoMIoQA.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1522477788821905815911575401858782078-896430992-1049408769-1995741950-72998539"
C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
C:\Users\Admin\AppData\Local\Temp\ViraLock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-369933239798673765-16380743332040155026-1647856486-1295913071-4220278412006613035"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\VGgkoYQY.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1623136-122393077920050321632325859171407090259-17665466901901722039419285977"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
C:\Users\Admin\AppData\Local\Temp\ViraLock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tMIgkcsg.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-6727339811250022178963989533-9692183461503009746765536154-1308171807-2122303865"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
C:\Users\Admin\AppData\Local\Temp\ViraLock
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sakEoUsU.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "9270136371956275951901776757412409109-8249800295973034929223470601727939326"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
C:\Users\Admin\AppData\Local\Temp\ViraLock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\jeoUccQc.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "5557034291732236968-943680633-672111328-142572492215088200686575154787140139"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1514784377-87516639-4056001131684224129869600825549579704518179503-2082108206"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\OCkMAYgc.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1361702732-566012031-23517662-61954042686339561-1994034593-1751546159-1134885549"
C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
C:\Users\Admin\AppData\Local\Temp\ViraLock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\MYkIgIMg.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
C:\Users\Admin\AppData\Local\Temp\ViraLock
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\qsoccoMs.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-334092717-2054284460-10279898546216259432024185753-205892739-1065562031-1690485499"
C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
C:\Users\Admin\AppData\Local\Temp\ViraLock
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1457774140-13389679281011716170-5912266511282478754-9908561011988951801786223022"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\qCAUMUIw.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
C:\Users\Admin\AppData\Local\Temp\ViraLock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1126417798624040949161717802015954237-141678519017075470761725647290134940980"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\UUgIMgcw.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
C:\Users\Admin\AppData\Local\Temp\ViraLock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\IYEkQMMM.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
C:\Users\Admin\AppData\Local\Temp\ViraLock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\TygAkUsA.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1465199849536607354781214019-132813348313493625031124619341714578651-310629388"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-17985031931549229717-214084564287104263315355944491857731811957345752-1150299370"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
Network
| Country | Destination | Domain | Proto |
| BO | 200.87.164.69:9999 | | tcp |
| US | 8.8.8.8:53 | google.com | udp |
| US | 8.8.8.8:53 | google.com | udp |
| DE | 142.250.186.46:80 | google.com | tcp |
| DE | 142.250.186.46:80 | google.com | tcp |
| BO | 200.87.164.69:9999 | | tcp |
| BO | 200.119.204.12:9999 | | tcp |
| BO | 200.119.204.12:9999 | | tcp |
| BO | 190.186.45.170:9999 | | tcp |
| BO | 190.186.45.170:9999 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\vAcEEkcU.bat
| MD5 | 6fb34f0fd3db1ab9399dccef287678f8 |
| SHA1 | 7d7f5eaf95a847fa90ec1445e6bc799b7eb3daf6 |
| SHA256 | b682bc80509606fadc463a51f2ed57a86d115926a6896ff218d690db3a796ccc |
| SHA512 | 9c36e82c1b2c35cccb35c914acda472047c3c7374357a0118dca7d6c3852a579db7cb5d0404e70cbbcaac1a1cb9d9f0c03c0eaa0e3f28e0d96b1a42cbdb80bc2 |
C:\Users\Admin\AppData\Local\Temp\oYoMIYcY.bat
| MD5 | 7ab2b1610b31de47b60b42ee442bdea1 |
| SHA1 | 365f5165cfe925070b152dff244fd2a146eb0049 |
| SHA256 | 241e1c6ff51a3978f83d399109321f9c453d02f378b48ce9dcd0e6bd0a1fba96 |
| SHA512 | fbb10bf7e1765c5617e4a3b65cea5e2acbd28cb267d941286239838a95c5824927f054aae7a0f8cf154f8085ef88f56c8db686f35a5264716d1e81710eab29d6 |
C:\Users\Admin\AppData\Local\Temp\eogIkkko.bat
| MD5 | cee08d68a760d7bc274e69459569b6c1 |
| SHA1 | f815622fcdd1557779d5b32c9db38ba89bf17941 |
| SHA256 | ecf58b45653bdb1ef095ddb32400d3187e73b6dd5882c729910ad2ee1fe805dd |
| SHA512 | 1bb69beb36e8414ee68822326c6ce321118592e47ab437a05d1bf77547227dc9f556c4af0f75a3691495bbfeac883517a9e22b3dd43142a654fc9e5abee9b1bd |
C:\Users\Admin\AppData\Local\Temp\TugMcAkc.bat
| MD5 | 016609ac3b8cb05e249589e1730b4c4c |
| SHA1 | a4b75e2d322ca6a30621675a4cb44853799c4239 |
| SHA256 | 20cca6764df51ed854aaf3193115236b550d43fdb8ce2b5428874a82c8269745 |
| SHA512 | 15c90a7b27a2f280b4d7df2c873c0125f139a4dc8cc265b47a54eddfebd8b83a47d81ac0869e8423c1124ba8f30d475df86d2ab6c8fa3833cc09c912d62a2c28 |
C:\Users\Admin\AppData\Local\Temp\dcokQkYA.bat
| MD5 | 894a5a3407b88a39fb033d96de371cde |
| SHA1 | 9270a5a8df154efd060b7dbba2a46260c43b0a7c |
| SHA256 | cb76fe8c96b38a981fca100aed46d291ac75228ff1208155d3ed2b3314123f46 |
| SHA512 | 95bf55188bb483214888a49d03f79e29920f0124f3269f20d409bfe6396dfea71bfa88b20b5755dc6a3078bd804e0e2e371df37f6824b720e3e7822d6e62ed65 |
C:\Users\Admin\AppData\Local\Temp\QCIEsIAU.bat
| MD5 | a46cd446dc367a3fd42bd179c2d58948 |
| SHA1 | bb87d82e077f443e6e13a52d62b52a44d732ed16 |
| SHA256 | 0f79aac8756b8ecbb1328a8f4fadf800a0177b70fcc469780f4ab83c700861e6 |
| SHA512 | 69a89c59191dc993555dbe0697e212048da9dcc4a7b77408cf8117f1e06cedb7f24426bfac5e955d0c45a5eecffd9ba90c411d6c0455d0aebec8a02460e90666 |
C:\Users\Admin\AppData\Local\Temp\UiMwUcEk.bat
| MD5 | b1e20c85131f0893eba42132f893c889 |
| SHA1 | 6d608a0b2922038e7cf4c665577703ca3f8c1d0c |
| SHA256 | 43f9910510bd4164436c14e10861b6cf732be93c3913783aa239df63d49e9162 |
| SHA512 | faf61b855413c56afd83c1810f311da260c40636391a1c90aff256c327b4da94c24b6c5591dd341057eb2912d96c6e5ee8aabb7cfb3476c7f2a20053fd26e6b2 |
C:\Users\Admin\AppData\Local\Temp\fGUUMgUE.bat
| MD5 | 9c535bf5f3c79fc5f7f41043fc293d9c |
| SHA1 | 7c1991770193976909136652de8d2c38bad59360 |
| SHA256 | 51fa08b4b78dcef50ecbaf2177e692717b564d50a5d2b79e269eb3c013a5ba25 |
| SHA512 | 12ea8ec29a0cac1507ad288e382b6b53b813d74255847d8bc2235de6e4b78b2c0c703fd167f3d9d9e0667e094ceadcbf2ffc6dd27345dc62b3ecd81dcab11ca1 |
C:\Users\Admin\AppData\Local\Temp\GYoEQAwY.bat
| MD5 | 63e48abf300d90fdb4acb45dcaf31dd6 |
| SHA1 | bca005410c5259deafc8dc81dbcb553123edfec3 |
| SHA256 | 169063e190207d4b6e03db2a8961363c3ac8659e048d411bc589cd2aa1ae5fc9 |
| SHA512 | 76aae27bc6db09fbe2b7c86baae42f2f2f8444db3dc3b47860becfcb6381c5e0d21bb99b69944c4ea39776d875180fae6223a29da0e1dde7c2126d27600d07fd |
C:\Users\Admin\AppData\Local\Temp\lQkUcwok.bat
| MD5 | b60715ea3667e611a9f299ccc170c3a3 |
| SHA1 | c4354089f5833a67cc5cc841461adf2c0c402442 |
| SHA256 | cf531dd17dd51e1f12689779164a174e194ce46e7055569e49659eaa7462a3d4 |
| SHA512 | 9e721bf045278f15e1c661d9afcef5b2b3adca0cb10edca08f61af53b150ecc8fa741cf36c372594ab762af5af38b702a3d0399f0cefc7ebe975320f5dd5c9cd |
C:\Users\Admin\AppData\Local\Temp\VqcEswok.bat
| MD5 | 5e6a49ed4d0b8e8d756b7ce51c85b151 |
| SHA1 | cea20171823e5c486fd4fdcc246f7757f8ea0ce0 |
| SHA256 | e38683ac20249ad45b831720cc7e6b2cd4f3588f7f807c659df355e64fa4ca1a |
| SHA512 | 8bb76da3ac1fd04045f3d0062802a714a550d353c481173d051531db99398fdbefa699b5694aa7c5eca9681c47504bf8e75d993b7a4bde39b1d78dfe64938543 |
C:\Users\Admin\AppData\Local\Temp\qOAgAwEw.bat
| MD5 | ba20474334bc8df822e54038126ec7d1 |
| SHA1 | 393e719f8cfc7c07a73ddb5a849ed461564859ae |
| SHA256 | eee90b2ff5cbe2040f1ab5fd32d6b7866f366ee1d4faf6074c9381aaca994c02 |
| SHA512 | c24490486f94ac6e51bdd7e65a753e9ad090bfcca8c28b21702736529c527f9349912967d3af0f32b92cb030a61835fa838640d38f9c506e296b78bd1c42ee39 |
C:\Users\Admin\AppData\Local\Temp\UewoQscc.bat
| MD5 | d2f9ee0753aff03a977928d620fdf96b |
| SHA1 | a6972497a80c9e0b7efc639dd8819321540d5b6e |
| SHA256 | 7819a22687c84a7afb264d90ac0741d93ae31f50a85c6be754e78b64c2d5705e |
| SHA512 | 9a85677b967c200fe771b2b256b9601d50ca56d3c1e588221772b51ba96d93c0dd16a53117b13fe70d73f81745b55c60a46516e54c4d9a8b903de3d90fca9baf |
C:\Users\Admin\AppData\Local\Temp\YQosMsIc.bat
| MD5 | 7b1269180bfcf09c06232d1bb3a42717 |
| SHA1 | 224fb454d41214fa7102e83bdc0e30c493c4a86c |
| SHA256 | ab0c29de3df9aaeedf04d7c5fc4f7a4803cf40ef428b3a7b303d376a8102b304 |
| SHA512 | 06f487917df3511f62647879818786547f2260fb59c972c5bf56053c15a37aba108345d6ddde11bbad69bcb28756a48561241702ea668d61e8e40eb267d8e838 |
C:\Users\Admin\AppData\Local\Temp\VUkYoQAg.bat
| MD5 | 299f83cd3263a3b169974c80fd877ebe |
| SHA1 | d52e5078ab9ba6204248c14c7420f47ccbfa04c0 |
| SHA256 | 0d477aa3552a85983439bad3cc799361ac167e0d8667f6f3600cfd871f6df67d |
| SHA512 | 2021394131439572037dd4c6e477f6ea4bd6a46de26e17136ab40d51f71b4cd7fd3685086b7d303a191904b5b7cff9b66815cbb57756fccffc7a64aca1618072 |
C:\Users\Admin\AppData\Local\Temp\OQUcIUIQ.bat
| MD5 | af3d425309c93287d7791b426d34ae67 |
| SHA1 | 5fff5c8052d38b5632321e108e4464406f0a3071 |
| SHA256 | 8327bab7859d1d28f2820d9d349333dce06e0913a0527a04889e821ccbec2f9a |
| SHA512 | 046da4e269f88aab67ff81b4e22b32bc994d812908e1c546c4209ca67ac4b282cc1930edb3b625bf9067b921643a7e8bfa3b7e93d4bff1bc117b14bc2b62715f |
C:\Users\Admin\AppData\Local\Temp\zksQ.exe
| MD5 | dbb96ef697ac8c7d575400d247ae15fd |
| SHA1 | 1ac1448266536de48d34882c4882731238162088 |
| SHA256 | 07df8094f53046be2aa42650c95d0877a193e8089ded8b7fb3816b0ffb2f19fc |
| SHA512 | fd7413fc0b67df478261715468188e11b8f9c5d9c7b38790cdf7ae8cba11b7d4063f4a523a6adf002ec11dbdbbe3c5331c9ef62c9f3642a54f636842af5113cc |
C:\Users\Admin\AppData\Local\Temp\AEMk.exe
| MD5 | 5dd2dd98d766f95a5409688f711bd543 |
| SHA1 | f33abcca670ce14d965b2d2c86755fb2225fdc88 |
| SHA256 | 9f7ba1f23d5afe51dbf62002d2035331c7586ca7d0108d7e363ccb579ba61f9b |
| SHA512 | 51ec13fd155dc8a2344d8742ea75c4b57da5d39225ff950abb0e4f9750462967e305271a2c5d6174003fd80395920ece20b949daf320828dd517e11d153d0038 |
C:\Users\Admin\AppData\Local\Temp\FUgU.exe
| MD5 | 4b4103dcd5fcad5dd4f61da1a281faa5 |
| SHA1 | 07c6b90d8e93ca65c1cf652c59bc8e2d14bc8279 |
| SHA256 | f05c9ca15f65acbf1173e19c6a3877f798c0b80985948df402397fad314e0e17 |
| SHA512 | 4ebfe7f8a212cba14763acf064b036600f5362639c919c5cc10e40ac94bc2c68c3c70f456be900e0e7498104cab97b372fbd13a7cbbb209b0d74d3ffe0c18659 |
C:\Users\Admin\AppData\Local\Temp\woEU.ico
| MD5 | 47a169535b738bd50344df196735e258 |
| SHA1 | 23b4c8041b83f0374554191d543fdce6890f4723 |
| SHA256 | ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf |
| SHA512 | ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7 |
C:\Users\Admin\AppData\Local\Temp\UoQy.exe
| MD5 | 155ec0ac66d4701614d0a7c7ceea09b8 |
| SHA1 | add26c77c7afd2bc013a007e474e7de27bbca35b |
| SHA256 | 0925b9a57daa16fe7481e3cdbe4269dace2a1cfc18f6f95b8d43c84710619ab1 |
| SHA512 | 79218a8ec367c4a47581847c56ef73674f8c266851cd92be09e9b4b2177a929c96619ff6bfa418f31e5c2afaa07722dde729bac2c4a4f3380b2640ade51765c8 |
C:\Users\Admin\AppData\Local\Temp\jyIIscQM.bat
| MD5 | 75dd8b06f6e703eea3d955b74d000e70 |
| SHA1 | 99a00f50ac1e898765fdf387007b6436a23754ab |
| SHA256 | 9417c93c998871abf9cdd96075d6d977d68f1fce24e6f8dac40197d182fc3977 |
| SHA512 | fad20a31fb15fb4d988b706d6ba05061bf20690c2f94d7bd0c4367f7af7eab97321098e5c9a1ed9ff4dd796123e9e43971ec886f4d4afce47ee552e5f1d91c2f |
C:\Users\Admin\AppData\Local\Temp\KsAw.exe
| MD5 | 3950ae20bcfb86ed174cae37138c37d0 |
| SHA1 | 9df621a21a531588a132d1ad0d503b92a6707ede |
| SHA256 | beb12a065f263ab9d1d487d2cf3e48a7b472f07a01bf215835e0e2bba1b86110 |
| SHA512 | fc69527cb8923104506c5849966ab4599e59365f3975fffd71efdaf18057ad2c2d16a92c1914f05fcb0481997697fe4eeb7773b8a9e80928e04b9352d0ecb016 |
C:\Users\Admin\AppData\Local\Temp\CMUs.exe
| MD5 | f99ffa7d84352b9c1c732b72b0f4b7c9 |
| SHA1 | fedfe7d7f06e71bbf4baa801511a591a36803a2a |
| SHA256 | e85f2c299860955b2825c479fffd81f6482c0c4abb056709c63ac2df41ce798c |
| SHA512 | 317ff59074cfde7f2cc6557f2e912fbc6f4667f806a885ae43838eb5f128ea66ed4467de62a8b67324cfc1d2fefc8df11e5a9be91c0a245cd2e6c1f7a9514abb |
C:\Users\Admin\AppData\Local\Temp\hskwoAUE.bat
| MD5 | fb48284c75b87e214e35c1be58bb8c69 |
| SHA1 | 8e39888d9c521c8fe838202b57b43bb8714f7789 |
| SHA256 | 7a5f805dcd424ef75af6150f49018fe38d58c47095f9fdf933719cbdb5076b01 |
| SHA512 | 8c0c71d4cf2d4b7e328c40f7309a78ad70aa4b4bc9701c339f5d83131e782a54b857fb1ae7dec20426aa9f7fd41808422eb219ad7754001ba7381b4f23a071e4 |
C:\Users\Admin\AppData\Local\Temp\IwIK.exe
| MD5 | 4bf31e6a86c9ea791fd5a0b655072397 |
| SHA1 | 7da4a92bbc51474f75602e155c7266fc3fadeb14 |
| SHA256 | 54837adde32cdb7b21534335bc02fcc0ea80a596b497e23e55857eaabfac1039 |
| SHA512 | 9e97a07ab1cf8127717c41c195526a15e4f59ae0037a34b7816cf16abf2a9939731cfa89419e0337db0b8e5a7940aaf89ce5124c4567a707b3f129c6e89dce42 |
C:\Users\Admin\AppData\Local\Temp\YGYYUgsY.bat
| MD5 | 80a6d28c22f70e1e853c6b60bbc82907 |
| SHA1 | ee731af8dc5955637e20dabc294b815eb8b2c376 |
| SHA256 | 9b2ae4b1067640a0ea7bd255d8104cabeb5434042cb5c743923d00405a363c9d |
| SHA512 | 0f0b86f3ec94a8e92457bb6c1d93f5c9233565d15f67c33f7acea23b04454e67cef90966d395ceccd498ffcce09cb60aeb094982ddffbf795c6232f533ce5d1d |
C:\Users\Admin\AppData\Local\Temp\kUoO.exe
| MD5 | 420e7d39788f858991c6c9abc4858567 |
| SHA1 | 320736b0dbce4f91daf1f6271f0b81088fc9bca1 |
| SHA256 | f8ab11c8c4a24516966a0b1b8b8934e4f7968d60030b1959b05a1c1934badf6f |
| SHA512 | 12c5c2455367bf61badb9fe5f8b86a2c1d47d4c004f99a0a639431339882cb2809de4f126ff67322df5383408cbdf788a7571000e7fd827a40daa792560f9354 |
C:\Users\Admin\AppData\Local\Temp\joUi.exe
| MD5 | 369c08d75175653ea0269bc0ae6153fb |
| SHA1 | 005f976990b9e0230eee7228594330a6ed776e9b |
| SHA256 | 34fa73834830573769e9cbe1b9de0219a0526c22805ef12d6ad9811401213368 |
| SHA512 | 9ef5ae44214ec7317deb13c73f9ffd5b428b1df6883798f0bed811efac94c616a12430276e4780b6aa524ba1d4a788c28d019b5e3841e106e9984b5fffcd7393 |
C:\Users\Admin\AppData\Local\Temp\ygoI.exe
| MD5 | 8ac3ad2d51f71f97f7d129ad444d29ee |
| SHA1 | b7c23d3ec486693186d6b0a2d8544abd36b86589 |
| SHA256 | 7537f5ab3fa9354daa5042d7324f32af364e316bdfa361e1e27e8b4b2fd6a224 |
| SHA512 | ca69cca0f9661833b32b9e4094647a712fae5a4b3c08366de234a51f98610478545e599ce1345b94791f893ce1006a45c5c2079c59b594eac8822fe95146b479 |
C:\Users\Admin\AppData\Local\Temp\BQwq.exe
| MD5 | b7736ff3db8c56f21b5f8f625476e72f |
| SHA1 | 9aaa7c705cf73f6a60fd9fab25647bbc26a1ae01 |
| SHA256 | 2c3e10f1499ea8cfe9c31b35dad6c5d7488023d7fa24030ec7a989a405c2cd66 |
| SHA512 | 371e147436acb0e78deacf014c34ed6bbeb787fb4a54e0f6639e69e03b7a6ff4e6ec52279589130b8ad9d339e1febd3391e626629db89b6ce7ca0ea17eb528db |
C:\Users\Admin\AppData\Local\Temp\ZIQsYEYU.bat
| MD5 | 41d22427917723d197363cce78d08d9a |
| SHA1 | 38e4cfa2d7bbfe6effdc2df0dbe2c6e3e2a63e7d |
| SHA256 | 6e4300166b4a2320c87d09fbc4a8c303dcc3c894cac7edb02219723abd00eae5 |
| SHA512 | 7dcb207e97b59694673698ed5b6853454cbb583af03224b0c0f059d86e2c5a818328a3f16db7fe726631c8cee097b16f57fe4411d1d70c6d38406ec6e8ac4396 |
C:\Users\Admin\AppData\Local\Temp\owYA.exe
| MD5 | bfe68cc67f5033185a6f7ad9e5dca7c3 |
| SHA1 | 52c37f69a9cd645d95d635128583c1e1479d3ed5 |
| SHA256 | f4f2b86f6ee1133c721d2345e0bfb49429728671fac75ceaef72a3d2b5aa22fd |
| SHA512 | 8ee281087401175b5d883ac361867aef42f33f0581b8794434f3cbdf910c113cbbbe42d5d9107a34c61380bcebec99ca40e2798f6414177493c6f5a09b1626a5 |
C:\Users\Admin\AppData\Local\Temp\ZYso.exe
| MD5 | 8a443d0926ddc9ccfd0ddb4cb0cc5da9 |
| SHA1 | 3606b4571d2c642323103a1e207e87e1a8c7af67 |
| SHA256 | ac7903bd2a2b1b2fccd25035dcec0336c1db2eb6b1c9fb9327f4a3d28870d913 |
| SHA512 | 9799458526e79e55c1f03a02949c52bb1005ff482ae3f1b792152310e6b22a3f34d5502ae9c0e1cff9dde28e52a95e88845124c9a74922fedbf280f46bbd90da |
C:\Users\Admin\AppData\Local\Temp\vYwa.exe
| MD5 | 29e888312a6fa54581451f829e889f44 |
| SHA1 | 8d78f9d7a1bc7471ac18fca3c1544cfa4c7bdb88 |
| SHA256 | 93ad30cdbe9c14c0e81cf888f6e670eedd4afcd241661ea101022242868c8d53 |
| SHA512 | 6c96f2def7ba289fd62a777a8c15c3182a56df997678222894a6f5ffe436114e70ba767632c74da5109c9c05b6be9b725741939c053c7b02aff4bc88da9ec086 |
C:\Users\Admin\AppData\Local\Temp\mKQcsgwo.bat
| MD5 | 20fe2be58a2e46d530f1ee3fe7de601f |
| SHA1 | 5e4dd0cb98ce20c96e561f2f5b70831a82ffb25e |
| SHA256 | b9ab72bed4b088bd4ea37e7afaaa6a89e6a1a871cffb775698f661af7540d512 |
| SHA512 | 69e4956f3fafb8249d3eb2c74c726cfc89ee9970daa230ef9f94549312b42434049c419a3830aa8099e168ce044b4ab3a344c4c2b3b14a4d70d2ba3b3cec69e1 |
C:\Users\Admin\AppData\Local\Temp\jsAa.exe
| MD5 | 19250bb02c401f02c1b9a1112614d4dc |
| SHA1 | 0298f067669adc133e2b6610bee6c20c10f09dba |
| SHA256 | b2131553c66f4f44c803eeb6f5db96ae5b426ab9773150e3090a3a848161eec0 |
| SHA512 | b3b2e624b4e3e0c0473a8757fe051f663c2b82e623693b013170db7bdacd32566481e3c021339b38582d1b3f5b3ecc62556471e30acb7c14432e19ac55675e3a |
C:\Users\Admin\AppData\Local\Temp\Mcoo.exe
| MD5 | e57514d1768e1cd7a863b1ba45cd17b7 |
| SHA1 | ab95b3cdfa24abb2632bb41f4c92d0bad6f0d8fe |
| SHA256 | 4af2bb95157a1e76469a213ffc9c0932028b217c2bf806017c90593ed4f07841 |
| SHA512 | d820fbee9ba6fc45fcf0a6e9d724472fc2c9a22fddc75b87a2167ebf53d2b1fabcdfaff0c77a5cfc348203552d9af6424206d1a23874d9a4a3428150a03908ff |
C:\Users\Admin\AppData\Local\Temp\SgAi.exe
| MD5 | b43aa938920afb89c142696b5c9b14ad |
| SHA1 | 7b6d21f8ae256395dfd46ab05d71a6065c482dab |
| SHA256 | 14a8787572fdd2c5b8ac703103c269f317eb85863300b79713cdeffe811b0a16 |
| SHA512 | 5e5a566f34d923c21d358970ca94278bce408c49311a375c2d9833fad2eddc0e35b26bd6ebce5be257f110339d74500e1b46a80b8490d00533427c7c2a50f841 |
C:\Users\Admin\AppData\Local\Temp\pAcs.exe
| MD5 | 806f5d737fadd3a6448151a70b908ace |
| SHA1 | 468f62ceebacb2790dac69e68c59568b81a2a4ed |
| SHA256 | 14b0e201d127b8c46367e257bdd4092f6f5af2534a553ff1c53837b585904f9c |
| SHA512 | 8874c608026a991c4a480e63d550def10b3c84c638d6940d3857f73fe63f22e34682a4b3ec0c1463cf1932d72dea2995233ba3ecf83f97f1cfc08eeaee6d2058 |
C:\Users\Admin\AppData\Local\Temp\tsQw.exe
| MD5 | 01f17be8124e3b18fb560e7a05a8eede |
| SHA1 | 4a4d23240b0e7190ea0ddd9a9f399fb8e521e857 |
| SHA256 | e18d4ac498b49f38cf645f40aa28b5359fdfbf8fd6696d94b99d4592add44cb9 |
| SHA512 | 708bfa82696f68c2e5f5ee0cb3d4601b1f451e4413553accb30fa18e2c4b6fd492c658bc116b4857d322ff13192513e6a70328bbde898daaf31d484e2aae0a0c |
C:\Users\Admin\AppData\Local\Temp\VAUk.exe
| MD5 | af273bdec844fc906bd78fbaf3fb8ba8 |
| SHA1 | 9b536ebd41e106d3a957df2545850d3bdbaf39ec |
| SHA256 | 6d883229f7e7b85db4a2be22f2c5e99be75d55a8587700bfa60aa44e696498b2 |
| SHA512 | 7f0bf444f543a831afd89269e537769e1abd8d51b19c67acd9006099feb13e046949fd738bed81e0bb2563bac05630c412fa06b903bf15f64d326ce2008f4672 |
C:\Users\Admin\AppData\Local\Temp\JoQm.exe
| MD5 | e73c47b75547fdc06c4d5afeac6a2689 |
| SHA1 | 721eb127e5b4b4d52f9677cae87ffa4756d58131 |
| SHA256 | a265cc0a9f020737c18e241b363ef11c6c97082b4f944dd3a7d61974be7c7204 |
| SHA512 | 5737187a08c3bf8cc33387451113b1f756093d55010f41d76b1f5e50a96bcc163a81e3f3d4f9016e93faf7247610e66d48cfaee086e335813f03b3bdef85d3cf |
C:\Users\Admin\AppData\Local\Temp\PcoW.exe
| MD5 | 9e97a41ecd129c78d2fce21ad1d1e510 |
| SHA1 | d2c8a5b8c51a287957837ae3d0e4c657351eb3cb |
| SHA256 | e14e3c61b54aa0052abd1338db0bb76398e10bae5d21d6c32e7625b66879e8a2 |
| SHA512 | d35d4cf88d343df7a57d646a72a8d09ab5c4f7e28f764c6c4ec78d89a2edd6a07748170f26bfaa43e2b8871291c660430fc706bc9e2a187aebda0a9d22523be3 |
C:\Users\Admin\AppData\Local\Temp\pWogscgY.bat
| MD5 | 63c30d08be26c6d9556250f90fbf0060 |
| SHA1 | 3c2f7c5860122772216c2d0797417831160d5ec3 |
| SHA256 | 3c443a39eab449258eb19d212035885d242f26286e9f700ea7ff1732a86f13be |
| SHA512 | e12111982c18f4acd816274b53d613c77855e6dd7a2195e9075d1ec8afad8e13767ed7cfbb145dd3482183eed379af5b8a392c3ec21ba40fdeb2b1f948e54291 |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile27.bmp.exe
| MD5 | bc17974d2ede7645803e785d14fde876 |
| SHA1 | f8a28b95291ce5c78cc86ab3439ac33bbb51954d |
| SHA256 | 68528340707c40f893eb4e40e0af71781ca85195b7a65e309a02a293f148545c |
| SHA512 | e868ee6031d6faf9c6d6c2d6de63893a382e9931e0161940360a1a09678bd906cf3d0b78df14efd34bec90fd4bdfc5198fb2db4f7983c15903685e68148865e5 |
C:\Users\Admin\AppData\Local\Temp\dUQC.exe
| MD5 | 3bafb2eeefb84af88e61cf6036db1902 |
| SHA1 | 18a8e7d584af78889e4b966d9343654d0bed5efe |
| SHA256 | 1eb7a6e9dfc0903f2e8c9b8284c27e065d1f948147ae5dbf75640a578fe1deb8 |
| SHA512 | 674e11fc8606a87c419f9fe3b9bc37355283ba4b41b5b75632b1c66e8f3425186532bbe1fa0eb4eb74027964a4c2f1dafcfe76a21cc6f18e72f05615b04eb170 |
C:\Users\Admin\AppData\Local\Temp\XIYI.exe
| MD5 | 8f9280a6629113100ce8c40997afff06 |
| SHA1 | aec220abe4bfb9db2891983713f24c43875eca5d |
| SHA256 | 833ca52ed575b0a101eeb13ec9c0499fb32e6b0848e3dfe3b06094cc879a5299 |
| SHA512 | 61f7ef607792d217831de4cfb42700b1829a399f2215dcce4d883bdecac849bb2c3ed1bf9b2568317d11e605e95b3e4dcc320d9cceff0530a09b6bf3d82aa54a |
C:\Users\Admin\AppData\Local\Temp\gQcw.exe
| MD5 | 9d25f179159fd1185d6daac9b69bc078 |
| SHA1 | a8a5343f77608b5360444f0b062d2d84b62b3e6e |
| SHA256 | e5d391f022f2d9bd6b956470de5210875ef6b22b35926a9508032d5801c16e19 |
| SHA512 | e0e035680edb11f3562078be77d00a4866c565c3ff20af924becb9688d0cd4705f2399852099d82e331ba8432c92315cae38da924189fc12e1c49fd50a06819c |
C:\Users\Admin\AppData\Local\Temp\zIAW.exe
| MD5 | 93a4a89d13e870ef8ccfb0104b53a81c |
| SHA1 | 912c54b7dc920210630f8d221f20c4fd4edf8666 |
| SHA256 | 0811a66d90256f221cfd06bf70fcc0b04c464e377f634c3fc501f91d95e65172 |
| SHA512 | f63d305d5c2372ae3975e9ddc8eed3fbd4b1338a9727eec9233523faf6280b3e4a8fe7a5907f19ae007cf44fba95d22ce483fbb3fcd3b6093bc19682c7c4776f |
C:\Users\Admin\AppData\Local\Temp\TwYsggIM.bat
| MD5 | 783647bf52d89944869c3f8370542c6e |
| SHA1 | d41f123232b064140e901674ce3987214e629061 |
| SHA256 | efa30a3252cb5edb49d439319f2ce62ea653a9b3e59fca5aef576abf40119810 |
| SHA512 | 033b1dd17150f584e2bb669e9519809351955d4bd2dd0cebe92553036e328526286b4ae054be2e963142bcd0ada889d2433b3c536114a78ff74bd8e1618fa8c1 |
C:\Users\Admin\AppData\Local\Temp\TAkS.exe
| MD5 | 12bc7c5043ba80b215e139d5e6d2233c |
| SHA1 | 6a7b6e2f248c407b3ebbcf242ce960a828f423d2 |
| SHA256 | f7e72bf6e65a45329d764ba68d4c4797db89432943bf3bc29e1f3791586e1f01 |
| SHA512 | 195114b09d40bd3158dd26b925733d862e10ea2968d45a6d8d5d1a3c2fe7bc741cbb7ba10a4af1cd345fdd78fcd04e7af185b839a90fb51074b809135175b335 |
C:\Users\Admin\AppData\Local\Temp\TowA.exe
| MD5 | 8cd7acfedb261241556c1eda467d24ca |
| SHA1 | eff97aadfa96d456293084958808c26ba68ab880 |
| SHA256 | 1194bbff43acefb24a8caf541ec34b1dbef705c6255843b59cd0da65d4148804 |
| SHA512 | 9d5a62d098c16675a7add7598ca6c123b366b946ffa6b51cdf8a4e3925255ef63eae4b4ed49d51a58173e146ad291ca837bbb403b2b4abb8f1ebb21a8150dd9f |
C:\Users\Admin\AppData\Local\Temp\EkkS.exe
| MD5 | 23541f6ac44e93d002ceb9aa4fa2d6e1 |
| SHA1 | 18c9f8441d07fae7e362736a9c4ca576bef9aacc |
| SHA256 | 968aea2fb760d6ea77cbbdb7cfe888b9aa801339b87525fb1f609ccc395877d1 |
| SHA512 | 4e429a8e89c6de5c4ef2038d73d597cda223953e056b75d3897247d446055d78d582414f183b79d875631f6c967610369b482d13d8e0c0afeaf97a8009a291f3 |
C:\Users\Admin\AppData\Local\Temp\dkQO.exe
| MD5 | 118c85a6b9f4043f07823058e67497d0 |
| SHA1 | 2250dc799002ca1adbc532c79594c0cb558be607 |
| SHA256 | df8d4235939d005c680342c72e5f0a3f3fd72b5c233cd844fd80d7fd59aa49d6 |
| SHA512 | dbbfc5f201293efafae2855021d86308f3f1788a29b405add5860a86ad063959131854a788a4ae2046444633faa0d2c3692a57d1326af62a4c48b1df830d404e |
C:\Users\Admin\AppData\Local\Temp\ScUE.exe
| MD5 | f7955237f56d4caf56a1580b1149da54 |
| SHA1 | 96a78634e1f770e4173a588ebd5d90621027ee25 |
| SHA256 | 958dd25da84a2c6cb994be72ab6dd02e22b66480563b6548ff3d59926e760e0b |
| SHA512 | 40c160ba4a49299af59db050795b3278c0d965cc96df38461d7ddb3fad7fe2592c21ac8bc21011c108d098dd65ea7acfaca767b5b30a13c769be4d336184786e |
C:\Users\Admin\AppData\Local\Temp\JEMW.exe
| MD5 | f78afed32d75a280c5d68eb6c6769803 |
| SHA1 | 2bdee80c2633d5f32622fd83c5b316d3cc6a3d2f |
| SHA256 | 8601b24d0c98d3ad222dc06d5e1b97bf8752342d19725f8fe31dd08ce8d208f8 |
| SHA512 | 37343a38bfa6bc11b2249411c7f29baec1d1f2fa7d5f245d8fa19fdec854e18349cd994ef70d03621783f9cc19952ced121e836f2456089ec75314736786c352 |
C:\Users\Admin\AppData\Local\Temp\SkwW.exe
| MD5 | 0fbdd152333bf036602f0826dc7791dd |
| SHA1 | cfb504523c052b38447b4e88be63b79abbb19c0e |
| SHA256 | 9a0587edf2316bc26f810c0916b80f2df8a9194deaf8a72ef9573c0efee0cbaa |
| SHA512 | bf4ef378bf1df642c735f3e3413577af9bd2e70e3706053b1dad6146d994b811750fd0b458b304e3c65dc7ab51a009f9c557eb9841a90cfa5df1eae6e1f71fcb |
C:\Users\Admin\AppData\Local\Temp\scUsYsUo.bat
| MD5 | e775c422620a751c3b88fc6c943b5431 |
| SHA1 | aa9f3aeb7ce12a08b9bb0dea9822ddc0e53d05af |
| SHA256 | a9e816313d669b6769de6981141762fb5d50453f8aa27f63504a92048b4be993 |
| SHA512 | 63c9568f48c9c9ca5e44ba40b1e69fae2afc1c4199b402652531cfd490af1baabaae66a4837ee312dc88d286ce8bb0b6a71e08c107ec8e1c1f824eb0e0388a69 |
C:\Users\Admin\AppData\Local\Temp\ykIg.exe
| MD5 | 79c0e79414ecc89a129cdf59d96db685 |
| SHA1 | ca8bd4bb45e299562ea42a629fe401387f28e642 |
| SHA256 | b509a0240ad5f719780b56f827cfb85b09d49775e1affcfa2031d73a62f0eedc |
| SHA512 | bcf37c5316a1227627957654a46d6fc577842691d094618bc280645d6ac1b190a41f70ecd7b4aece56fd17aaffb6371bdf8f24ca48b273a660bbec8be528860b |
C:\Users\Admin\AppData\Local\Temp\scYi.exe
| MD5 | b0d7fb6b2cf4e59f2b9da54c379e9f81 |
| SHA1 | 63beda2e59c2b127dc7c31cb40ae4b6961c1a96d |
| SHA256 | 0fa4755dd59b18b10fd4d5eaf76ac0e287b7e334db03d624ab39665939553627 |
| SHA512 | 69fd1e3011da3098a86ff59840439d666ea4da07f06848032baf5d39aca5ebbe9bc81b682e8fea7f00b458540d34812808be95ba9e17f8be71a9dd70c23b72c2 |
C:\Users\Admin\AppData\Local\Temp\ycgG.exe
| MD5 | a95c00aab5c77e9cf65e2906e8c52217 |
| SHA1 | c9467fcf86ffcc1c4f6b66da7a85d0040689829c |
| SHA256 | 7998db5cb141b8540505b754006155c5a440f4dadb4ae5d6c17f683000fee1d4 |
| SHA512 | c55c9341df893e86683eae944b4ba9d3b43d80ff29b42b2288f40bd8b9f2118a886507413eca04c18f639ca9a8666098d22d1b52400c48e15b5f9be1b2b3e841 |
C:\Users\Admin\AppData\Local\Temp\mcAW.exe
| MD5 | cda0f41ea478e45ce6cfc27351b18faf |
| SHA1 | a42e76404bc62d1f94a2dc7b22f78a70a5185ee0 |
| SHA256 | 5346bb4748b49e1d9e2efbe98faa260bab232fc0b4f4ae54e2ad048c4c13c5b3 |
| SHA512 | 7bc28a0a05ae949c1aee6df2b91aab2fe209039b87a3efae29f4ca35dd4c512b13f26ee17643ee4947e000d797bc0c6b8acc88334721b8a7044af8e3d79a573c |
C:\Users\Admin\AppData\Local\Temp\nMUC.exe
| MD5 | ad3603cae81452be28a1c16efc4e283b |
| SHA1 | 0101698c8f78e9c3f3d6c6b4bc38af6e5d48ea3e |
| SHA256 | fb07724be3db6e53a688e0f490472b099fa434455016b97ed95ea0179816ca1a |
| SHA512 | 40dce627a31fe8c858650bd3fc76bf6f9150c580fe23f8e7b879bb3f432941d269a287eddaef2e0b1824f3713254725d6243261c599d270aad79845ea303ca5a |
C:\Users\Admin\AppData\Local\Temp\hYAo.exe
| MD5 | 8a9191c655372c4136d024c0d1851cec |
| SHA1 | 9b560495825806065181a7b01079866e5e5d1999 |
| SHA256 | 2458f8607c2b07087a4ff8a8a6ac2989a1ab41745fa67c21cab6c096433b568c |
| SHA512 | 9bfac7b54107dab0e3708e0a4888957f197f967f21d40bd613c54448e4b7a21ea5de203dc1b250be5b6dede72930dd03a4849c3ff740883f3262417b9ca88290 |
C:\Users\Admin\AppData\Local\Temp\CQQq.exe
| MD5 | c14fd575c71f7ba03c1c66b30311d5df |
| SHA1 | b949821d15d1beef3494aab6aaa66d04ac4bb1b6 |
| SHA256 | 1a72cb354f32a20a805fe5b210512157644a9ba300d7c455c34482bba1cbbcea |
| SHA512 | 9c701408acfdf073ab6905abd4848c81b28d3340e2847a92417f00147365fe45af0ae7e259e5391501c6588c1d2a46df8ac0a6165c2469c1b807e9c66aeade92 |
C:\Users\Admin\AppData\Local\Temp\nwAI.exe
| MD5 | 9d09e2c44d6225a70d04149e4963b342 |
| SHA1 | e896a3a873626ad05b4d79984b01abbdfc10138f |
| SHA256 | 817081f8a0ebc282ce378ef508487dd7b4b042359eb3d96565009b46dfdb3bc7 |
| SHA512 | e5e0b9767d1dc69323613ca38ba2f15d23455334980d55dfd8ca7a8024e708af4ae1d9bff7ea4445e6ea2b934e5180385c2d4340011fa94566392339b14fe6f6 |
C:\Users\Admin\AppData\Local\Temp\reEIcYgA.bat
| MD5 | 847945df0a6e5b9e4e33cf2660a2922f |
| SHA1 | f88bbe2779bbb0d85c48a595f64ccb52fe6ccc07 |
| SHA256 | eeb74eef7a541f8f67dff5bc4356d39cb9cc1e047569b3a5897082b3308461a1 |
| SHA512 | e3670ec3b3303c2d0722916552a09e141d027f2062d5199645e2fa389badd594e6a0f70a63501164c3ddb8b86be68705877c46da90797b8f9a3ad4530ceae28e |
C:\Users\Admin\AppData\Local\Temp\ZssK.exe
| MD5 | a309a1343a65d58bba3322b1348fe88c |
| SHA1 | 2e4d5c498eb964825d8669371c4ad1ac2beddf77 |
| SHA256 | 60ca36d5ec35255e37e03ca01bfb85d06e318e97c5af9ff3b87c5021245f5853 |
| SHA512 | 85a72a74ca0f6dacf84cae232bde0e900aec66cc25eeb330e9f9158e6190f78ff8c6c94a3bb55732de26f902d19583d75f61e38ed10224d8bc4b2eb62dcdf977 |
C:\Users\Admin\AppData\Local\Temp\vMcIoUYI.bat
| MD5 | d5dc095bfd5fa8d437f461d5d5cb792b |
| SHA1 | 257626bbaf2523095d477bc4f50d0496e57a707d |
| SHA256 | fab63cc07c2ad118ffb06f35964a736811729506c10c23076bc6dc375e163128 |
| SHA512 | 6acbc7ed12ca3b68c22f61eb1cd0b5f8e95ad8648d19de88dc4c5526ed5e01d9df568f19b124f080f9f2110f87153081a222b45e86a128cc65f7155b838286be |
C:\Users\Admin\AppData\Local\Temp\AEQu.ico
| MD5 | ac4b56cc5c5e71c3bb226181418fd891 |
| SHA1 | e62149df7a7d31a7777cae68822e4d0eaba2199d |
| SHA256 | 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3 |
| SHA512 | a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998 |
C:\Users\Admin\AppData\Local\Temp\QEoa.exe
| MD5 | 74916122b453d443108a5b7db0731fd0 |
| SHA1 | 76e41d4fd69c8df6125518ad3e26b0aab3ea7f12 |
| SHA256 | 2dc87f2388df7ba4691cf06119b8eebef0001d7c34aabb46d23963b40425c636 |
| SHA512 | fdb9a3ef4318e6e5fa7a0b27453c027e9d0693c57df761bcce9466ae7f61243b04897d6db95fe34f12a30ac7d990e72a0585dccb2ec2ca0c169bcabda7b0a804 |
C:\Users\Admin\AppData\Local\Temp\fwEC.exe
| MD5 | 125d829e76ba497dc0a5f43f3462c4c2 |
| SHA1 | 673af13692dac05e3021ad3efbc3e93f4d9c9fc3 |
| SHA256 | 3c0c11c92241d30698f696c5fd2d51b6a9049351a6c81356535e859acc4610ed |
| SHA512 | 56bc9bd4f2e00a177bf88d47cb04d80f88bcd13af1ce134adf6920a0b6dad488512d3904c2cfb04936b10aa7edc02ddcbded02316a7ee820cf22905262ef1c2e |
C:\Users\Admin\AppData\Local\Temp\rEAgUgkU.bat
| MD5 | 2aae3818710180043b5d467f6b22c4a5 |
| SHA1 | 53cadb7a535fa82742945de1424ce4a7368e1723 |
| SHA256 | 7439a44ddf5b6dbf00900cdbc039b1decce9c5791dfb92b26dbd43dca354f07b |
| SHA512 | cfb48810c07232eff4c792b484935007a273e88aee392628bae71554a09546f52eb9c3f90ed3974bd5b23b64c1a0d844338c6b37f6f607d00365c858686c9eec |
C:\Users\Admin\AppData\Local\Temp\ukUgoksI.bat
| MD5 | 5e3d6c7a4014cd2c551e4fdcc3d8367d |
| SHA1 | 7e6301e9ac0dcd15c64b96d015b8afa4b90bc0a0 |
| SHA256 | f84417d43a8307ef3f3bb3fa053b59c51673d68b404478e7b8d989cedfa8192d |
| SHA512 | e17881b2816b0f3f4032ecf02736a9f39555adf08d2f262e78b6f32713db290172e2dc0c86e8afd77b194ea56968f4e5983f2e7722b0497a76bf4ee086c6c244 |
C:\Users\Admin\AppData\Local\Temp\cYEc.exe
| MD5 | 22c3477902291df4d140e2856616ee1c |
| SHA1 | 64c5de6e5a7e385e128344648d634547fe3bae7e |
| SHA256 | c5a985b7233a12788e5b518212de75c418a87f601717da14977677df41e8249c |
| SHA512 | edfafcdd3b6c85e07d105d7a07e00b1d15adde12343e0cc456ec7d3c46fed9f18dcce7ba3bc7d79e7d320ec5da0d07748ba9271260af8cd4e7fe7a2cad4d43f6 |
C:\Users\Admin\AppData\Local\Temp\zksc.exe
| MD5 | 456c81e3c4fe8f413281b7cfe01a75f9 |
| SHA1 | c420eb3ca6da28c85ae291df2b142c4a5e9b9557 |
| SHA256 | 3e7293b6658485ee42f14f4c7441382cc13e981b07ffe9cec68db6686f10ce1e |
| SHA512 | d0694908ab1204a292ca83ef7f4065bc5b405b164925a44d58e398559dfe6718b59068d5c275888fd5f5ff33ea0dae3091575e4e7f4e8f26787b6e3cef72766e |
C:\Users\Admin\AppData\Local\Temp\QgQYkgoA.bat
| MD5 | c3f35409604a0ce9e9590f66a9a0b15b |
| SHA1 | 4f61c7a3abad8c80f53e9b14e9846844464f0747 |
| SHA256 | a66a31cdced435b74d16c10a16b3de4a148974a1fa16292163f67651c3d69b88 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-06 21:33
Reported
2024-04-06 21:36
Platform
win10v2004-20240226-en
Max time kernel
3s
Max time network
56s
Command Line
Signatures
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
"C:\Users\Admin\AppData\Local\Temp\ViraLock.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
C:\Users\Admin\AppData\Local\Temp\ViraLock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\keggsYoQ.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
C:\Users\Admin\AppData\Local\Temp\ViraLock
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
C:\Users\Admin\AppData\Local\Temp\ViraLock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jCYQkgAM.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
C:\Users\Admin\AppData\Local\Temp\ViraLock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
C:\Users\Admin\AppData\Local\Temp\ViraLock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
C:\Users\Admin\AppData\Local\Temp\ViraLock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\omkEUwcg.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
C:\Users\Admin\AppData\Local\Temp\ViraLock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ecYYkIgw.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
C:\Users\Admin\AppData\Local\Temp\ViraLock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwIQAIok.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bUkEQMgg.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
C:\Users\Admin\AppData\Local\Temp\ViraLock
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TyAAYMEc.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
Network
| Country | Destination | Domain | Proto |
| BO | 200.87.164.69:9999 | | tcp |
| US | 8.8.8.8:53 | google.com | udp |
| BO | 200.87.164.69:9999 | | tcp |
| DE | 142.250.186.46:80 | google.com | tcp |
| DE | 142.250.186.46:80 | google.com | tcp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 46.186.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.114.220.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\EEcAYkow.bat
| MD5 | bae1095f340720d965898063fede1273 |
| SHA1 | 455d8a81818a7e82b1490c949b32fa7ff98d5210 |
| SHA256 | ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a |
| SHA512 | 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024 |
C:\Users\Admin\AppData\Local\Temp\file.vbs
| MD5 | 4afb5c4527091738faf9cd4addf9d34e |
| SHA1 | 170ba9d866894c1b109b62649b1893eb90350459 |
| SHA256 | 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc |
| SHA512 | 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5 |
C:\Users\Admin\AppData\Local\Temp\ViraLock
| MD5 | 76e08b93985d60b82ddb4a313733345c |
| SHA1 | 273effbac9e1dc901a3f0ee43122d2bdb383adbf |
| SHA256 | 4dc0a8afbf4dbb1a67b9292bb028b7f744f3029b0083c36307b1f84a00692a89 |
| SHA512 | 4226266b623d502f9b0901355ff388e1fc705e9baff0cbe49a52ef59578e1cc66f5026c030df4c8a8f5000b743523ccf18c533aee269b562d3017d14af014f9d |