Malware Analysis Report

2025-03-14 22:52

Sample ID 240406-1en74scc84
Target ViraLock.exe
SHA256 418395efd269bc6534e02c92cb2c568631ada6e54bc55ade4e4a5986605ff786
Tags evasion persistence trojan
Score 10/10

Analysis Overview

score
10/10

SHA256

418395efd269bc6534e02c92cb2c568631ada6e54bc55ade4e4a5986605ff786

Threat Level: Known bad

The file ViraLock.exe was found to be: Known bad.

Malicious Activity Summary

evasion persistence trojan

Modifies visibility of file extensions in Explorer

UAC bypass

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Unsigned PE

Modifies registry key

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2024-04-06 21:33

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-06 21:33

Reported

2024-04-06 21:36

Platform

win7-20240221-en

Max time kernel

26s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ViraLock.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\fIwEgMMk\TUcIIAcg.exe N/A
N/A N/A C:\ProgramData\GkEwEMwg\LeUkcQss.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LeUkcQss.exe = "C:\\ProgramData\\GkEwEMwg\\LeUkcQss.exe" C:\Users\Admin\AppData\Local\Temp\ViraLock.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\TUcIIAcg.exe = "C:\\Users\\Admin\\fIwEgMMk\\TUcIIAcg.exe" C:\Users\Admin\fIwEgMMk\TUcIIAcg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LeUkcQss.exe = "C:\\ProgramData\\GkEwEMwg\\LeUkcQss.exe" C:\ProgramData\GkEwEMwg\LeUkcQss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\TUcIIAcg.exe = "C:\\Users\\Admin\\fIwEgMMk\\TUcIIAcg.exe" C:\Users\Admin\AppData\Local\Temp\ViraLock.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ViraLock.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2060 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\ViraLock.exe C:\Users\Admin\fIwEgMMk\TUcIIAcg.exe
PID 2060 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\ViraLock.exe C:\Users\Admin\fIwEgMMk\TUcIIAcg.exe
PID 2060 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\ViraLock.exe C:\Users\Admin\fIwEgMMk\TUcIIAcg.exe
PID 2060 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\ViraLock.exe C:\Users\Admin\fIwEgMMk\TUcIIAcg.exe
PID 2060 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\ViraLock.exe C:\ProgramData\GkEwEMwg\LeUkcQss.exe
PID 2060 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\ViraLock.exe C:\ProgramData\GkEwEMwg\LeUkcQss.exe
PID 2060 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\ViraLock.exe C:\ProgramData\GkEwEMwg\LeUkcQss.exe
PID 2060 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\ViraLock.exe C:\ProgramData\GkEwEMwg\LeUkcQss.exe
PID 2060 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\ViraLock.exe C:\Windows\SysWOW64\cmd.exe
PID 2060 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\ViraLock.exe C:\Windows\SysWOW64\cmd.exe
PID 2060 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\ViraLock.exe C:\Windows\SysWOW64\cmd.exe
PID 2060 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\ViraLock.exe C:\Windows\SysWOW64\cmd.exe
PID 2060 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\ViraLock.exe C:\Windows\SysWOW64\reg.exe
PID 2060 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\ViraLock.exe C:\Windows\SysWOW64\reg.exe
PID 2060 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\ViraLock.exe C:\Windows\SysWOW64\reg.exe
PID 2060 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\ViraLock.exe C:\Windows\SysWOW64\reg.exe
PID 2440 wrote to memory of 2772 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
PID 2440 wrote to memory of 2772 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
PID 2440 wrote to memory of 2772 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
PID 2440 wrote to memory of 2772 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
PID 2060 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\ViraLock.exe C:\Windows\SysWOW64\reg.exe
PID 2060 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\ViraLock.exe C:\Windows\SysWOW64\reg.exe
PID 2060 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\ViraLock.exe C:\Windows\SysWOW64\reg.exe
PID 2060 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\ViraLock.exe C:\Windows\SysWOW64\reg.exe
PID 2060 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\ViraLock.exe C:\Windows\SysWOW64\reg.exe
PID 2060 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\ViraLock.exe C:\Windows\SysWOW64\reg.exe
PID 2060 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\ViraLock.exe C:\Windows\SysWOW64\reg.exe
PID 2060 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\ViraLock.exe C:\Windows\SysWOW64\reg.exe
PID 2060 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\ViraLock.exe C:\Windows\SysWOW64\cmd.exe
PID 2060 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\ViraLock.exe C:\Windows\SysWOW64\cmd.exe
PID 2060 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\ViraLock.exe C:\Windows\SysWOW64\cmd.exe
PID 2060 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\ViraLock.exe C:\Windows\SysWOW64\cmd.exe
PID 2772 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\ViraLock.exe C:\Windows\SysWOW64\cmd.exe
PID 2772 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\ViraLock.exe C:\Windows\SysWOW64\cmd.exe
PID 2772 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\ViraLock.exe C:\Windows\SysWOW64\cmd.exe
PID 2772 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\ViraLock.exe C:\Windows\SysWOW64\cmd.exe
PID 2512 wrote to memory of 2844 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2512 wrote to memory of 2844 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2512 wrote to memory of 2844 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2512 wrote to memory of 2844 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2816 wrote to memory of 2856 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
PID 2816 wrote to memory of 2856 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
PID 2816 wrote to memory of 2856 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
PID 2816 wrote to memory of 2856 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
PID 2772 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\ViraLock.exe C:\Windows\SysWOW64\reg.exe
PID 2772 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\ViraLock.exe C:\Windows\SysWOW64\reg.exe
PID 2772 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\ViraLock.exe C:\Windows\SysWOW64\reg.exe
PID 2772 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\ViraLock.exe C:\Windows\SysWOW64\reg.exe
PID 2772 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\ViraLock.exe C:\Windows\SysWOW64\reg.exe
PID 2772 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\ViraLock.exe C:\Windows\SysWOW64\reg.exe
PID 2772 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\ViraLock.exe C:\Windows\SysWOW64\cmd.exe
PID 2676 wrote to memory of 1640 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ViraLock.exe

"C:\Users\Admin\AppData\Local\Temp\ViraLock.exe"

C:\Users\Admin\fIwEgMMk\TUcIIAcg.exe

"C:\Users\Admin\fIwEgMMk\TUcIIAcg.exe"

C:\ProgramData\GkEwEMwg\LeUkcQss.exe

"C:\ProgramData\GkEwEMwg\LeUkcQss.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\ViraLock.exe

C:\Users\Admin\AppData\Local\Temp\ViraLock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\fwQwkcgs.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\ViraLock.exe

C:\Users\Admin\AppData\Local\Temp\ViraLock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\fmgcwkoU.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"

C:\Users\Admin\AppData\Local\Temp\ViraLock.exe

C:\Users\Admin\AppData\Local\Temp\ViraLock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XWUQwIsI.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"

C:\Users\Admin\AppData\Local\Temp\ViraLock.exe

C:\Users\Admin\AppData\Local\Temp\ViraLock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\KGsUgYEc.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"

C:\Users\Admin\AppData\Local\Temp\ViraLock.exe

C:\Users\Admin\AppData\Local\Temp\ViraLock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VAskIgsU.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"

C:\Users\Admin\AppData\Local\Temp\ViraLock.exe

C:\Users\Admin\AppData\Local\Temp\ViraLock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\NewkUgIc.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\ViraLock.exe

C:\Users\Admin\AppData\Local\Temp\ViraLock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\fuEcYMEY.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"

C:\Users\Admin\AppData\Local\Temp\ViraLock.exe

C:\Users\Admin\AppData\Local\Temp\ViraLock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\wmQsIcgg.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"

C:\Users\Admin\AppData\Local\Temp\ViraLock.exe

C:\Users\Admin\AppData\Local\Temp\ViraLock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HoUEMsgM.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"

C:\Users\Admin\AppData\Local\Temp\ViraLock.exe

C:\Users\Admin\AppData\Local\Temp\ViraLock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LakIsUcQ.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"

C:\Users\Admin\AppData\Local\Temp\ViraLock.exe

C:\Users\Admin\AppData\Local\Temp\ViraLock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\OGoYYEMw.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"

C:\Users\Admin\AppData\Local\Temp\ViraLock.exe

C:\Users\Admin\AppData\Local\Temp\ViraLock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\QSockgIE.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\ViraLock.exe

C:\Users\Admin\AppData\Local\Temp\ViraLock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-492296468-520157240855047027-9227414-9851140481754915406-988628821-2026470237"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\JmQQgocY.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"

C:\Users\Admin\AppData\Local\Temp\ViraLock.exe

C:\Users\Admin\AppData\Local\Temp\ViraLock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\eGMgUIoM.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\ViraLock.exe

C:\Users\Admin\AppData\Local\Temp\ViraLock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LAoAUoUI.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "5156173961738984691594139561874395555-10992268924711553277771926311768202548"

C:\Users\Admin\AppData\Local\Temp\ViraLock.exe

C:\Users\Admin\AppData\Local\Temp\ViraLock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\iUIUMoME.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1569121346651224441582234913-1685112369114609692153656802116765284512024842599"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\ViraLock.exe

C:\Users\Admin\AppData\Local\Temp\ViraLock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\qkEcIEQc.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"

C:\Users\Admin\AppData\Local\Temp\ViraLock.exe

C:\Users\Admin\AppData\Local\Temp\ViraLock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\eKokIUUQ.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\ViraLock.exe

C:\Users\Admin\AppData\Local\Temp\ViraLock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\UOMMAwgM.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"

C:\Users\Admin\AppData\Local\Temp\ViraLock.exe

C:\Users\Admin\AppData\Local\Temp\ViraLock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\rQokwcIw.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"

C:\Users\Admin\AppData\Local\Temp\ViraLock.exe

C:\Users\Admin\AppData\Local\Temp\ViraLock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LakUIoUg.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1588369253-1345912685-1263044714319967532461027843458907734-1761838816379503419"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\ViraLock.exe

C:\Users\Admin\AppData\Local\Temp\ViraLock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\iEYcQcAM.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\ViraLock.exe

C:\Users\Admin\AppData\Local\Temp\ViraLock

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\uyEoccMo.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-539196148-2068934598-275619770-9427944301890760210-2104039239-729836679568651938"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-35423765911762779531529698428-5354485024407253468839695041945839030461420286"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZSkMUoMk.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1459595686461350563-20074672694264215751526276-1342882392647525357515104381"

C:\Users\Admin\AppData\Local\Temp\ViraLock.exe

C:\Users\Admin\AppData\Local\Temp\ViraLock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "148494731-1904350824-1760066680-92072367-304321142727257513-12437389991426898116"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\ViraLock.exe

C:\Users\Admin\AppData\Local\Temp\ViraLock

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\WQwEwkkg.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"

C:\Users\Admin\AppData\Local\Temp\ViraLock.exe

C:\Users\Admin\AppData\Local\Temp\ViraLock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\vOIIogQc.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\ViraLock.exe

C:\Users\Admin\AppData\Local\Temp\ViraLock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\dGMcEcIk.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\ViraLock.exe

C:\Users\Admin\AppData\Local\Temp\ViraLock

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZOMEkkUs.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\ViraLock.exe

C:\Users\Admin\AppData\Local\Temp\ViraLock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "357666901-13189651017235824521431702618-132272699877408641958970911373530446"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\BwwsQMkA.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "104409430113797935571918285751-924637500-513078953134750908518193472818224580"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "113092886216609393072060759490-20030415113507844636344679271921826738772587917"

C:\Users\Admin\AppData\Local\Temp\ViraLock.exe

C:\Users\Admin\AppData\Local\Temp\ViraLock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\piEYoMgk.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"

C:\Users\Admin\AppData\Local\Temp\ViraLock.exe

C:\Users\Admin\AppData\Local\Temp\ViraLock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\pmooQEsw.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-302133564-13093713181370759871-1475601206-1271269600205599963416180528871821856711"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\OGcQkAsE.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-55931130399752351-9954756601159350077178652437386806220212455701371641816930"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-975832392-1687381219-1593554661-150495926818641769331561091060-1872366850-1997677169"

C:\Users\Admin\AppData\Local\Temp\ViraLock.exe

C:\Users\Admin\AppData\Local\Temp\ViraLock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"

C:\Users\Admin\AppData\Local\Temp\ViraLock.exe

C:\Users\Admin\AppData\Local\Temp\ViraLock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-499361617-6147164441674081357-559725841-238350525-94232058114347559451217657871"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\nEkEIMAs.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"

C:\Users\Admin\AppData\Local\Temp\ViraLock.exe

C:\Users\Admin\AppData\Local\Temp\ViraLock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sWgAEocg.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "17297664937484569661937646591972774402-1478639568383840694175830563-577514957"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "21306911061187217709-167187882-85395002663025249918197853371053692860-1268858285"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\BCIsYogY.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""

C:\Users\Admin\AppData\Local\Temp\ViraLock.exe

C:\Users\Admin\AppData\Local\Temp\ViraLock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\nygIccEk.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "18681617357171220528742803821260732276566209189-457446051363084601-1351119872"

C:\Users\Admin\AppData\Local\Temp\ViraLock.exe

C:\Users\Admin\AppData\Local\Temp\ViraLock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"

C:\Users\Admin\AppData\Local\Temp\ViraLock.exe

C:\Users\Admin\AppData\Local\Temp\ViraLock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\JKQIUksE.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\CykIsowM.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""

C:\Users\Admin\AppData\Local\Temp\ViraLock.exe

C:\Users\Admin\AppData\Local\Temp\ViraLock

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "4422805321197445541987095830-1012142690-11001095361910720514-265099396-158537901"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\ViraLock.exe

C:\Users\Admin\AppData\Local\Temp\ViraLock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-11233284761851348472111485576918886584911766235520-190692243-10417244811933043622"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RQswgAEQ.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"

C:\Users\Admin\AppData\Local\Temp\ViraLock.exe

C:\Users\Admin\AppData\Local\Temp\ViraLock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\oaAIcYME.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\ViraLock.exe

C:\Users\Admin\AppData\Local\Temp\ViraLock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HkskQMIg.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\ViraLock.exe

C:\Users\Admin\AppData\Local\Temp\ViraLock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DgskIQAM.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "36192978497590759419823697192098970195-18776277101393765272-976766949131803037"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-2822885171396303114954765824-11464691251821277234-276929829-510000586566865839"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\ViraLock.exe

C:\Users\Admin\AppData\Local\Temp\ViraLock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RMIMscsQ.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"

C:\Users\Admin\AppData\Local\Temp\ViraLock.exe

C:\Users\Admin\AppData\Local\Temp\ViraLock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\jIwcgYkQ.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"

C:\Users\Admin\AppData\Local\Temp\ViraLock.exe

C:\Users\Admin\AppData\Local\Temp\ViraLock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\qCAMUwMw.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"

C:\Users\Admin\AppData\Local\Temp\ViraLock.exe

C:\Users\Admin\AppData\Local\Temp\ViraLock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\pEAcwkAg.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-2041616396-1850818098-1401843934-137817090742137620-1547188281182519313-1710372856"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"

C:\Users\Admin\AppData\Local\Temp\ViraLock.exe

C:\Users\Admin\AppData\Local\Temp\ViraLock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XwwkYsIM.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\nsosoIgU.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""

C:\Users\Admin\AppData\Local\Temp\ViraLock.exe

C:\Users\Admin\AppData\Local\Temp\ViraLock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\OCkMAYgc.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1361702732-566012031-23517662-61954042686339561-1994034593-1751546159-1134885549"

C:\Users\Admin\AppData\Local\Temp\ViraLock.exe

C:\Users\Admin\AppData\Local\Temp\ViraLock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\MYkIgIMg.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""

C:\Users\Admin\AppData\Local\Temp\ViraLock.exe

C:\Users\Admin\AppData\Local\Temp\ViraLock

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\qsoccoMs.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-334092717-2054284460-10279898546216259432024185753-205892739-1065562031-1690485499"

C:\Users\Admin\AppData\Local\Temp\ViraLock.exe

C:\Users\Admin\AppData\Local\Temp\ViraLock

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1457774140-13389679281011716170-5912266511282478754-9908561011988951801786223022"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\qCAUMUIw.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""

C:\Users\Admin\AppData\Local\Temp\ViraLock.exe

C:\Users\Admin\AppData\Local\Temp\ViraLock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1126417798624040949161717802015954237-141678519017075470761725647290134940980"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\UUgIMgcw.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""

C:\Users\Admin\AppData\Local\Temp\ViraLock.exe

C:\Users\Admin\AppData\Local\Temp\ViraLock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\IYEkQMMM.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""

C:\Users\Admin\AppData\Local\Temp\ViraLock.exe

C:\Users\Admin\AppData\Local\Temp\ViraLock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\TygAkUsA.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1465199849536607354781214019-132813348313493625031124619341714578651-310629388"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-17985031931549229717-214084564287104263315355944491857731811957345752-1150299370"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

Network

Country Destination Domain Proto
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 google.com udp
DE 142.250.186.46:80 google.com tcp
DE 142.250.186.46:80 google.com tcp
BO 200.87.164.69:9999 tcp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp

Files


memory/1764-420-0x0000000000120000-0x0000000000152000-memory.dmp

memory/1316-421-0x0000000000400000-0x0000000000432000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EugcsgYE.bat

MD5 ffba40aaf91e1acbf2ed7b32735342f4
SHA1 1e6d6392f1cfd5be62a722bbdc317cd211a0f6d0
SHA256 7928602d299dde46f35afdbf667d0b6b14169d67d12a4c37d83597ce227a7256
SHA512 59217020c5b889b1f6875bdaae75d0ec8450de029d5651f9156ecef9fd152cc9fafd2204c691538767f05f48dae4640cbac862d5b05c0db919d6d42cd5489f61

memory/1580-435-0x0000000000400000-0x0000000000432000-memory.dmp

C:\ProgramData\GkEwEMwg\LeUkcQss.inf

MD5 1805dfabfa64eb1117182e4fecc58986
SHA1 b317b2f40c4622f68702c9b907b71bea372fbbe0
SHA256 0a358cd476d44bb6589d0103e5d9b1c4154a3d8c53b0a7c8d53eaef9bf733bee
SHA512 1c39e32e7b7a24396bb6ca12bc43636e56b37c94191793d96028da118a29425023192941f448a3be2cce371392c4d4611222e16cdc6bb589ebad26feb1c3535d

memory/1316-443-0x0000000000400000-0x0000000000432000-memory.dmp

C:\Users\Admin\fIwEgMMk\TUcIIAcg.inf

MD5 a53ed9b7e6e576881d499a29822ae7b2
SHA1 bcfec6b18047d724ae0498cec67c324a6434d5cd
SHA256 ce751f2822537ee3b7448c8ee2a99e41ab4ec4e31760a4f5566fff4295eb7527
SHA512 0145a064b9d76ac516e63e3099ee61f0444b54be69f3251aa5999bed1c4076f4cd4f2c3c919eeeea5b7dee0ede2fbccc359c210512d9e782e28559f131312c1d

C:\Users\Admin\AppData\Local\Temp\auowUMUw.bat

MD5 0fc9fe667cfec1c84388584e3c6ebf9d
SHA1 ba241cfdf62cab1a28a8866b6069fe7bcc42385b
SHA256 fec390ff8553dac13ce4087eb2f0f64d7539ebe84538fc1f26ebf20a3c4f1422
SHA512 6e42e3832a214862fc71530224c3c203042517422e629390b1af8b18440921571bee7aca011ff86384fb8b0d4f55ddc61bc21eb2a9a6c7f207d9fbc42b95ece7

memory/1580-467-0x0000000000400000-0x0000000000432000-memory.dmp

memory/1428-468-0x0000000000280000-0x00000000002B2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\dEYMcwMw.bat

MD5 8dce5f7d678fbe489814e34fe78bffba
SHA1 4f5a1773cdbd7ea806f0cd901d2be89364c2a068
SHA256 63c0d80e5572fb0b67f47b2d2fe9c55d322a8dceece02f275f5d53522b7be221
SHA512 c0f0cb85c96d226803e338712409cce6096aef593e40d028dc65b3583ec711b494b363eb2345431702e818f29056307992944d689907b6849e4d5ed2421c50fa

C:\Users\Admin\AppData\Local\Temp\VwEEwsUs.bat

MD5 d9cf8377781756a87cef4b23d37d6ee7
SHA1 9e5952bf4df490e0e961e5289221fd7c6e6fcea3
SHA256 8812227a8e3dfd38d05b0f147f38a1c4c817291e0ca28a7a08e1d498a54cd914
SHA512 137755555583b7ba3b709bff403ddd715623a9a3ad9ae7ddd85b4126d32c5cd794926d843364af5f818fa054fd734c7a4115d31d8e92fdf9c26041b800ccef44

C:\Users\Admin\AppData\Local\Temp\SiwIEcMU.bat

MD5 3aecd72771f1153cf4b4f3899946ea60
SHA1 79031e5fb303bd612c75898d128ddb7ae25aafaf
SHA256 817e666ffcd1a3bfa37bce2b24e4d257a8a2f366c680f010fa8722846af46385
SHA512 39092757a8e04376d7d9030e6d673e2f1a530ad5e8e54f047c9d452932e635c3775c99ad9334665d1ce5a427718c9c27d82d67a608322e423ece641e4c0a5f13

C:\Users\Admin\AppData\Local\Temp\sGYMAMoU.bat

MD5 1cd4485e85ea7b9896432078a177135a
SHA1 f246a65700a8e505896393fcf4fb10de2df37888
SHA256 cb83e5d12b8577f7e0a22351f20270e4af70709911a7903ba4a774e03509a124
SHA512 edc9cdd3d1c967bcbe92af87c105ee28739a6717f07b25dc99a4e14962e7f07f04d5b9ba9eeff1af3901b9ff86a74537d43619edc29138076355ba8ec738464a

C:\Users\Admin\AppData\Local\Temp\QcMIoUMI.bat

MD5 9eaf079d823e21dbc01da28fc80d0126
SHA1 9e5293b65dfcc4205e6cc1f4789ba7ace71fe898
SHA256 611fc7c1bccc3b2996b41f6f3daed67d7cdcc402d8eeb3a27a0b2f8f17d46ffa
SHA512 c30f13a999d514c93d83a9afcd25baec395e1282ce38cd6be4fef5602642ed7ff48adb73c69b82551116de9612cba585da98a0ce371039dda4dcfa0c57a0bb2a

C:\Users\Admin\AppData\Local\Temp\nWkIIwso.bat

MD5 248aa946bfcdbcd95917637f146dcfca
SHA1 0924f37f142674c5b3115381eabe7d4d43fd3729
SHA256 052bb575e052e79a80c6f8a874696d7b8e4e0d0d5d50b4424c04ed549fae2f16
SHA512 e82c4050d75f13cc18668ab2d6084fcc16cd167559dc3f23fe7787b794bc7fe19d7359bfb37b36dfa594ea81a6979b030145ca4e5a76b9df46066b60cc2315fa

C:\Users\Admin\AppData\Local\Temp\gYAEgAMc.bat

MD5 76656c73ba69f944f631020f19eb406a
SHA1 ca6ead4bc47b2ee0ef5495c1e6808592e34ccd84
SHA256 8b6509d1712fcf2cdd2e7d1e946320bb60ffba9182cff1fdcad473f1f6c1793f
SHA512 328be7999a173e14b91e533fb3fec36efe52a20a89b4534e6dacb4a8bee3d3a04e770c0c069780c444da0933125ec87f81139b8577ad9a165cc61eb9e6b2ccca

C:\Users\Admin\AppData\Local\Temp\bowscQIY.bat

MD5 e949ecf5e8587c27bcb9f7ad6f17724a
SHA1 ff5ac0b6df7b059b8e5ab877efe8b9abb0e275aa
SHA256 e8a796ff21e2011dbac34e4e31989fa2c789bc0e0e0b0428bba36c5c3931033c
SHA512 b45f6fb4cf93e302297cf628a03728a58617582e0159f20b7c160a3ce085d005c69b113b2743d7be4d2e0218804b86ef90965200524bcfc6c6a394b2a1f7e8bc

C:\Users\Admin\AppData\Local\Temp\nsEYckQQ.bat

MD5 7cdcf54d2a318a043b311bfcf5ea6081
SHA1 799e04122634d89bc2468a0c34ecb4f515e94195
SHA256 d8d4faf322784356135afd255237a94a109a9853a2a5620e35362524a1a78696
SHA512 592ac0e7802a16227cf4d3b2b95f0a3b768ef9dbf5b8da40f6d1eb90d7c5e857bd4c209d6598ffddc9e38cbcdee33e10c0dc567d0a41ff55a865be447121b47e

C:\Users\Admin\AppData\Local\Temp\dwUW.exe

MD5 ee7435536b1b9e0a9f97359082567895
SHA1 2d3bf383187d005aec0d19ffae7b45f7f3628c95
SHA256 2b198a53dd5574f772533c45946b4e5fef981195f648383e4a5f5c7e721fa08d
SHA512 b7c369e4b930d220cbc5f8f62a16f3e7d7492b90323aaf35a9f06a9eaa48a986bb8ba27f2f3dc300d5140b92037f1fb0ac500ca4778564cad702a3434bba3cbc

C:\Users\Admin\AppData\Local\Temp\hQAkcccA.bat

MD5 2a97a36c1bf939c82afdcaf0a776fda4
SHA1 50944cfd5d17dce56533bb6424f9f87c237b5072
SHA256 d0522cda57087c1cce4f1728aeef1d38467a7c5b4e26dca97fbb2d2991fc7468
SHA512 ebde1d90beebaf03ba361daccd6a5e2c868315901f9e423a1140ccdcf0a358b60d63835842bcb666a11c754a19c2ce74b1cd73ef5c4d78da388aa6246c354256

C:\Users\Admin\AppData\Local\Temp\JmwEIYIE.bat

MD5 0a30b91a48f736b85944039b3458091e
SHA1 a8b7e45f0b09339ff4b6c8ada9a9c914c65ec145
SHA256 00c01058b278f8a26f30331c99e041b8eafa6cefd67b26eb2e0cc61e745552d2
SHA512 f71c9a680ddb05e0f64b1cc69cf2bec780c2fb93b16f2616dc3e9f1314bd6d7bbb2265f351af68bd4e3dcb334dc62b392c6aaa82ebf270d3a58cd6764d7de654

C:\Users\Admin\AppData\Local\Temp\tikEYwMw.bat

MD5 0c64b43d3bf82cb6f90bbdba56b66153
SHA1 ff3b8159b6803e017cd295c2c1839f23bb0017d4
SHA256 a4619ddd9546acbafdf3bd8448d11170286a99995f90257441c79e17248c37a4
SHA512 80fdb9ce2b88fffbff3ff6a248969e375055308b166a7ad6dc76d20e9ffa64d270f486cb51b420f4ed3d44e5148c73513f21b1e42d84d58ff0f8a76f11017478

C:\Users\Admin\AppData\Local\Temp\ZuoEcsgE.bat

MD5 dd38058fa5bf94a6a9bc758901ee67e7
SHA1 5113c527d52707c8f35527e93537815165e684d6
SHA256 10f61a113a5517a8c81ad9718cbe00884d5c46cce57e664d740221c019f74683
SHA512 49ae378c71e99d9fcb327256e519f526ede141b097bae107ef383dac20fd457041e8824fde13b877201a99765a72b85aa277b52fa792120ec03de720056d2add

C:\Users\Admin\AppData\Local\Temp\ZooYgswI.bat

MD5 e88ca39c147451a657bf0aa5507a486c
SHA1 0e1dbe0f637b993ee8b2343a3481ef46f574e47c
SHA256 0b0abdd605ab4789ae7c70f0677b9c33e0594b6eafd0205f9edb03230ed75800
SHA512 e915300cd98062e9e46664952699a275d991b15de69533a4f84fef96efa3e79a78d4909ae3e30dd1a065534f31de9b3bd7e2199c486576b0677c4cb14b7e2e4e

C:\Users\Admin\AppData\Local\Temp\NMMokoUM.bat

MD5 98003f772d4c04f00564925998b4a612
SHA1 ef96cf8e9e76dd9592dc7889d841b8d32bb60e27
SHA256 e2032b4f4f956af8fd70e5c3a368350b7dc8b6454006f80d04979becb5093828
SHA512 18c7fd7433e187260b028fcee55d3f7817fbbb14b120917d1fdd442a472da516b2a212ff52e84b0b7c7621b031796c117e6df64791325e3423e50e7fd62f7e7c

C:\Users\Admin\AppData\Local\Temp\eAkYYsoE.bat

MD5 8a5a552255591cfd696dde93a97d42d3
SHA1 50bad31f0e6bac2907b15f3ceae66aa89a045fea
SHA256 d8e06f07b3630c36965ffeda7418c4ce48696213f5b9e8b68ec408b0409b377d
SHA512 be80866d77f61c8cbd3dc9e8ed04cb52a5d638c2aff9d517b00c365407beaa1a75b3d5b0bf8f3444abac02895ee1c88bbda1be156fe44e44a410984f32ae4982

C:\Users\Admin\AppData\Local\Temp\tMEMAUkw.bat

MD5 8e110b0f67dabe06a2726e1da35b641a
SHA1 12899603ccc9b4fc7d3ad4fac7a5db8971ed3ac6
SHA256 e92c0892aae2481748856200fe32472e22dda6430be7016f3d86e065d6f488e1
SHA512 39f4f68f5420e04541a074d3a370217467059d879ef05449382be8bc76b11facef8a3cf9a01aa3a5fe82754924672b43abd44623ec6b28fea46edfed415ed1db

C:\Users\Admin\AppData\Local\Temp\UuUsUcYQ.bat

MD5 65b151f566f33949fd4d76057da3fb9c
SHA1 7c4027bb285e5fd6a2c79554e07fa1f0b658c230
SHA256 5c34c25e7274c7c8f685f6081f8fc9c1422816ce2a6d5365eb45c63979cd631c
SHA512 c7a6117bebc0c26a434783e7bc84ba6bb9bbc016061d09c19e437d72ce1d4747394abbcea2c22414cb20b14e3ac8604887fb40486557afec848d7bc3c5156547

C:\Users\Admin\AppData\Local\Temp\zGoUAsEE.bat

MD5 3b51052c4462286e411e4572081e3f3a
SHA1 f2759f6de7f2f25763597c623b3a930b97d72168
SHA256 6f54733fed230a2b8757ead6e166b4014a6eb03f442f5887afa9524d1fc7916a
SHA512 3996b0fc30602a5653c0dad2121b22069b43805a5a8a15f8a08603a16dec9e9194420c7ee3339d6a720d8b3034257e69901e873b83814851944a8171aa30d48a

C:\Users\Admin\AppData\Local\Temp\XKAgkooY.bat

MD5 9259c8756b5200693db0153b7e30791d
SHA1 94b2bc27e340e2a72d3e023f735a48e66123ab79
SHA256 aab5caaace560ee72fa1d7b39cf698dd3a4fc42040ba8dfd225e8773db7d5129
SHA512 5c8e2f310fe164aaa7357659efb34f3c861960fceaee0e501b2f35f1450267b5de1bab1a9996c1591e48ab8992425a45756e73bd3d1d9bd27c037387b1bf8089

C:\Users\Admin\AppData\Local\Temp\umUMYAcc.bat

MD5 60ff1c596299c51d4c16f650cdff7338
SHA1 e25e3abbec7e1c0c795c27e244621d5921987ac5
SHA256 9191091ecd1d8f69a1c51391a15ef1e37a830c052066a9e1921e75d78945ed93
SHA512 369f9038278cb2a28397f07c7dcca3efbcb424c2048df466aa2fe25103bc5d3eb81f7d17be1efb631cc1b1e8c0abb1bbada22ca62bb5ab4a0c58c0afa4a82333

C:\Users\Admin\AppData\Local\Temp\HyscAUIY.bat

MD5 b3e8027ecda6dca13987aa3485bdc206
SHA1 4d5332bb549cadadc271859c7d71ce4b7ebb5ecf
SHA256 70fc8ae4a94aa0bb26422d69a340842c16b7c5006c646e6d6e28db59213747e7
SHA512 dc0af33cb3e60b4ea3ee9fe8275c2b15d169c8ca12d8e800210a92b1af82cc72c54812411f87206c2fb2cc62b2fb101e9229070ae6c88dfcbd9f39ef1fd7022a

C:\Users\Admin\AppData\Local\Temp\iAQMUwwI.bat

MD5 886d73f46d93adddfbd9e5f752a84eb3
SHA1 d883da92e5ca865998e2ca3d738a04c04a63dab2
SHA256 3d8b26b4f6c504371a6d8d9dea46fc030d3d07f89e48dd4dae3109a56e3c06a1
SHA512 ad0a9530e091e6b825dfa8b0d92bd9ac07c907c19f61681381f708b61914b29fc5e4fdfddd08ea59e6a46a0b99be76db0640d5f6c146a932534a65bbcf5ac980

C:\Users\Admin\AppData\Local\Temp\HywsAYcg.bat

MD5 c3089e3a3ea386c1a3d7152b62d2cd62
SHA1 3b882096fa41d9e401cb5665a50683eb1ef01f9a
SHA256 0879b0f429dcb670dec5fdde81bf98b099db55764b7ea4bd82203360244fabd0
SHA512 1744e4580d21974eb1c3a017f3c867348d4d402786ec7b3c3e9a06fece8565f5ceff68cd95b045b52c5786629b1e616f61e43f34089ff31cadea13e96b57e215

C:\Users\Admin\AppData\Local\Temp\KwgsgccQ.bat

MD5 f8ed9da1542d529be8d8de3b3c020ee4
SHA1 f196a94aa8802cffda1df4d7221afad2209fdd63
SHA256 9326cc10df86cf302b8b4b9fbfe4be3f9d84624eb43b88f3ed092e608ba93bb7
SHA512 2265297df1582240a6db15aa81fc60e1483739ead8665012e8a5e47f44322c6088e955317f15ed60791da9c9a3e80e3dc7325629594256157b1b50489c176dff

C:\Users\Admin\AppData\Local\Temp\QsIcwAIA.bat

MD5 47c43419c181c9495018a48e7ae4b828
SHA1 5e0f90d987adcb9b3b607cdc20c0a22f675cb41b
SHA256 2d0b6033c4c4772989eaf1f2ac0581de6800291a805c31bc8df58d27799f60d9
SHA512 3643df4f696c6186da5f1671bf6a7cddb0c4962f8f6d053eeb87ec4f325a7b451da87a73ef1dbe947d3b66fb06bb748488ad7ca47d17319ffede9d0e677714df

C:\Users\Admin\AppData\Local\Temp\zuAYAMgE.bat

MD5 95e48ac2711c02a3336f11fe4f26a7bd
SHA1 0fa8b5f994b08b815f583df3ebe73e8587ccaaa9
SHA256 da093d9174a2a4605961e47edbaec8ac6479667cd999eab9433106711ff69ccc
SHA512 ca52ff98321744b1fa08fd91fb4e44da3f1691e408e198b3479e8d22da6caf17ec9e13cc084687fb1047492d8be4de396c9b2f8dc592f8d2977a33734861f96b

C:\Users\Admin\AppData\Local\Temp\kAAocIQo.bat

MD5 37eadaab2317b4e7e178454741c28187
SHA1 fe5ccfabfeec5cb65f692e7218df4909f06bb7ff
SHA256 7cd1a8e916dd17e1a06e14a16d053c428ee1b4607e3635031c11cbcb6b1f8f85
SHA512 cc66b21d974b7a9857e18b0da72fe21a203001ab9370707c666bcbc63fd462bbdf97f3e27d16df9e84e880ed40a689260ae4dbd1632c5d060b7c1e4c26968dcc

C:\Users\Admin\AppData\Local\Temp\RckIEMYE.bat

MD5 997dd00d9531c432abdf3f481a4083ad
SHA1 1c31b8b21ed5aa4c18dc5230e48fc406788f7f71
SHA256 12b1018449ef943371d3205e5733f49510d4a4476a171f4361054c857b2f7eff
SHA512 449839006591860f6598295c6d93b906096dbd1b4e3b87beba3e00334ba1a89d27278ea53d4f1ef3c058f3b5b3fe47b5bb16688382aebca7c490bccc3546e327

C:\Users\Admin\AppData\Local\Temp\MyUsEkkk.bat

MD5 9e61d89db2333c6775cdf92b68eaf4b0
SHA1 f969e6e78ec374136a33caae01be82fa42e45cc2
SHA256 c1c5cf1c68c40567a3780c2040777988a2f7a8e888ccf57b60bb05b0a291d6e1
SHA512 f0625a31aa4fe0266257d104726ad1865e5c4c0b5362acd984ded66bf3586c70937b4e1386a3e1cfc78736d45632111f2bbe7b96b0cf08ebe7cc3ce6b344d84e

C:\Users\Admin\AppData\Local\Temp\IwUsUsUE.bat

MD5 cfdfdd2a4221634dea4d4591e39591f8
SHA1 55b4ffa5502848474ab76951975dd355b7b74e40
SHA256 2e4e673bba67bebed4a7a16f230bf2b9658e448dc2b1993c399d0cc413b1441e
SHA512 a44bd1c83c8040b43d668fe8b2a7254a5b7974eee3cc116532fe3f1f78794c78b749b008526165b6292a72977959b10ea1061543c06016b4676e922074b3b553

C:\Users\Admin\AppData\Local\Temp\vAcEEkcU.bat

MD5 6fb34f0fd3db1ab9399dccef287678f8
SHA1 7d7f5eaf95a847fa90ec1445e6bc799b7eb3daf6
SHA256 b682bc80509606fadc463a51f2ed57a86d115926a6896ff218d690db3a796ccc
SHA512 9c36e82c1b2c35cccb35c914acda472047c3c7374357a0118dca7d6c3852a579db7cb5d0404e70cbbcaac1a1cb9d9f0c03c0eaa0e3f28e0d96b1a42cbdb80bc2

C:\Users\Admin\AppData\Local\Temp\oYoMIYcY.bat

MD5 7ab2b1610b31de47b60b42ee442bdea1
SHA1 365f5165cfe925070b152dff244fd2a146eb0049
SHA256 241e1c6ff51a3978f83d399109321f9c453d02f378b48ce9dcd0e6bd0a1fba96
SHA512 fbb10bf7e1765c5617e4a3b65cea5e2acbd28cb267d941286239838a95c5824927f054aae7a0f8cf154f8085ef88f56c8db686f35a5264716d1e81710eab29d6

C:\Users\Admin\AppData\Local\Temp\eogIkkko.bat

MD5 cee08d68a760d7bc274e69459569b6c1
SHA1 f815622fcdd1557779d5b32c9db38ba89bf17941
SHA256 ecf58b45653bdb1ef095ddb32400d3187e73b6dd5882c729910ad2ee1fe805dd
SHA512 1bb69beb36e8414ee68822326c6ce321118592e47ab437a05d1bf77547227dc9f556c4af0f75a3691495bbfeac883517a9e22b3dd43142a654fc9e5abee9b1bd

C:\Users\Admin\AppData\Local\Temp\TugMcAkc.bat

MD5 016609ac3b8cb05e249589e1730b4c4c
SHA1 a4b75e2d322ca6a30621675a4cb44853799c4239
SHA256 20cca6764df51ed854aaf3193115236b550d43fdb8ce2b5428874a82c8269745
SHA512 15c90a7b27a2f280b4d7df2c873c0125f139a4dc8cc265b47a54eddfebd8b83a47d81ac0869e8423c1124ba8f30d475df86d2ab6c8fa3833cc09c912d62a2c28

C:\Users\Admin\AppData\Local\Temp\dcokQkYA.bat

MD5 894a5a3407b88a39fb033d96de371cde
SHA1 9270a5a8df154efd060b7dbba2a46260c43b0a7c
SHA256 cb76fe8c96b38a981fca100aed46d291ac75228ff1208155d3ed2b3314123f46
SHA512 95bf55188bb483214888a49d03f79e29920f0124f3269f20d409bfe6396dfea71bfa88b20b5755dc6a3078bd804e0e2e371df37f6824b720e3e7822d6e62ed65

C:\Users\Admin\AppData\Local\Temp\QCIEsIAU.bat

MD5 a46cd446dc367a3fd42bd179c2d58948
SHA1 bb87d82e077f443e6e13a52d62b52a44d732ed16
SHA256 0f79aac8756b8ecbb1328a8f4fadf800a0177b70fcc469780f4ab83c700861e6
SHA512 69a89c59191dc993555dbe0697e212048da9dcc4a7b77408cf8117f1e06cedb7f24426bfac5e955d0c45a5eecffd9ba90c411d6c0455d0aebec8a02460e90666

C:\Users\Admin\AppData\Local\Temp\UiMwUcEk.bat

MD5 b1e20c85131f0893eba42132f893c889
SHA1 6d608a0b2922038e7cf4c665577703ca3f8c1d0c
SHA256 43f9910510bd4164436c14e10861b6cf732be93c3913783aa239df63d49e9162
SHA512 faf61b855413c56afd83c1810f311da260c40636391a1c90aff256c327b4da94c24b6c5591dd341057eb2912d96c6e5ee8aabb7cfb3476c7f2a20053fd26e6b2

C:\Users\Admin\AppData\Local\Temp\fGUUMgUE.bat

MD5 9c535bf5f3c79fc5f7f41043fc293d9c
SHA1 7c1991770193976909136652de8d2c38bad59360
SHA256 51fa08b4b78dcef50ecbaf2177e692717b564d50a5d2b79e269eb3c013a5ba25
SHA512 12ea8ec29a0cac1507ad288e382b6b53b813d74255847d8bc2235de6e4b78b2c0c703fd167f3d9d9e0667e094ceadcbf2ffc6dd27345dc62b3ecd81dcab11ca1

C:\Users\Admin\AppData\Local\Temp\GYoEQAwY.bat

MD5 63e48abf300d90fdb4acb45dcaf31dd6
SHA1 bca005410c5259deafc8dc81dbcb553123edfec3
SHA256 169063e190207d4b6e03db2a8961363c3ac8659e048d411bc589cd2aa1ae5fc9
SHA512 76aae27bc6db09fbe2b7c86baae42f2f2f8444db3dc3b47860becfcb6381c5e0d21bb99b69944c4ea39776d875180fae6223a29da0e1dde7c2126d27600d07fd

C:\Users\Admin\AppData\Local\Temp\lQkUcwok.bat

MD5 b60715ea3667e611a9f299ccc170c3a3
SHA1 c4354089f5833a67cc5cc841461adf2c0c402442
SHA256 cf531dd17dd51e1f12689779164a174e194ce46e7055569e49659eaa7462a3d4
SHA512 9e721bf045278f15e1c661d9afcef5b2b3adca0cb10edca08f61af53b150ecc8fa741cf36c372594ab762af5af38b702a3d0399f0cefc7ebe975320f5dd5c9cd

C:\Users\Admin\AppData\Local\Temp\VqcEswok.bat

MD5 5e6a49ed4d0b8e8d756b7ce51c85b151
SHA1 cea20171823e5c486fd4fdcc246f7757f8ea0ce0
SHA256 e38683ac20249ad45b831720cc7e6b2cd4f3588f7f807c659df355e64fa4ca1a
SHA512 8bb76da3ac1fd04045f3d0062802a714a550d353c481173d051531db99398fdbefa699b5694aa7c5eca9681c47504bf8e75d993b7a4bde39b1d78dfe64938543

C:\Users\Admin\AppData\Local\Temp\qOAgAwEw.bat

MD5 ba20474334bc8df822e54038126ec7d1
SHA1 393e719f8cfc7c07a73ddb5a849ed461564859ae
SHA256 eee90b2ff5cbe2040f1ab5fd32d6b7866f366ee1d4faf6074c9381aaca994c02
SHA512 c24490486f94ac6e51bdd7e65a753e9ad090bfcca8c28b21702736529c527f9349912967d3af0f32b92cb030a61835fa838640d38f9c506e296b78bd1c42ee39

C:\Users\Admin\AppData\Local\Temp\UewoQscc.bat

MD5 d2f9ee0753aff03a977928d620fdf96b
SHA1 a6972497a80c9e0b7efc639dd8819321540d5b6e
SHA256 7819a22687c84a7afb264d90ac0741d93ae31f50a85c6be754e78b64c2d5705e
SHA512 9a85677b967c200fe771b2b256b9601d50ca56d3c1e588221772b51ba96d93c0dd16a53117b13fe70d73f81745b55c60a46516e54c4d9a8b903de3d90fca9baf

C:\Users\Admin\AppData\Local\Temp\YQosMsIc.bat

MD5 7b1269180bfcf09c06232d1bb3a42717
SHA1 224fb454d41214fa7102e83bdc0e30c493c4a86c
SHA256 ab0c29de3df9aaeedf04d7c5fc4f7a4803cf40ef428b3a7b303d376a8102b304
SHA512 06f487917df3511f62647879818786547f2260fb59c972c5bf56053c15a37aba108345d6ddde11bbad69bcb28756a48561241702ea668d61e8e40eb267d8e838

C:\Users\Admin\AppData\Local\Temp\VUkYoQAg.bat

MD5 299f83cd3263a3b169974c80fd877ebe
SHA1 d52e5078ab9ba6204248c14c7420f47ccbfa04c0
SHA256 0d477aa3552a85983439bad3cc799361ac167e0d8667f6f3600cfd871f6df67d
SHA512 2021394131439572037dd4c6e477f6ea4bd6a46de26e17136ab40d51f71b4cd7fd3685086b7d303a191904b5b7cff9b66815cbb57756fccffc7a64aca1618072

C:\Users\Admin\AppData\Local\Temp\OQUcIUIQ.bat

MD5 af3d425309c93287d7791b426d34ae67
SHA1 5fff5c8052d38b5632321e108e4464406f0a3071
SHA256 8327bab7859d1d28f2820d9d349333dce06e0913a0527a04889e821ccbec2f9a
SHA512 046da4e269f88aab67ff81b4e22b32bc994d812908e1c546c4209ca67ac4b282cc1930edb3b625bf9067b921643a7e8bfa3b7e93d4bff1bc117b14bc2b62715f

C:\Users\Admin\AppData\Local\Temp\zksQ.exe

MD5 dbb96ef697ac8c7d575400d247ae15fd
SHA1 1ac1448266536de48d34882c4882731238162088
SHA256 07df8094f53046be2aa42650c95d0877a193e8089ded8b7fb3816b0ffb2f19fc
SHA512 fd7413fc0b67df478261715468188e11b8f9c5d9c7b38790cdf7ae8cba11b7d4063f4a523a6adf002ec11dbdbbe3c5331c9ef62c9f3642a54f636842af5113cc

C:\Users\Admin\AppData\Local\Temp\AEMk.exe

MD5 5dd2dd98d766f95a5409688f711bd543
SHA1 f33abcca670ce14d965b2d2c86755fb2225fdc88
SHA256 9f7ba1f23d5afe51dbf62002d2035331c7586ca7d0108d7e363ccb579ba61f9b
SHA512 51ec13fd155dc8a2344d8742ea75c4b57da5d39225ff950abb0e4f9750462967e305271a2c5d6174003fd80395920ece20b949daf320828dd517e11d153d0038

C:\Users\Admin\AppData\Local\Temp\FUgU.exe

MD5 4b4103dcd5fcad5dd4f61da1a281faa5
SHA1 07c6b90d8e93ca65c1cf652c59bc8e2d14bc8279
SHA256 f05c9ca15f65acbf1173e19c6a3877f798c0b80985948df402397fad314e0e17
SHA512 4ebfe7f8a212cba14763acf064b036600f5362639c919c5cc10e40ac94bc2c68c3c70f456be900e0e7498104cab97b372fbd13a7cbbb209b0d74d3ffe0c18659

C:\Users\Admin\AppData\Local\Temp\woEU.ico

MD5 47a169535b738bd50344df196735e258
SHA1 23b4c8041b83f0374554191d543fdce6890f4723
SHA256 ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf
SHA512 ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

C:\Users\Admin\AppData\Local\Temp\UoQy.exe

MD5 155ec0ac66d4701614d0a7c7ceea09b8
SHA1 add26c77c7afd2bc013a007e474e7de27bbca35b
SHA256 0925b9a57daa16fe7481e3cdbe4269dace2a1cfc18f6f95b8d43c84710619ab1
SHA512 79218a8ec367c4a47581847c56ef73674f8c266851cd92be09e9b4b2177a929c96619ff6bfa418f31e5c2afaa07722dde729bac2c4a4f3380b2640ade51765c8

C:\Users\Admin\AppData\Local\Temp\jyIIscQM.bat

MD5 75dd8b06f6e703eea3d955b74d000e70
SHA1 99a00f50ac1e898765fdf387007b6436a23754ab
SHA256 9417c93c998871abf9cdd96075d6d977d68f1fce24e6f8dac40197d182fc3977
SHA512 fad20a31fb15fb4d988b706d6ba05061bf20690c2f94d7bd0c4367f7af7eab97321098e5c9a1ed9ff4dd796123e9e43971ec886f4d4afce47ee552e5f1d91c2f

C:\Users\Admin\AppData\Local\Temp\KsAw.exe

MD5 3950ae20bcfb86ed174cae37138c37d0
SHA1 9df621a21a531588a132d1ad0d503b92a6707ede
SHA256 beb12a065f263ab9d1d487d2cf3e48a7b472f07a01bf215835e0e2bba1b86110
SHA512 fc69527cb8923104506c5849966ab4599e59365f3975fffd71efdaf18057ad2c2d16a92c1914f05fcb0481997697fe4eeb7773b8a9e80928e04b9352d0ecb016

C:\Users\Admin\AppData\Local\Temp\CMUs.exe

MD5 f99ffa7d84352b9c1c732b72b0f4b7c9
SHA1 fedfe7d7f06e71bbf4baa801511a591a36803a2a
SHA256 e85f2c299860955b2825c479fffd81f6482c0c4abb056709c63ac2df41ce798c
SHA512 317ff59074cfde7f2cc6557f2e912fbc6f4667f806a885ae43838eb5f128ea66ed4467de62a8b67324cfc1d2fefc8df11e5a9be91c0a245cd2e6c1f7a9514abb

C:\Users\Admin\AppData\Local\Temp\hskwoAUE.bat

MD5 fb48284c75b87e214e35c1be58bb8c69
SHA1 8e39888d9c521c8fe838202b57b43bb8714f7789
SHA256 7a5f805dcd424ef75af6150f49018fe38d58c47095f9fdf933719cbdb5076b01
SHA512 8c0c71d4cf2d4b7e328c40f7309a78ad70aa4b4bc9701c339f5d83131e782a54b857fb1ae7dec20426aa9f7fd41808422eb219ad7754001ba7381b4f23a071e4

C:\Users\Admin\AppData\Local\Temp\IwIK.exe

MD5 4bf31e6a86c9ea791fd5a0b655072397
SHA1 7da4a92bbc51474f75602e155c7266fc3fadeb14
SHA256 54837adde32cdb7b21534335bc02fcc0ea80a596b497e23e55857eaabfac1039
SHA512 9e97a07ab1cf8127717c41c195526a15e4f59ae0037a34b7816cf16abf2a9939731cfa89419e0337db0b8e5a7940aaf89ce5124c4567a707b3f129c6e89dce42

C:\Users\Admin\AppData\Local\Temp\YGYYUgsY.bat

MD5 80a6d28c22f70e1e853c6b60bbc82907
SHA1 ee731af8dc5955637e20dabc294b815eb8b2c376
SHA256 9b2ae4b1067640a0ea7bd255d8104cabeb5434042cb5c743923d00405a363c9d
SHA512 0f0b86f3ec94a8e92457bb6c1d93f5c9233565d15f67c33f7acea23b04454e67cef90966d395ceccd498ffcce09cb60aeb094982ddffbf795c6232f533ce5d1d

C:\Users\Admin\AppData\Local\Temp\kUoO.exe

MD5 420e7d39788f858991c6c9abc4858567
SHA1 320736b0dbce4f91daf1f6271f0b81088fc9bca1
SHA256 f8ab11c8c4a24516966a0b1b8b8934e4f7968d60030b1959b05a1c1934badf6f
SHA512 12c5c2455367bf61badb9fe5f8b86a2c1d47d4c004f99a0a639431339882cb2809de4f126ff67322df5383408cbdf788a7571000e7fd827a40daa792560f9354

C:\Users\Admin\AppData\Local\Temp\joUi.exe

MD5 369c08d75175653ea0269bc0ae6153fb
SHA1 005f976990b9e0230eee7228594330a6ed776e9b
SHA256 34fa73834830573769e9cbe1b9de0219a0526c22805ef12d6ad9811401213368
SHA512 9ef5ae44214ec7317deb13c73f9ffd5b428b1df6883798f0bed811efac94c616a12430276e4780b6aa524ba1d4a788c28d019b5e3841e106e9984b5fffcd7393

C:\Users\Admin\AppData\Local\Temp\ygoI.exe

MD5 8ac3ad2d51f71f97f7d129ad444d29ee
SHA1 b7c23d3ec486693186d6b0a2d8544abd36b86589
SHA256 7537f5ab3fa9354daa5042d7324f32af364e316bdfa361e1e27e8b4b2fd6a224
SHA512 ca69cca0f9661833b32b9e4094647a712fae5a4b3c08366de234a51f98610478545e599ce1345b94791f893ce1006a45c5c2079c59b594eac8822fe95146b479

C:\Users\Admin\AppData\Local\Temp\BQwq.exe

MD5 b7736ff3db8c56f21b5f8f625476e72f
SHA1 9aaa7c705cf73f6a60fd9fab25647bbc26a1ae01
SHA256 2c3e10f1499ea8cfe9c31b35dad6c5d7488023d7fa24030ec7a989a405c2cd66
SHA512 371e147436acb0e78deacf014c34ed6bbeb787fb4a54e0f6639e69e03b7a6ff4e6ec52279589130b8ad9d339e1febd3391e626629db89b6ce7ca0ea17eb528db

C:\Users\Admin\AppData\Local\Temp\ZIQsYEYU.bat

MD5 41d22427917723d197363cce78d08d9a
SHA1 38e4cfa2d7bbfe6effdc2df0dbe2c6e3e2a63e7d
SHA256 6e4300166b4a2320c87d09fbc4a8c303dcc3c894cac7edb02219723abd00eae5
SHA512 7dcb207e97b59694673698ed5b6853454cbb583af03224b0c0f059d86e2c5a818328a3f16db7fe726631c8cee097b16f57fe4411d1d70c6d38406ec6e8ac4396

C:\Users\Admin\AppData\Local\Temp\owYA.exe

MD5 bfe68cc67f5033185a6f7ad9e5dca7c3
SHA1 52c37f69a9cd645d95d635128583c1e1479d3ed5
SHA256 f4f2b86f6ee1133c721d2345e0bfb49429728671fac75ceaef72a3d2b5aa22fd
SHA512 8ee281087401175b5d883ac361867aef42f33f0581b8794434f3cbdf910c113cbbbe42d5d9107a34c61380bcebec99ca40e2798f6414177493c6f5a09b1626a5

C:\Users\Admin\AppData\Local\Temp\ZYso.exe

MD5 8a443d0926ddc9ccfd0ddb4cb0cc5da9
SHA1 3606b4571d2c642323103a1e207e87e1a8c7af67
SHA256 ac7903bd2a2b1b2fccd25035dcec0336c1db2eb6b1c9fb9327f4a3d28870d913
SHA512 9799458526e79e55c1f03a02949c52bb1005ff482ae3f1b792152310e6b22a3f34d5502ae9c0e1cff9dde28e52a95e88845124c9a74922fedbf280f46bbd90da

C:\Users\Admin\AppData\Local\Temp\vYwa.exe

MD5 29e888312a6fa54581451f829e889f44
SHA1 8d78f9d7a1bc7471ac18fca3c1544cfa4c7bdb88
SHA256 93ad30cdbe9c14c0e81cf888f6e670eedd4afcd241661ea101022242868c8d53
SHA512 6c96f2def7ba289fd62a777a8c15c3182a56df997678222894a6f5ffe436114e70ba767632c74da5109c9c05b6be9b725741939c053c7b02aff4bc88da9ec086

C:\Users\Admin\AppData\Local\Temp\mKQcsgwo.bat

MD5 20fe2be58a2e46d530f1ee3fe7de601f
SHA1 5e4dd0cb98ce20c96e561f2f5b70831a82ffb25e
SHA256 b9ab72bed4b088bd4ea37e7afaaa6a89e6a1a871cffb775698f661af7540d512
SHA512 69e4956f3fafb8249d3eb2c74c726cfc89ee9970daa230ef9f94549312b42434049c419a3830aa8099e168ce044b4ab3a344c4c2b3b14a4d70d2ba3b3cec69e1

C:\Users\Admin\AppData\Local\Temp\jsAa.exe

MD5 19250bb02c401f02c1b9a1112614d4dc
SHA1 0298f067669adc133e2b6610bee6c20c10f09dba
SHA256 b2131553c66f4f44c803eeb6f5db96ae5b426ab9773150e3090a3a848161eec0
SHA512 b3b2e624b4e3e0c0473a8757fe051f663c2b82e623693b013170db7bdacd32566481e3c021339b38582d1b3f5b3ecc62556471e30acb7c14432e19ac55675e3a

C:\Users\Admin\AppData\Local\Temp\Mcoo.exe

MD5 e57514d1768e1cd7a863b1ba45cd17b7
SHA1 ab95b3cdfa24abb2632bb41f4c92d0bad6f0d8fe
SHA256 4af2bb95157a1e76469a213ffc9c0932028b217c2bf806017c90593ed4f07841
SHA512 d820fbee9ba6fc45fcf0a6e9d724472fc2c9a22fddc75b87a2167ebf53d2b1fabcdfaff0c77a5cfc348203552d9af6424206d1a23874d9a4a3428150a03908ff

C:\Users\Admin\AppData\Local\Temp\SgAi.exe

MD5 b43aa938920afb89c142696b5c9b14ad
SHA1 7b6d21f8ae256395dfd46ab05d71a6065c482dab
SHA256 14a8787572fdd2c5b8ac703103c269f317eb85863300b79713cdeffe811b0a16
SHA512 5e5a566f34d923c21d358970ca94278bce408c49311a375c2d9833fad2eddc0e35b26bd6ebce5be257f110339d74500e1b46a80b8490d00533427c7c2a50f841

C:\Users\Admin\AppData\Local\Temp\pAcs.exe

MD5 806f5d737fadd3a6448151a70b908ace
SHA1 468f62ceebacb2790dac69e68c59568b81a2a4ed
SHA256 14b0e201d127b8c46367e257bdd4092f6f5af2534a553ff1c53837b585904f9c
SHA512 8874c608026a991c4a480e63d550def10b3c84c638d6940d3857f73fe63f22e34682a4b3ec0c1463cf1932d72dea2995233ba3ecf83f97f1cfc08eeaee6d2058

C:\Users\Admin\AppData\Local\Temp\tsQw.exe

MD5 01f17be8124e3b18fb560e7a05a8eede
SHA1 4a4d23240b0e7190ea0ddd9a9f399fb8e521e857
SHA256 e18d4ac498b49f38cf645f40aa28b5359fdfbf8fd6696d94b99d4592add44cb9
SHA512 708bfa82696f68c2e5f5ee0cb3d4601b1f451e4413553accb30fa18e2c4b6fd492c658bc116b4857d322ff13192513e6a70328bbde898daaf31d484e2aae0a0c

C:\Users\Admin\AppData\Local\Temp\VAUk.exe

MD5 af273bdec844fc906bd78fbaf3fb8ba8
SHA1 9b536ebd41e106d3a957df2545850d3bdbaf39ec
SHA256 6d883229f7e7b85db4a2be22f2c5e99be75d55a8587700bfa60aa44e696498b2
SHA512 7f0bf444f543a831afd89269e537769e1abd8d51b19c67acd9006099feb13e046949fd738bed81e0bb2563bac05630c412fa06b903bf15f64d326ce2008f4672

C:\Users\Admin\AppData\Local\Temp\JoQm.exe

MD5 e73c47b75547fdc06c4d5afeac6a2689
SHA1 721eb127e5b4b4d52f9677cae87ffa4756d58131
SHA256 a265cc0a9f020737c18e241b363ef11c6c97082b4f944dd3a7d61974be7c7204
SHA512 5737187a08c3bf8cc33387451113b1f756093d55010f41d76b1f5e50a96bcc163a81e3f3d4f9016e93faf7247610e66d48cfaee086e335813f03b3bdef85d3cf

C:\Users\Admin\AppData\Local\Temp\PcoW.exe

MD5 9e97a41ecd129c78d2fce21ad1d1e510
SHA1 d2c8a5b8c51a287957837ae3d0e4c657351eb3cb
SHA256 e14e3c61b54aa0052abd1338db0bb76398e10bae5d21d6c32e7625b66879e8a2
SHA512 d35d4cf88d343df7a57d646a72a8d09ab5c4f7e28f764c6c4ec78d89a2edd6a07748170f26bfaa43e2b8871291c660430fc706bc9e2a187aebda0a9d22523be3

C:\Users\Admin\AppData\Local\Temp\pWogscgY.bat

MD5 63c30d08be26c6d9556250f90fbf0060
SHA1 3c2f7c5860122772216c2d0797417831160d5ec3
SHA256 3c443a39eab449258eb19d212035885d242f26286e9f700ea7ff1732a86f13be
SHA512 e12111982c18f4acd816274b53d613c77855e6dd7a2195e9075d1ec8afad8e13767ed7cfbb145dd3482183eed379af5b8a392c3ec21ba40fdeb2b1f948e54291

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile27.bmp.exe

MD5 bc17974d2ede7645803e785d14fde876
SHA1 f8a28b95291ce5c78cc86ab3439ac33bbb51954d
SHA1 e31357751f2e021c7bed6e4a750b7c1d6d77bee3
SHA256 6b44a998c5b7a7de4191fda937a0c42bab6d2d0e782d8cee712bf29e943b2f27
SHA512 90ca309b84066bf6b919094e424ec1f76a2f75483a46c2449bc6a992b36c68b5f08b8072d580bbdded9ae191fb11341badc58a121001e5c17c7e6378c18b6ae3

C:\Users\Admin\AppData\Local\Temp\tksg.exe

MD5 04eba3674ab0a99d804d82f3ae370ac1
SHA1 23cd80e58b5178947a9c6aaac42c23298d1f40a7
SHA256 8f1f751299d4f8ca873e3623b9b3e7d67d782ade81ca3975041426f44faa8465
SHA512 51b0cbca22fb7f36dcf044965313d28f57054311c7a5842db1a2b6ba63e2e662857752bbe4947de9c3a944e88fb3d93b62eec11afdc716818d22cd3a4d9863b4

C:\Users\Admin\AppData\Local\Temp\CgEa.exe

MD5 43bdb92e48c1cac0654e9cd554ff156c
SHA1 1f8a1252443844feddaaf99a7d437f5c4f4bac6f
SHA256 0ccf13786b2cfcb3f3b379f586ca64d04c881c832f956bd53d2ca2478c324076
SHA512 a8745c5b0528de4f4c5d71ea6d6c52487bcda6f405ce8f0cef9a95180f6f9015141d00f9c684a3608dd85025b6768b0e073f678c735557278a8d0dc90896e845

C:\Users\Admin\AppData\Local\Temp\PsAM.exe

MD5 e977f5ade0fa0be6f982421f1cd1e3f1
SHA1 91805b5a73126eb94b787190d34e5fd532e34fc0
SHA256 c677784211b364281dcce9b21672128b0a14ec97bfae8de0a06ab05b5ed5b54d
SHA512 13cc12e58890879ddc0365e500c061fa65d12c788c6ace73fa97150046d62529d18905ef76d4702ab2cb1bb315e17b8b336f201c2833ca371632d516043225f8

C:\Users\Admin\AppData\Local\Temp\bAgG.exe

MD5 c98569c6f691d060c2eb6910231ed879
SHA1 49d9ce80a14283c29de1fbe6cdca1d79eacf9063
SHA256 3f2cec56eaa13a9148a49029ff381bb3a8bc17fea331359268ccb46a3eb9cca2
SHA512 6dd60b37beff1e52b9bd23df5401140af443cb85b7d38349d576a1e898b9e6c80c15f25489465663c2170188369741f204aabb5bdb7af8dc607c174e23b5d20b

C:\Users\Admin\AppData\Local\Temp\yYQS.exe

MD5 19e882e808f67438b0a2d46d35bb4487
SHA1 9d7aff5aad80f9db837432673c84ee944600fb5e
SHA256 9c889d0a7bc06d405f6bca6267da4a1c1d7ea326dd10310355d68aaf43f938cb
SHA512 913779ea3640b04c511cd3f1a305c6ea9d4fde30708698edc33a152164f4eaab5e4dc9430e57376299df820d1975effca75c984bc1c44ff24070041d04d022eb

C:\Users\Admin\AppData\Local\Temp\bswM.exe

MD5 35e33b4e417a0f32f19447d33506d840
SHA1 9da6e35e5207ef85fb1c8de385d35aa3b879a6cb
SHA256 39d58c4c7e309a0fb75ae9e7fd7efb0924cfa4957ddf02d721605b8bd7800bb0
SHA512 88adc2e546d3075403311074aaaaf503546b6368fe8fdcb179c82410ec5085e7dfde024b1406a97fe536424008b19e25a1b8308c32103bd7a8c62bdf75b12423

C:\Users\Admin\AppData\Local\Temp\NskK.exe

MD5 7fd9fc55d83cb24afc92eba01f617787
SHA1 664820a9e59e5a14692155da28a5452615b9353b
SHA256 7b065fd8f3f2ee316b4bdfd3efc97b481904501beb9f5b5836c8de8cb07f1103
SHA512 ead3c9346fe770eb00fb244ef79c443a8914d3babb86f169deeb5cf0b513e2c22aedbe83cbfe9abe9424d4d942f58db2495de4c6043f5413a26f2033fe01e51e

C:\Users\Admin\AppData\Local\Temp\aogq.exe

MD5 149146e6e30c0e0031dd41a6fe2a777b
SHA1 37a6f800df3684c62b419d71cc72cb632e869e18
SHA256 1e3fd6454782b4896daddd7dcdd2f4c67acf23ebb4cc9baacee0d14430f7db1e
SHA512 911396d8c5ab5b04c78b32b7073f03f405ad6561c7d915aee81824b62459127f78bc6bd5c87ad004b783c12ead8f447f68aea4c0c9955d9c1174233a342015d8

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-06 21:33

Reported

2024-04-06 21:36

Platform

win10v2004-20240226-en

Max time kernel

3s

Max time network

56s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ViraLock.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\ViraLock.exe

"C:\Users\Admin\AppData\Local\Temp\ViraLock.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"

C:\Users\Admin\AppData\Local\Temp\ViraLock.exe

C:\Users\Admin\AppData\Local\Temp\ViraLock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\keggsYoQ.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\ViraLock.exe

C:\Users\Admin\AppData\Local\Temp\ViraLock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"

C:\Users\Admin\AppData\Local\Temp\ViraLock.exe

C:\Users\Admin\AppData\Local\Temp\ViraLock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jCYQkgAM.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""

C:\Users\Admin\AppData\Local\Temp\ViraLock.exe

C:\Users\Admin\AppData\Local\Temp\ViraLock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"

C:\Users\Admin\AppData\Local\Temp\ViraLock.exe

C:\Users\Admin\AppData\Local\Temp\ViraLock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"

C:\Users\Admin\AppData\Local\Temp\ViraLock.exe

C:\Users\Admin\AppData\Local\Temp\ViraLock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\omkEUwcg.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"

C:\Users\Admin\AppData\Local\Temp\ViraLock.exe

C:\Users\Admin\AppData\Local\Temp\ViraLock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ecYYkIgw.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"

C:\Users\Admin\AppData\Local\Temp\ViraLock.exe

C:\Users\Admin\AppData\Local\Temp\ViraLock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwIQAIok.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bUkEQMgg.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"

C:\Users\Admin\AppData\Local\Temp\ViraLock.exe

C:\Users\Admin\AppData\Local\Temp\ViraLock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TyAAYMEc.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"

Network

Country Destination Domain Proto
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
BO 200.87.164.69:9999 tcp
DE 142.250.186.46:80 google.com tcp
DE 142.250.186.46:80 google.com tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 46.186.250.142.in-addr.arpa udp
US 8.8.8.8:53 21.114.220.23.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\EEcAYkow.bat

C:\Users\Admin\AppData\Local\Temp\file.vbs

C:\Users\Admin\AppData\Local\Temp\ViraLock
