badrabbit | hxxps://github[.]com/Endermanch/MalwareDatabase/blob/master/enderware/Deskbottom[.]zip

Analysis

max time kernel
560s
max time network
584s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
06-03-2024 15:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Endermanch/MalwareDatabase/blob/master/enderware/Deskbottom.zip

Score

10^/10

badrabbit infinitylock evasion persistence ransomware trojan

Malware Config

Signatures

BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
ransomware badrabbit
InfinityLock Ransomware
Also known as InfinityCrypt. Based on the open-source HiddenTear ransomware.
ransomware infinitylock

Modifies visibility of file extensions in Explorer 2 TTPs 59 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 59 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Executes dropped EXE 64 IoCs

Processes:

pid	process
1232	9955.tmp
1388	[email protected]
5560	TAgIQwEM.exe
5904	xSkoscUM.exe
4772	[email protected]
2748	[email protected]
4604	[email protected]
5908	[email protected]
6048	[email protected]
5896	[email protected]
2900	[email protected]
1924	[email protected]
5932	[email protected]
6048	[email protected]
5408	[email protected]
5932	[email protected]
3028	[email protected]
4756	[email protected]
840	[email protected]
1772	[email protected]
752	[email protected]
104	[email protected]
1884	[email protected]
1040	[email protected]
5296	[email protected]
3028	[email protected]
2400	[email protected]
2900	[email protected]
840	[email protected]
5292	[email protected]
5164	[email protected]
836	[email protected]
5072	[email protected]
3792	[email protected]
5992	[email protected]
944	[email protected]
6080	[email protected]
4380	[email protected]
6460	[email protected]
6756	[email protected]
7032	[email protected]
4756	[email protected]
6288	[email protected]
5760	[email protected]
6840	[email protected]
6792	[email protected]
5300	[email protected]
5244	[email protected]
3688	[email protected]
6908	[email protected]
4772	[email protected]
7028	[email protected]
6740	[email protected]
6000	[email protected]
4628	[email protected]
7040	[email protected]
6928	[email protected]
1924	[email protected]
6172	[email protected]
6632	[email protected]
7052	[email protected]
6864	[email protected]
3540	[email protected]
6400	[email protected]

Loads dropped DLL 2 IoCs

Processes:

rundll32.exerundll32.exe

pid process

3208 rundll32.exe
1980 rundll32.exe

pid	process
3208	rundll32.exe
1980	rundll32.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

[email protected]xSkoscUM.exeTAgIQwEM.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Run\TAgIQwEM.exe = "C:\\Users\\Admin\\mAMYgsUw\\TAgIQwEM.exe"	[email protected]
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\xSkoscUM.exe = "C:\\ProgramData\\nGMYQcUs\\xSkoscUM.exe"	[email protected]
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\xSkoscUM.exe = "C:\\ProgramData\\nGMYQcUs\\xSkoscUM.exe"	xSkoscUM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Run\TAgIQwEM.exe = "C:\\Users\\Admin\\mAMYgsUw\\TAgIQwEM.exe"	TAgIQwEM.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service
T1102

Processes:

flow ioc

175 camo.githubusercontent.com
180 camo.githubusercontent.com
9 raw.githubusercontent.com
33 raw.githubusercontent.com
171 camo.githubusercontent.com

flow	ioc
175	camo.githubusercontent.com
180	camo.githubusercontent.com
9	raw.githubusercontent.com
33	raw.githubusercontent.com
171	camo.githubusercontent.com

Drops file in Program Files directory 64 IoCs

Processes:

[email protected][email protected]

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.143.57\msedgeupdateres_af.dll.CA5A3AE6706D57D1008755026212403BAABB67B00450B14EFCF81610645B34D5	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\90.0.818.66\ResiliencyLinks\Locales\am.pak.DATA.CA5A3AE6706D57D1008755026212403BAABB67B00450B14EFCF81610645B34D5	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\AiodLite.dll.CA5A3AE6706D57D1008755026212403BAABB67B00450B14EFCF81610645B34D5	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\large_trefoil.png.CA5A3AE6706D57D1008755026212403BAABB67B00450B14EFCF81610645B34D5	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\A12_Sign_White@1x.png.CA5A3AE6706D57D1008755026212403BAABB67B00450B14EFCF81610645B34D5	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\fr-fr\ui-strings.js.CA5A3AE6706D57D1008755026212403BAABB67B00450B14EFCF81610645B34D5	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\sk-sk\ui-strings.js.CA5A3AE6706D57D1008755026212403BAABB67B00450B14EFCF81610645B34D5	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.143.57\msedgeupdateres_bn.dll.CA5A3AE6706D57D1008755026212403BAABB67B00450B14EFCF81610645B34D5	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\Locales\zh-CN.pak.CA5A3AE6706D57D1008755026212403BAABB67B00450B14EFCF81610645B34D5	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\sk-sk\ui-strings.js.CA5A3AE6706D57D1008755026212403BAABB67B00450B14EFCF81610645B34D5	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\he-il\ui-strings.js.CA5A3AE6706D57D1008755026212403BAABB67B00450B14EFCF81610645B34D5	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\hr-hr\ui-strings.js.CA5A3AE6706D57D1008755026212403BAABB67B00450B14EFCF81610645B34D5	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\fi-fi\ui-strings.js.CA5A3AE6706D57D1008755026212403BAABB67B00450B14EFCF81610645B34D5	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\ja-jp\ui-strings.js.CA5A3AE6706D57D1008755026212403BAABB67B00450B14EFCF81610645B34D5	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.143.57\msedgeupdateres_ur.dll.CA5A3AE6706D57D1008755026212403BAABB67B00450B14EFCF81610645B34D5	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\S_IlluNoSearchResults_180x160.svg.CA5A3AE6706D57D1008755026212403BAABB67B00450B14EFCF81610645B34D5	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\bun.png.CA5A3AE6706D57D1008755026212403BAABB67B00450B14EFCF81610645B34D5	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\selector.js.CA5A3AE6706D57D1008755026212403BAABB67B00450B14EFCF81610645B34D5	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\zh-tw_get.svg.CA5A3AE6706D57D1008755026212403BAABB67B00450B14EFCF81610645B34D5	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\fi-fi\AppStore_icon.svg.CA5A3AE6706D57D1008755026212403BAABB67B00450B14EFCF81610645B34D5	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\selector.js.CA5A3AE6706D57D1008755026212403BAABB67B00450B14EFCF81610645B34D5	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\ResiliencyLinks\Trust Protection Lists\Sigma\Social.DATA.CA5A3AE6706D57D1008755026212403BAABB67B00450B14EFCF81610645B34D5	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_auditreport_18.svg.CA5A3AE6706D57D1008755026212403BAABB67B00450B14EFCF81610645B34D5	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\ro-ro\ui-strings.js.CA5A3AE6706D57D1008755026212403BAABB67B00450B14EFCF81610645B34D5	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\pt-br\ui-strings.js.CA5A3AE6706D57D1008755026212403BAABB67B00450B14EFCF81610645B34D5	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\90.0.818.66\Locales\qu.pak.CA5A3AE6706D57D1008755026212403BAABB67B00450B14EFCF81610645B34D5	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\wns_push_client.dll.CA5A3AE6706D57D1008755026212403BAABB67B00450B14EFCF81610645B34D5	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\arrow-right.gif.CA5A3AE6706D57D1008755026212403BAABB67B00450B14EFCF81610645B34D5	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\hr-hr\ui-strings.js.CA5A3AE6706D57D1008755026212403BAABB67B00450B14EFCF81610645B34D5	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\Locales\devtools\de.pak.CA5A3AE6706D57D1008755026212403BAABB67B00450B14EFCF81610645B34D5	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\VisualElements\LogoCanary.png.CA5A3AE6706D57D1008755026212403BAABB67B00450B14EFCF81610645B34D5	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ja-jp\ui-strings.js.CA5A3AE6706D57D1008755026212403BAABB67B00450B14EFCF81610645B34D5	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\it-it\ui-strings.js.CA5A3AE6706D57D1008755026212403BAABB67B00450B14EFCF81610645B34D5	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\PDFPrevHndlr.dll.CA5A3AE6706D57D1008755026212403BAABB67B00450B14EFCF81610645B34D5	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\pl-pl\ui-strings.js.CA5A3AE6706D57D1008755026212403BAABB67B00450B14EFCF81610645B34D5	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\ResiliencyLinks\MLModels\autofill_labeling_features_email.txt.DATA.CA5A3AE6706D57D1008755026212403BAABB67B00450B14EFCF81610645B34D5	[email protected]
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\en\Microsoft.PackageManagement.MsiProvider.resources.dll.CA5A3AE6706D57D1008755026212403BAABB67B00450B14EFCF81610645B34D5	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\turnOnNotificationInTray.gif.CA5A3AE6706D57D1008755026212403BAABB67B00450B14EFCF81610645B34D5	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fr-fr\ui-strings.js.CA5A3AE6706D57D1008755026212403BAABB67B00450B14EFCF81610645B34D5	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sl-sl\ui-strings.js.CA5A3AE6706D57D1008755026212403BAABB67B00450B14EFCF81610645B34D5	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\az_get.svg.CA5A3AE6706D57D1008755026212403BAABB67B00450B14EFCF81610645B34D5	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\da_get.svg.CA5A3AE6706D57D1008755026212403BAABB67B00450B14EFCF81610645B34D5	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\ResiliencyLinks\Locales\qu.pak.DATA.CA5A3AE6706D57D1008755026212403BAABB67B00450B14EFCF81610645B34D5	[email protected]
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll.CA5A3AE6706D57D1008755026212403BAABB67B00450B14EFCF81610645B34D5	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\close_x.png.CA5A3AE6706D57D1008755026212403BAABB67B00450B14EFCF81610645B34D5	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\zh-tw\ui-strings.js.CA5A3AE6706D57D1008755026212403BAABB67B00450B14EFCF81610645B34D5	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\it-it\ui-strings.js.CA5A3AE6706D57D1008755026212403BAABB67B00450B14EFCF81610645B34D5	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\warning.png.CA5A3AE6706D57D1008755026212403BAABB67B00450B14EFCF81610645B34D5	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\it-it\ui-strings.js.CA5A3AE6706D57D1008755026212403BAABB67B00450B14EFCF81610645B34D5	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ru-ru\ui-strings.js.CA5A3AE6706D57D1008755026212403BAABB67B00450B14EFCF81610645B34D5	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\sl-si\ui-strings.js.CA5A3AE6706D57D1008755026212403BAABB67B00450B14EFCF81610645B34D5	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\en-il\ui-strings.js.CA5A3AE6706D57D1008755026212403BAABB67B00450B14EFCF81610645B34D5	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\Installer\setup.exe.CA5A3AE6706D57D1008755026212403BAABB67B00450B14EFCF81610645B34D5	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\css\main.css.CA5A3AE6706D57D1008755026212403BAABB67B00450B14EFCF81610645B34D5	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_ja_135x40.svg.CA5A3AE6706D57D1008755026212403BAABB67B00450B14EFCF81610645B34D5	[email protected]
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\en-US\MSFT_PackageManagementSource.schema.mfl.CA5A3AE6706D57D1008755026212403BAABB67B00450B14EFCF81610645B34D5	[email protected]
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\goopdateres_te.dll.CA5A3AE6706D57D1008755026212403BAABB67B00450B14EFCF81610645B34D5	[email protected]
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt.CA5A3AE6706D57D1008755026212403BAABB67B00450B14EFCF81610645B34D5	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\css\faf-main.css.CA5A3AE6706D57D1008755026212403BAABB67B00450B14EFCF81610645B34D5	[email protected]
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Build.bat.CA5A3AE6706D57D1008755026212403BAABB67B00450B14EFCF81610645B34D5	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\server_issue.gif.CA5A3AE6706D57D1008755026212403BAABB67B00450B14EFCF81610645B34D5	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\editpdf.svg.CA5A3AE6706D57D1008755026212403BAABB67B00450B14EFCF81610645B34D5	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_ellipses_selected.svg.CA5A3AE6706D57D1008755026212403BAABB67B00450B14EFCF81610645B34D5	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\uk-ua\ui-strings.js.CA5A3AE6706D57D1008755026212403BAABB67B00450B14EFCF81610645B34D5	[email protected]

Drops file in Windows directory 7 IoCs

Processes:

[email protected]rundll32.exe[email protected]rundll32.exe

description	ioc	process
File created	C:\Windows\infpub.dat	[email protected]
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\infpub.dat	[email protected]
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\cscc.dat	rundll32.exe
File created	C:\Windows\dispci.exe	rundll32.exe
File opened for modification	C:\Windows\9955.tmp	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

[email protected][email protected]WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	[email protected]
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	[email protected]
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	[email protected]
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	[email protected]
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2392 schtasks.exe
4972 schtasks.exe

pid	process
2392	schtasks.exe
4972	schtasks.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEmsedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE

Modifies registry class 2 IoCs

Processes:

msedge.exemsedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2930051783-2551506282-3430162621-1000\{E56D7586-80EE-4EDA-B628-9346956CAD24}	msedge.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

Processes:

pid	process
2900	reg.exe
944	reg.exe
1548
1032	reg.exe
5480	reg.exe
5136	reg.exe
5296
4772	reg.exe
6928	reg.exe
5728	reg.exe
4628	reg.exe
840	reg.exe
6248	reg.exe
7104
1704	reg.exe
6572
1468	reg.exe
5480	reg.exe
5852	reg.exe
7120	reg.exe
6664	reg.exe
6164	reg.exe
6264	reg.exe
6792	reg.exe
5492	reg.exe
6796	reg.exe
3112	reg.exe
2932	reg.exe
4980	reg.exe
7080	reg.exe
7164	reg.exe
6016	reg.exe
7016
7160	reg.exe
2900	reg.exe
2516
6504	reg.exe
6612	reg.exe
6976
5624	reg.exe
7048	reg.exe
7024	reg.exe
6544	reg.exe
5808	reg.exe
1996	reg.exe
1184
5072	reg.exe
1624	reg.exe
5164	reg.exe
6612	reg.exe
6892	reg.exe
5808	reg.exe
696	reg.exe
5212	reg.exe
4260	reg.exe
6364	reg.exe
3612	reg.exe
1876	reg.exe
836	reg.exe
1980	reg.exe
6180	reg.exe
6524	reg.exe
6476	reg.exe
6488	reg.exe

NTFS ADS 7 IoCs

Processes:

msedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Deskbottom (1).zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\InfinityCrypt.zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\BadRabbit.zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\BadRabbit (1).zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\ViraLock.zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\ViraLock (1).zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Deskbottom.zip:Zone.Identifier	msedge.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

412 WINWORD.EXE
412 WINWORD.EXE

pid	process
412	WINWORD.EXE
412	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exerundll32.exe9955.tmprundll32.exemsedge.exemsedge.exe[email protected][email protected][email protected][email protected][email protected][email protected]

pid	process
4524	msedge.exe
4524	msedge.exe
4048	msedge.exe
4048	msedge.exe
4120	msedge.exe
4120	msedge.exe
1064	identity_helper.exe
1064	identity_helper.exe
496	msedge.exe
496	msedge.exe
112	msedge.exe
112	msedge.exe
2288	msedge.exe
2288	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
3484	msedge.exe
3484	msedge.exe
2520	msedge.exe
2520	msedge.exe
3192	msedge.exe
3192	msedge.exe
3208	rundll32.exe
3208	rundll32.exe
3208	rundll32.exe
3208	rundll32.exe
1232	9955.tmp
1232	9955.tmp
1232	9955.tmp
1232	9955.tmp
1232	9955.tmp
1232	9955.tmp
1232	9955.tmp
1980	rundll32.exe
1980	rundll32.exe
6016	msedge.exe
6016	msedge.exe
5460	msedge.exe
5460	msedge.exe
1388	[email protected]
1388	[email protected]
1388	[email protected]
1388	[email protected]
4772	[email protected]
4772	[email protected]
4772	[email protected]
4772	[email protected]
2748	[email protected]
2748	[email protected]
2748	[email protected]
2748	[email protected]
4604	[email protected]
4604	[email protected]
4604	[email protected]
4604	[email protected]
5908	[email protected]
5908	[email protected]
5908	[email protected]
5908	[email protected]
6048	[email protected]
6048	[email protected]
6048	[email protected]

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

680
680

pid	process
680
680

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 30 IoCs

Processes:

msedge.exe

pid	process
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

AUDIODG.EXE[email protected][email protected]rundll32.exe9955.tmprundll32.exe7zG.exe

description	pid	process
Token: 33	124	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	124	AUDIODG.EXE
Token: SeDebugPrivilege	4612	[email protected]
Token: SeDebugPrivilege	3148	[email protected]
Token: SeShutdownPrivilege	3208	rundll32.exe
Token: SeDebugPrivilege	3208	rundll32.exe
Token: SeTcbPrivilege	3208	rundll32.exe
Token: SeDebugPrivilege	1232	9955.tmp
Token: SeShutdownPrivilege	1980	rundll32.exe
Token: SeDebugPrivilege	1980	rundll32.exe
Token: SeTcbPrivilege	1980	rundll32.exe
Token: SeRestorePrivilege	1468	7zG.exe
Token: 35	1468	7zG.exe
Token: SeSecurityPrivilege	1468	7zG.exe
Token: SeSecurityPrivilege	1468	7zG.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exerundll32.exe

pid	process
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
1812	rundll32.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

msedge.exe

pid	process
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

WINWORD.EXE

pid process

412 WINWORD.EXE
412 WINWORD.EXE
412 WINWORD.EXE
412 WINWORD.EXE
412 WINWORD.EXE
412 WINWORD.EXE
412 WINWORD.EXE

pid	process
412	WINWORD.EXE
412	WINWORD.EXE
412	WINWORD.EXE
412	WINWORD.EXE
412	WINWORD.EXE
412	WINWORD.EXE
412	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 4048 wrote to memory of 2120	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 2120	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 900	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 900	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 900	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 900	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 900	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 900	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 900	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 900	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 900	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 900	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 900	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 900	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 900	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 900	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 900	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 900	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 900	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 900	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 900	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 900	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 900	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 900	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 900	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 900	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 900	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 900	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 900	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 900	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 900	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 900	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 900	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 900	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 900	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 900	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 900	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 900	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 900	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 900	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 900	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 900	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 4524	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 4524	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 4840	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 4840	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 4840	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 4840	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 4840	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 4840	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 4840	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 4840	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 4840	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 4840	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 4840	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 4840	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 4840	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 4840	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 4840	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 4840	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 4840	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 4840	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 4840	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 4840	4048	msedge.exe	msedge.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Endermanch/MalwareDatabase/blob/master/enderware/Deskbottom.zip
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4048

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xa8,0x10c,0x7fff9a6b3cb8,0x7fff9a6b3cc8,0x7fff9a6b3cd8
2⤵
PID:2120

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1892,14234783024971139593,2076397095832970621,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1916 /prefetch:2
2⤵
PID:900

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1892,14234783024971139593,2076397095832970621,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2108 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4524

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1892,14234783024971139593,2076397095832970621,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2652 /prefetch:8
2⤵
PID:4840

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,14234783024971139593,2076397095832970621,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3192 /prefetch:1
2⤵
PID:2580

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,14234783024971139593,2076397095832970621,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
2⤵
PID:832

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1892,14234783024971139593,2076397095832970621,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5196 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4120

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1892,14234783024971139593,2076397095832970621,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5500 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1064

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,14234783024971139593,2076397095832970621,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3944 /prefetch:1
2⤵
PID:1524

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,14234783024971139593,2076397095832970621,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5228 /prefetch:1
2⤵
PID:4132

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,14234783024971139593,2076397095832970621,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
2⤵
PID:4920

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,14234783024971139593,2076397095832970621,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5652 /prefetch:1
2⤵
PID:3120

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,14234783024971139593,2076397095832970621,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5832 /prefetch:1
2⤵
PID:2656

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1892,14234783024971139593,2076397095832970621,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5788 /prefetch:8
2⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:496

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1892,14234783024971139593,2076397095832970621,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5664 /prefetch:8
2⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,14234783024971139593,2076397095832970621,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5948 /prefetch:1
2⤵
PID:1756

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,14234783024971139593,2076397095832970621,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
2⤵
PID:5068

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,14234783024971139593,2076397095832970621,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6304 /prefetch:1
2⤵
PID:2436

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,14234783024971139593,2076397095832970621,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6516 /prefetch:1
2⤵
PID:4440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1892,14234783024971139593,2076397095832970621,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5552 /prefetch:8
2⤵
PID:4608

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,14234783024971139593,2076397095832970621,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5752 /prefetch:1
2⤵
PID:4920

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,14234783024971139593,2076397095832970621,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6720 /prefetch:1
2⤵
PID:5100

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,14234783024971139593,2076397095832970621,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6884 /prefetch:1
2⤵
PID:4236

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,14234783024971139593,2076397095832970621,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6880 /prefetch:1
2⤵
PID:348

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,14234783024971139593,2076397095832970621,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7208 /prefetch:1
2⤵
PID:2524

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,14234783024971139593,2076397095832970621,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7224 /prefetch:1
2⤵
PID:1092

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,14234783024971139593,2076397095832970621,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7088 /prefetch:1
2⤵
PID:4684

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,14234783024971139593,2076397095832970621,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3544 /prefetch:1
2⤵
PID:1940

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,14234783024971139593,2076397095832970621,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7972 /prefetch:1
2⤵
PID:3276

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,14234783024971139593,2076397095832970621,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7968 /prefetch:1
2⤵
PID:412

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1892,14234783024971139593,2076397095832970621,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=7276 /prefetch:8
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2288

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,14234783024971139593,2076397095832970621,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8128 /prefetch:1
2⤵
PID:3264

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,14234783024971139593,2076397095832970621,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7956 /prefetch:1
2⤵
PID:1180

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,14234783024971139593,2076397095832970621,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7760 /prefetch:1
2⤵
PID:2212

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1892,14234783024971139593,2076397095832970621,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=7856 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1216

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,14234783024971139593,2076397095832970621,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6916 /prefetch:1
2⤵
PID:3868

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,14234783024971139593,2076397095832970621,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7372 /prefetch:1
2⤵
PID:3788

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,14234783024971139593,2076397095832970621,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7016 /prefetch:1
2⤵
PID:3460

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,14234783024971139593,2076397095832970621,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7660 /prefetch:1
2⤵
PID:2896

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1892,14234783024971139593,2076397095832970621,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4960 /prefetch:8
2⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:3484

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,14234783024971139593,2076397095832970621,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7028 /prefetch:1
2⤵
PID:1932

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1892,14234783024971139593,2076397095832970621,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6116 /prefetch:8
2⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:2520

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1892,14234783024971139593,2076397095832970621,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8296 /prefetch:8
2⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:3192

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,14234783024971139593,2076397095832970621,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5028 /prefetch:1
2⤵
PID:6004

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1892,14234783024971139593,2076397095832970621,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8352 /prefetch:8
2⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:6016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1892,14234783024971139593,2076397095832970621,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7580 /prefetch:8
2⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:5460

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,14234783024971139593,2076397095832970621,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8388 /prefetch:1
2⤵
PID:5204

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,14234783024971139593,2076397095832970621,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8420 /prefetch:1
2⤵
PID:5728

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,14234783024971139593,2076397095832970621,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8688 /prefetch:1
2⤵
PID:6380

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,14234783024971139593,2076397095832970621,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8748 /prefetch:1
2⤵
PID:5032

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,14234783024971139593,2076397095832970621,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8788 /prefetch:1
2⤵
PID:1608

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4920

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2812

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3132

C:\Users\Admin\AppData\Local\Temp\Temp1_Deskbottom (1).zip\[email protected]
"C:\Users\Admin\AppData\Local\Temp\Temp1_Deskbottom (1).zip\[email protected]"
1⤵
PID:4684

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\eebb4cd1a65e423c9a0151f38b0159a4 /t 3724 /p 4684
1⤵
PID:4608

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004DC 0x00000000000004D4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:124

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1480

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3556

C:\Users\Admin\AppData\Local\Temp\Temp1_InfinityCrypt.zip\[email protected]
"C:\Users\Admin\AppData\Local\Temp\Temp1_InfinityCrypt.zip\[email protected]"
1⤵
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4612

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {515980c3-57fe-4c1e-a561-730dd256ab98} -Embedding
1⤵
- Suspicious use of FindShellTrayWindow
PID:1812

C:\Users\Admin\Downloads\[email protected]
"C:\Users\Admin\Downloads\[email protected]"
1⤵
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3148

C:\Users\Admin\Downloads\BadRabbit (1)\[email protected]
"C:\Users\Admin\Downloads\BadRabbit (1)\[email protected]"
1⤵
- Drops file in Windows directory
PID:1996

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
2⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3208

C:\Windows\SysWOW64\cmd.exe
/c schtasks /Delete /F /TN rhaegal
3⤵
PID:5052

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /F /TN rhaegal
4⤵
PID:5084

C:\Windows\SysWOW64\cmd.exe
/c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 992845490 && exit"
3⤵
PID:444

C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 992845490 && exit"
4⤵
- Creates scheduled task(s)
PID:2392

C:\Windows\SysWOW64\cmd.exe
/c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 15:56:00
3⤵
PID:3460

C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 15:56:00
4⤵
- Creates scheduled task(s)
PID:4972

C:\Windows\9955.tmp
"C:\Windows\9955.tmp" \\.\pipe\{6D5691F3-B3C5-4416-B5C1-CCD686A0D031}
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1232

C:\Users\Admin\Downloads\BadRabbit (1)\[email protected]
"C:\Users\Admin\Downloads\BadRabbit (1)\[email protected]"
1⤵
- Drops file in Windows directory
PID:3152

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
2⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1980

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Downloads\RequestRestart.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:412

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\ViraLock\" -ad -an -ai#7zMap14267:78:7zEvent7986
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1468

C:\Users\Admin\Downloads\ViraLock\[email protected]
"C:\Users\Admin\Downloads\ViraLock\[email protected]"
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:1388

C:\Users\Admin\mAMYgsUw\TAgIQwEM.exe
"C:\Users\Admin\mAMYgsUw\TAgIQwEM.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:5560

C:\ProgramData\nGMYQcUs\xSkoscUM.exe
"C:\ProgramData\nGMYQcUs\xSkoscUM.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:5904

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
2⤵
PID:1456

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4772

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
4⤵
PID:5924

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
6⤵
PID:1996

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
8⤵
PID:5132

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
9⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:5908

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
10⤵
PID:6056

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
11⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:6048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
12⤵
PID:3556

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
13⤵
- Executes dropped EXE
PID:5896

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
14⤵
PID:5836

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
15⤵
- Executes dropped EXE
PID:2900

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
16⤵
PID:5212

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
17⤵
- Executes dropped EXE
PID:1924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
18⤵
PID:1032

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
19⤵
- Executes dropped EXE
PID:5932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
20⤵
PID:4208

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
21⤵
- Executes dropped EXE
PID:6048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
22⤵
PID:5864

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
23⤵
- Executes dropped EXE
PID:5408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
24⤵
PID:4380

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
25⤵
- Executes dropped EXE
PID:5932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
26⤵
PID:1040

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
27⤵
- Executes dropped EXE
PID:3028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
28⤵
PID:5400

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
29⤵
- Executes dropped EXE
PID:4756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
30⤵
PID:2752

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
31⤵
- Executes dropped EXE
PID:840

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
32⤵
PID:1528

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
33⤵
- Executes dropped EXE
PID:1772

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
34⤵
PID:1060

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
35⤵
- Executes dropped EXE
PID:752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
36⤵
PID:5628

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
37⤵
- Executes dropped EXE
PID:104

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
38⤵
PID:1032

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
39⤵
- Executes dropped EXE
PID:1884

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
40⤵
PID:4972

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
41⤵
- Executes dropped EXE
PID:1040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
42⤵
PID:1980

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
43⤵
- Executes dropped EXE
PID:5296

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
44⤵
PID:5164

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
45⤵
- Executes dropped EXE
PID:3028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
46⤵
PID:1884

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
47⤵
- Executes dropped EXE
PID:2400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
48⤵
PID:1040

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
49⤵
- Executes dropped EXE
PID:2900

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
50⤵
PID:1624

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
51⤵
- Executes dropped EXE
PID:840

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
52⤵
PID:6112

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
53⤵
- Executes dropped EXE
PID:5292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
54⤵
PID:1060

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
55⤵
- Executes dropped EXE
PID:5164

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
56⤵
PID:5040

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
57⤵
- Executes dropped EXE
PID:836

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
58⤵
PID:3976

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
59⤵
- Executes dropped EXE
PID:3792

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
60⤵
PID:5296

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
61⤵
- Executes dropped EXE
PID:944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
62⤵
PID:1884

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
63⤵
- Executes dropped EXE
PID:6080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
64⤵
PID:6388

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
65⤵
- Executes dropped EXE
PID:6460

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
66⤵
PID:6956

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
67⤵
- Executes dropped EXE
PID:7032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
68⤵
PID:6056

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
69⤵
- Executes dropped EXE
PID:6288

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
70⤵
PID:6724

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
71⤵
- Executes dropped EXE
PID:6840

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
72⤵
PID:6892

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
73⤵
- Executes dropped EXE
PID:5300

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
74⤵
PID:4828

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
75⤵
- Executes dropped EXE
PID:3688

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
76⤵
PID:6176

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
77⤵
- Executes dropped EXE
PID:4772

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
78⤵
PID:6600

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
79⤵
- Executes dropped EXE
PID:6740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
80⤵
PID:6364

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
81⤵
- Executes dropped EXE
PID:4628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
82⤵
PID:6992

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
83⤵
PID:6432

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
83⤵
- Executes dropped EXE
PID:6928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
84⤵
PID:6552

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
85⤵
- Executes dropped EXE
PID:6172

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
86⤵
PID:6352

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
87⤵
- Executes dropped EXE
PID:7052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
88⤵
PID:6508

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
89⤵
- Executes dropped EXE
PID:3540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
90⤵
PID:6780

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
91⤵
PID:1924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
92⤵
PID:6968

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
93⤵
PID:5924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
94⤵
PID:5808

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
95⤵
PID:7028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
96⤵
PID:1060

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
97⤵
PID:6252

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
97⤵
PID:6164

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
98⤵
PID:5624

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
99⤵
PID:6328

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
100⤵
PID:3204

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
101⤵
PID:6648

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
102⤵
PID:6452

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
103⤵
PID:4912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
104⤵
PID:6416

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
105⤵
PID:7064

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
106⤵
PID:5508

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
107⤵
PID:1632

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
108⤵
PID:6636

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
109⤵
PID:6496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
110⤵
PID:6712

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
111⤵
PID:5760

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
112⤵
PID:6944

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
113⤵
PID:6564

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
114⤵
PID:6048

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
115⤵
PID:6860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
116⤵
PID:6800

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
117⤵
PID:5932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
118⤵
PID:7056

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
119⤵
PID:3468

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
120⤵
PID:5116

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
121⤵
PID:6480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
122⤵
PID:3028

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
123⤵
PID:4532

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
124⤵
PID:1528

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
125⤵
PID:7104

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
126⤵
PID:6620

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
127⤵
PID:7088

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
128⤵
PID:2400

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
129⤵
PID:6292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
130⤵
PID:5624

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
131⤵
PID:6436

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
131⤵
PID:6312

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
132⤵
PID:6360

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
133⤵
PID:5664

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
134⤵
PID:6964

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
135⤵
PID:7164

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
136⤵
PID:6528

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
137⤵
PID:5556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
138⤵
PID:6232

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
139⤵
PID:2516

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
140⤵
PID:4428

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
141⤵
PID:6596

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
142⤵
PID:5788

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
143⤵
PID:6164

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
144⤵
PID:2244

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
145⤵
PID:5632

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
146⤵
PID:1032

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
147⤵
PID:7136

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
148⤵
PID:6412

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
149⤵
PID:6336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
150⤵
PID:6712

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
151⤵
PID:6556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
152⤵
PID:6684

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
153⤵
PID:6720

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
154⤵
PID:6812

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
155⤵
PID:4972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
156⤵
PID:3984

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
157⤵
PID:3768

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
156⤵
- Modifies registry key
PID:1704

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
156⤵
PID:6328

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
156⤵
PID:6068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lcwQQEEc.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
156⤵
PID:6696

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
154⤵
PID:1884

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
155⤵
PID:6284

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
154⤵
PID:7124

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
154⤵
- Modifies registry key
PID:6016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmEQQUkk.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
154⤵
PID:5908

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
152⤵
PID:7104

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
152⤵
PID:944

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
152⤵
PID:6224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\omsAUkUY.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
152⤵
PID:5484

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
153⤵
PID:6128

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
150⤵
PID:6016

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
150⤵
PID:5224

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
150⤵
PID:6168

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WQkMsIUc.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
150⤵
PID:5992

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
151⤵
PID:1032

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
148⤵
- Modifies registry key
PID:944

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
148⤵
PID:7096

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
148⤵
PID:6832

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GwgkcwYY.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
148⤵
PID:2660

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
149⤵
PID:3556

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
146⤵
PID:5040

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
146⤵
- Modifies registry key
PID:2932

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
146⤵
PID:6624

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VGYowUUs.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
146⤵
PID:2784

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
147⤵
PID:2752

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
144⤵
PID:6664

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
144⤵
PID:6916

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
144⤵
PID:5640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VeYQoAIY.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
144⤵
PID:3112

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
145⤵
PID:6972

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
142⤵
PID:872

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
142⤵
PID:6624

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
142⤵
PID:2516

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CgYQYEcs.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
142⤵
PID:4772

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
143⤵
PID:5628

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
140⤵
PID:3984

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
141⤵
PID:6632

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
140⤵
- Modifies registry key
PID:2900

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
140⤵
PID:6696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nKsIMgQo.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
140⤵
PID:6208

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
141⤵
PID:6368

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
138⤵
PID:5340

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
138⤵
PID:5640

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
138⤵
PID:6700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mGIUkggA.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
138⤵
PID:944

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
139⤵
PID:5696

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
136⤵
PID:5620

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
136⤵
PID:6196

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
136⤵
- Modifies registry key
PID:3112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UYMMUwwQ.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
136⤵
PID:5072

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
137⤵
PID:6056

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
134⤵
- Modifies registry key
PID:1996

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
134⤵
PID:6568

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
134⤵
PID:6296

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JGkoskIg.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
134⤵
PID:6172

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
135⤵
PID:6236

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
132⤵
- Modifies registry key
PID:5808

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
132⤵
PID:6528

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
132⤵
PID:6596

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hUUgUMYA.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
132⤵
PID:7036

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
133⤵
PID:1508

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
130⤵
PID:6336

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
130⤵
PID:6872

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
130⤵
PID:6668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AYwUUEco.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
130⤵
PID:1508

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
131⤵
PID:6888

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
128⤵
PID:7152

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
128⤵
PID:6188

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
128⤵
PID:3204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yYAQUMUs.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
128⤵
PID:6840

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
129⤵
PID:6600

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
126⤵
PID:6888

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
126⤵
- Modifies registry key
PID:6164

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
126⤵
PID:5852

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
127⤵
PID:5908

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oIMIIcQw.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
126⤵
PID:5216

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
127⤵
PID:7032

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
124⤵
- Modifies registry key
PID:6796

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
124⤵
- Modifies registry key
PID:3612

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
124⤵
PID:7100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rocoAQwM.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
124⤵
PID:6324

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
125⤵
PID:6468

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
122⤵
PID:6548

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
122⤵
PID:5512

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
122⤵
PID:6360

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dugkMMkg.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
122⤵
PID:6292

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
123⤵
PID:6596

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
120⤵
PID:6732

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
120⤵
PID:5224

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
120⤵
PID:5640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hUssgQIs.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
120⤵
PID:4380

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
121⤵
PID:5692

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
118⤵
PID:6260

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
118⤵
PID:2516

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
118⤵
PID:6780

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yGEwIMME.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
118⤵
PID:2244

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
119⤵
PID:5528

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
116⤵
- Modifies registry key
PID:4980

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
116⤵
PID:6500

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
116⤵
PID:5992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\muMsQIck.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
116⤵
PID:4828

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
117⤵
PID:1980

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
114⤵
PID:5224

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
114⤵
PID:5376

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
115⤵
PID:5728

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
114⤵
PID:6624

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YckgwUYI.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
114⤵
PID:4428

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
115⤵
PID:7116

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
112⤵
PID:6596

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
112⤵
PID:5820

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
112⤵
PID:6608

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fewMUwEg.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
112⤵
PID:6784

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
113⤵
PID:6284

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
110⤵
PID:4828

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
110⤵
PID:5924

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
111⤵
PID:4500

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
110⤵
- Modifies registry key
PID:6476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xMYwAksw.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
110⤵
PID:4060

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
111⤵
PID:6468

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
108⤵
PID:6920

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
109⤵
PID:6820

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
108⤵
PID:6580

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
108⤵
PID:6364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GSkQcUEM.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
108⤵
PID:7084

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
109⤵
PID:6916

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
106⤵
PID:6800

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
106⤵
PID:6948

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
106⤵
PID:7060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ycMYEMQA.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
106⤵
PID:2516

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
107⤵
PID:6736

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
107⤵
PID:6976

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
104⤵
PID:6316

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
104⤵
PID:6212

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
104⤵
PID:5732

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UMMscYcw.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
104⤵
PID:5212

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
105⤵
PID:6644

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
102⤵
PID:6188

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
102⤵
PID:2128

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
102⤵
PID:6676

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zSIEUgoE.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
102⤵
PID:6112

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
103⤵
PID:6168

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
100⤵
PID:5956

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
101⤵
PID:6772

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
100⤵
PID:6196

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
100⤵
PID:6872

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
101⤵
PID:5576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vWQYMYMM.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
100⤵
PID:6940

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
101⤵
PID:6392

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
98⤵
PID:5868

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
98⤵
PID:6924

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
98⤵
PID:6360

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pUEcwskI.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
98⤵
PID:6276

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
99⤵
PID:6288

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
96⤵
PID:1884

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
96⤵
PID:6548

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
96⤵
- Modifies registry key
PID:7160

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hkYsQoco.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
96⤵
PID:1588

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
97⤵
PID:7032

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
94⤵
PID:2472

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
95⤵
PID:6712

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
94⤵
PID:4772

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
94⤵
PID:6872

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ckoAcMkY.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
94⤵
PID:6736

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
95⤵
PID:6524

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
92⤵
PID:6776

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
92⤵
PID:2128

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
92⤵
PID:4604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yOoEUkMQ.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
92⤵
PID:6604

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
93⤵
PID:1624

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
90⤵
PID:6200

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
90⤵
PID:4268

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
90⤵
PID:5136

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zkIggEIE.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
90⤵
PID:1980

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
91⤵
PID:7020

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
91⤵
PID:5116

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
88⤵
- Modifies visibility of file extensions in Explorer
PID:7016

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
89⤵
PID:4828

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
88⤵
PID:6620

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
88⤵
- UAC bypass
PID:4772

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pgcAIkIg.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
88⤵
PID:6284

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
89⤵
PID:5628

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
86⤵
- Modifies visibility of file extensions in Explorer
PID:5908

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
86⤵
PID:7072

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
86⤵
- UAC bypass
PID:4604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PakYEcEo.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
86⤵
PID:7004

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
87⤵
PID:6748

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
84⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:5852

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
84⤵
PID:5300

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
84⤵
- UAC bypass
PID:1996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oWEogUMg.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
84⤵
PID:3496

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
85⤵
PID:6224

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
82⤵
- Modifies visibility of file extensions in Explorer
PID:5960

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
82⤵
PID:6496

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
82⤵
- UAC bypass
PID:3056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CcgIIIYA.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
82⤵
PID:4428

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
83⤵
PID:5884

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
80⤵
- Modifies visibility of file extensions in Explorer
PID:5148

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
80⤵
PID:6820

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
80⤵
- UAC bypass
PID:5916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OqkwQIkI.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
80⤵
PID:6844

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
81⤵
PID:7004

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
78⤵
- Modifies visibility of file extensions in Explorer
PID:5728

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
79⤵
PID:5280

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
78⤵
PID:5576

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
78⤵
- UAC bypass
PID:6204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sYMMUcIc.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
78⤵
PID:5992

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
79⤵
PID:7084

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
79⤵
PID:5100

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
76⤵
- Modifies visibility of file extensions in Explorer
PID:6508

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
76⤵
PID:5600

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
76⤵
- UAC bypass
PID:6432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zgUUAMAU.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
76⤵
PID:6924

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
77⤵
PID:6156

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
74⤵
- Modifies visibility of file extensions in Explorer
PID:6636

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
74⤵
PID:6112

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
74⤵
- UAC bypass
PID:6200

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VMAAowAA.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
74⤵
PID:5820

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
75⤵
PID:6664

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
72⤵
- Modifies visibility of file extensions in Explorer
PID:6712

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
72⤵
PID:6192

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
72⤵
- UAC bypass
PID:6740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VqMwUIQs.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
72⤵
PID:1224

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
73⤵
PID:6328

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
70⤵
- Modifies visibility of file extensions in Explorer
PID:6844

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
70⤵
PID:6100

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
70⤵
- UAC bypass
PID:6816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YcoAIQAc.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
70⤵
PID:6968

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
71⤵
PID:6756

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
68⤵
- Modifies visibility of file extensions in Explorer
PID:6404

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
68⤵
PID:2536

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
68⤵
- UAC bypass
PID:6484

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ycwQIwsA.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
68⤵
PID:6532

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
69⤵
PID:6520

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
66⤵
- Modifies visibility of file extensions in Explorer
PID:7068

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
66⤵
PID:7076

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
66⤵
- UAC bypass
PID:7084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iIwowEQY.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
66⤵
PID:7108

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
67⤵
PID:872

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
64⤵
- Modifies visibility of file extensions in Explorer
PID:6496

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
64⤵
- Modifies registry key
PID:6504

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
64⤵
- UAC bypass
PID:6520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oYkcwgsw.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
64⤵
PID:6544

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
65⤵
PID:6660

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
62⤵
- Modifies visibility of file extensions in Explorer
PID:1468

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
62⤵
PID:3056

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
62⤵
- UAC bypass
PID:5908

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\voYksEMM.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
62⤵
PID:6000

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
63⤵
PID:6412

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
60⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:5480

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
60⤵
PID:1508

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
60⤵
- UAC bypass
PID:1468

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JCwMwsAU.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
60⤵
PID:3204

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
61⤵
PID:3984

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
58⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4260

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
58⤵
- Modifies registry key
PID:840

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
58⤵
- UAC bypass
PID:5836

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PawAogQI.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
58⤵
PID:1492

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
59⤵
PID:4972

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
56⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1468

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
56⤵
PID:5664

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
56⤵
- UAC bypass
PID:1528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vcUUIcEE.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
56⤵
PID:5576

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
57⤵
PID:5444

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
54⤵
- Modifies visibility of file extensions in Explorer
PID:3204

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
54⤵
PID:3976

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
54⤵
- UAC bypass
PID:4388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WyogEEsk.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
54⤵
PID:4260

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
55⤵
PID:5624

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
52⤵
- Modifies visibility of file extensions in Explorer
PID:1388

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
52⤵
PID:5072

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
52⤵
- UAC bypass
PID:4532

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UkgIEQwA.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
52⤵
PID:5100

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
53⤵
PID:1468

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
50⤵
- Modifies visibility of file extensions in Explorer
PID:104

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
50⤵
PID:1468

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
50⤵
- UAC bypass
PID:5224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gmMYUEsQ.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
50⤵
PID:3792

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
51⤵
PID:4388

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
48⤵
- Modifies visibility of file extensions in Explorer
PID:3844

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
48⤵
PID:4972

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
48⤵
- UAC bypass
PID:3756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lWUcsAUU.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
48⤵
PID:5072

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
49⤵
PID:2752

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
46⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1624

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
46⤵
- Modifies registry key
PID:1032

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
46⤵
- UAC bypass
- Modifies registry key
PID:5212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HQsUkAsU.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
46⤵
PID:5808

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
47⤵
PID:2748

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
44⤵
- Modifies visibility of file extensions in Explorer
PID:1528

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
44⤵
PID:2748

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
44⤵
- UAC bypass
PID:4532

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DaUgMsYk.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
44⤵
PID:1060

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
45⤵
PID:3056

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
42⤵
- Modifies visibility of file extensions in Explorer
PID:6000

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
42⤵
PID:3984

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
42⤵
- UAC bypass
PID:4484

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FQAYYsUI.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
42⤵
PID:5864

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
43⤵
PID:5280

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
40⤵
- Modifies visibility of file extensions in Explorer
PID:5484

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
40⤵
PID:5164

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
40⤵
- UAC bypass
PID:1632

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OeUMgYAc.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
40⤵
PID:2748

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
41⤵
PID:696

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
38⤵
- Modifies visibility of file extensions in Explorer
PID:5952

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
38⤵
- Modifies registry key
PID:4628

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
38⤵
- UAC bypass
PID:1388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YOUkIcUs.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
38⤵
PID:4484

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
39⤵
PID:836

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
36⤵
- Modifies visibility of file extensions in Explorer
PID:5400

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
36⤵
PID:696

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
36⤵
- UAC bypass
PID:2632

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QGUcEIYg.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
36⤵
PID:5280

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
37⤵
PID:5192

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
34⤵
- Modifies visibility of file extensions in Explorer
PID:5164

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
34⤵
PID:2748

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
34⤵
- UAC bypass
PID:3540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rYwcgwoQ.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
34⤵
PID:1388

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
35⤵
PID:3976

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
32⤵
- Modifies visibility of file extensions in Explorer
PID:1032

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
32⤵
PID:5836

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
32⤵
- UAC bypass
PID:5760

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dccwAEMg.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
32⤵
PID:1968

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
33⤵
PID:5912

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
30⤵
- Modifies visibility of file extensions in Explorer
PID:5912

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
30⤵
- Modifies registry key
PID:5072

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
30⤵
- UAC bypass
- Modifies registry key
PID:5624

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoYQEcEU.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
30⤵
PID:5960

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
31⤵
PID:2748

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
28⤵
- Modifies visibility of file extensions in Explorer
PID:1456

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
28⤵
PID:5224

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
28⤵
- UAC bypass
PID:1528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bgEAwYos.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
28⤵
PID:4484

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
29⤵
PID:1032

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
26⤵
- Modifies visibility of file extensions in Explorer
PID:5728

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
26⤵
PID:1772

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
26⤵
- UAC bypass
PID:6112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uUcoAowo.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
26⤵
PID:6048

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
27⤵
PID:5992

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
24⤵
- Modifies visibility of file extensions in Explorer
PID:3844

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
24⤵
PID:5992

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
24⤵
- UAC bypass
PID:1996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OmEcwoYs.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
24⤵
PID:1528

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
25⤵
PID:5192

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
22⤵
- Modifies visibility of file extensions in Explorer
PID:1456

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
22⤵
PID:2748

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
22⤵
- UAC bypass
- Modifies registry key
PID:5492

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ceAUYQkY.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
22⤵
PID:1508

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
23⤵
PID:6112

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
20⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4772

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
20⤵
PID:3028

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
20⤵
- UAC bypass
PID:4380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ssscwckI.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
20⤵
PID:5628

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
21⤵
PID:4628

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
18⤵
- Modifies visibility of file extensions in Explorer
PID:5376

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
18⤵
PID:6056

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
18⤵
- UAC bypass
PID:5040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PoQsUYEs.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
18⤵
PID:5072

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
19⤵
PID:5912

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
16⤵
- Modifies visibility of file extensions in Explorer
PID:3204

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
16⤵
PID:2748

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
16⤵
- UAC bypass
PID:2752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PIgkAsIA.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
16⤵
PID:4388

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
17⤵
PID:1492

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
14⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:696

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
14⤵
PID:5100

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
14⤵
- UAC bypass
PID:5692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KgMsUMow.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
14⤵
PID:5728

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
15⤵
PID:1980

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
12⤵
- Modifies visibility of file extensions in Explorer
PID:1624

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
12⤵
PID:5932

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
12⤵
- UAC bypass
PID:1468

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UWQUYgMg.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
12⤵
PID:5888

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
13⤵
PID:3984

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
10⤵
- Modifies visibility of file extensions in Explorer
PID:752

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
10⤵
PID:3056

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
10⤵
- UAC bypass
PID:3204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\euUEUYsA.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
10⤵
PID:4484

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
11⤵
PID:5864

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
8⤵
- Modifies visibility of file extensions in Explorer
PID:5692

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
8⤵
PID:5144

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
8⤵
- UAC bypass
PID:2900

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IuwkUcwc.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
8⤵
PID:704

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
9⤵
PID:1060

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
6⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:5728

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
6⤵
PID:5628

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
6⤵
- UAC bypass
PID:2632

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TeYoYsUs.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
6⤵
PID:2320

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
7⤵
PID:3204

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
4⤵
- Modifies visibility of file extensions in Explorer
PID:3056

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
4⤵
PID:6016

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
4⤵
- UAC bypass
PID:2752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lOcMQoEw.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
4⤵
PID:5144

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
5⤵
PID:5908

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
2⤵
- Modifies visibility of file extensions in Explorer
PID:5240

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
2⤵
PID:5204

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
2⤵
- UAC bypass
PID:5808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cmIQEMkw.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
2⤵
PID:6100

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
3⤵
PID:1608

C:\Users\Admin\Downloads\ViraLock\[email protected]
"C:\Users\Admin\Downloads\ViraLock\[email protected]"
1⤵
- Executes dropped EXE
PID:5072

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
2⤵
PID:4828

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
3⤵
- Executes dropped EXE
PID:5992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
4⤵
PID:2784

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
5⤵
- Executes dropped EXE
PID:4380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
6⤵
PID:6708

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
7⤵
- Executes dropped EXE
PID:6756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
8⤵
PID:3976

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
9⤵
PID:3984

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
9⤵
- Executes dropped EXE
PID:4756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
10⤵
PID:6552

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
11⤵
- Executes dropped EXE
PID:5760

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
12⤵
PID:6904

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
13⤵
- Executes dropped EXE
PID:6792

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
14⤵
PID:6352

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
15⤵
PID:872

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
15⤵
- Executes dropped EXE
PID:5244

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
16⤵
PID:6936

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
17⤵
- Executes dropped EXE
PID:6908

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
18⤵
PID:7068

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
19⤵
- Executes dropped EXE
PID:7028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
20⤵
PID:5096

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
21⤵
- Executes dropped EXE
PID:6000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
22⤵
PID:1608

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
23⤵
- Executes dropped EXE
PID:7040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
24⤵
PID:6436

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
25⤵
- Executes dropped EXE
PID:1924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
26⤵
PID:6160

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
27⤵
- Executes dropped EXE
PID:6632

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
28⤵
PID:6456

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
29⤵
- Executes dropped EXE
PID:6864

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
30⤵
PID:7044

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
31⤵
- Executes dropped EXE
PID:6400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
32⤵
PID:3112

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
33⤵
PID:3688

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
34⤵
PID:5732

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
35⤵
PID:6864

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
36⤵
PID:5340

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
37⤵
PID:3280

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
38⤵
PID:6080

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
39⤵
PID:6000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
40⤵
PID:5504

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
41⤵
PID:6720

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
42⤵
PID:6624

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
43⤵
PID:7068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
44⤵
PID:6836

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
45⤵
PID:7028

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
45⤵
PID:5192

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
46⤵
PID:2660

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
47⤵
PID:6916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
48⤵
PID:5520

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
49⤵
PID:6240

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
49⤵
PID:6284

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
50⤵
PID:4796

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
51⤵
PID:7044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
52⤵
PID:5728

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
53⤵
PID:4380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
54⤵
PID:6348

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
55⤵
PID:944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
56⤵
PID:6232

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
57⤵
PID:2128

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
58⤵
PID:5480

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
59⤵
PID:5712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
60⤵
PID:6752

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
61⤵
PID:6508

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
61⤵
PID:5872

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
62⤵
PID:2860

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
63⤵
PID:6424

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
64⤵
PID:5556

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
65⤵
PID:6624

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
65⤵
PID:6068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
66⤵
PID:6180

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
67⤵
PID:7096

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
68⤵
PID:6836

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
69⤵
PID:4980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
70⤵
PID:2784

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
71⤵
PID:5192

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
72⤵
PID:1588

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
73⤵
PID:6932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
74⤵
PID:4388

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
75⤵
PID:2128

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
76⤵
PID:6716

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
77⤵
PID:3688

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
78⤵
PID:7096

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
79⤵
PID:6208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
80⤵
PID:3056

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
81⤵
PID:7108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
82⤵
PID:7152

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
83⤵
PID:4260

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
84⤵
PID:3756

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
85⤵
PID:6972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
86⤵
PID:1116

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
87⤵
PID:6924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
88⤵
PID:5140

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
89⤵
PID:7028

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
89⤵
PID:5164

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
90⤵
PID:6872

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
91⤵
PID:2660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
92⤵
PID:1876

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
93⤵
PID:5664

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
94⤵
PID:6388

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
95⤵
PID:6184

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
96⤵
PID:6308

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
97⤵
PID:5852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
98⤵
PID:6592

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
99⤵
PID:7040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
100⤵
PID:6008

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
101⤵
PID:6780

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock"
102⤵
PID:7036

C:\Users\Admin\Downloads\ViraLock\[email protected]
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
103⤵
PID:5732

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
102⤵
PID:704

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
102⤵
PID:5140

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
102⤵
- Modifies registry key
PID:6892

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jEoIoYwg.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
102⤵
PID:5572

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
100⤵
PID:6860

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
100⤵
PID:6448

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
100⤵
PID:6172

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\naEMYkAo.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
100⤵
PID:6976

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
101⤵
PID:5852

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
98⤵
- Modifies registry key
PID:1876

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
98⤵
PID:4972

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
98⤵
PID:6540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uUsgQEwc.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
98⤵
PID:6352

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
99⤵
PID:3768

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
96⤵
PID:5280

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
96⤵
PID:5820

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
96⤵
PID:6772

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IgQUUggg.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
96⤵
PID:5696

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
97⤵
PID:3612

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
94⤵
- Modifies registry key
PID:5808

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
94⤵
PID:6668

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
94⤵
PID:7072

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bqgMgIgs.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
94⤵
PID:5528

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
95⤵
PID:4796

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
92⤵
PID:6480

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
92⤵
PID:6068

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
92⤵
PID:4604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bSUQIocE.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
92⤵
PID:6156

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
93⤵
PID:6780

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
90⤵
PID:6456

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
90⤵
PID:6328

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
90⤵
PID:3028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GAAoAEcc.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
90⤵
PID:1624

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
91⤵
PID:696

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
88⤵
PID:4628

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
88⤵
PID:6068

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
88⤵
PID:6236

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WwoEEYEE.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
88⤵
PID:6356

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
89⤵
PID:6924

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
86⤵
PID:6168

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
86⤵
- Modifies registry key
PID:6612

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
87⤵
PID:7044

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
86⤵
PID:6432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RogwQYUA.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
86⤵
PID:7052

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
87⤵
PID:6676

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
84⤵
PID:6184

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
84⤵
PID:1588

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
84⤵
PID:1032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AuAQEAUs.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
84⤵
PID:3204

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
85⤵
PID:6936

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
82⤵
PID:6660

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
82⤵
PID:6324

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
82⤵
- Modifies registry key
PID:6248

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IOkkAUIY.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
82⤵
PID:6952

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
83⤵
PID:3280

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
80⤵
PID:6624

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
80⤵
PID:6560

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
80⤵
PID:3028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eMYYsAAk.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
80⤵
PID:2632

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
81⤵
PID:5820

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
78⤵
PID:6960

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
78⤵
PID:4828

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
78⤵
PID:6212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xOcsUMMU.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
78⤵
PID:6868

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
79⤵
PID:6232

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
76⤵
- Modifies registry key
PID:7080

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
76⤵
PID:1548

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
76⤵
PID:6836

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dasEkUIs.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
76⤵
PID:1876

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
77⤵
PID:6572

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
74⤵
PID:6820

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
74⤵
PID:6468

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
74⤵
PID:7020

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
75⤵
PID:6352

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WUQwcAEY.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
74⤵
PID:5412

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
75⤵
PID:6068

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
72⤵
- Modifies registry key
PID:2900

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
72⤵
PID:696

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
72⤵
- Modifies registry key
PID:6792

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kmwIAwgA.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
72⤵
PID:6968

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
73⤵
PID:6552

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
70⤵
PID:6380

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
70⤵
PID:1876

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
71⤵
PID:6496

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
70⤵
PID:2320

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YwEEYwgg.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
70⤵
PID:6160

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
71⤵
PID:6692

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
68⤵
PID:6376

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
68⤵
PID:1508

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
68⤵
PID:6912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FmkcYUkc.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
68⤵
PID:4780

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
69⤵
PID:6444

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
69⤵
PID:6684

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
66⤵
PID:5292

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
66⤵
PID:6540

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
66⤵
- Modifies registry key
PID:7024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TOwYMIEk.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
66⤵
PID:6644

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
67⤵
PID:6528

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
64⤵
PID:6684

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
64⤵
PID:5728

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
65⤵
PID:6400

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
64⤵
PID:6888

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xMoIEwYg.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
64⤵
PID:6832

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
65⤵
PID:2752

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
62⤵
PID:1528

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
62⤵
PID:6776

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
62⤵
PID:6692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sWQkokIc.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
62⤵
PID:6748

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
63⤵
PID:6376

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
60⤵
PID:1884

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
60⤵
- Modifies registry key
PID:6928

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
60⤵
PID:6168

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OWgIUQAc.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
60⤵
PID:7024

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
61⤵
PID:6408

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
58⤵
- Modifies registry key
PID:6612

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
58⤵
PID:6952

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
58⤵
PID:3612

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nkcEEEwA.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
58⤵
PID:6848

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
59⤵
PID:1012

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
56⤵
PID:6744

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
56⤵
PID:7016

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
56⤵
PID:6628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VIcIUsss.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
56⤵
PID:6552

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
57⤵
PID:5628

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
54⤵
PID:6444

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
54⤵
- Modifies registry key
PID:7164

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
54⤵
- Modifies registry key
PID:6524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BgYYcssY.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
54⤵
PID:6812

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
55⤵
PID:6844

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
55⤵
PID:5664

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
52⤵
PID:4972

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
52⤵
PID:6164

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
52⤵
PID:6908

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
53⤵
PID:6224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yaAEEMoA.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
52⤵
PID:6548

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
53⤵
PID:6520

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
50⤵
- Modifies registry key
PID:6180

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
50⤵
PID:7144

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
50⤵
PID:1884

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cQEYAMMU.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
50⤵
PID:5808

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
51⤵
PID:3056

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
51⤵
PID:6412

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
48⤵
PID:7164

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
48⤵
PID:7132

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
48⤵
PID:6672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kiUUYcYQ.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
48⤵
PID:7024

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
49⤵
PID:2632

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
49⤵
PID:4388

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
46⤵
PID:6756

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
46⤵
- Modifies registry key
PID:7120

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
46⤵
PID:6596

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
47⤵
PID:4628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KiIogQoo.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
46⤵
PID:6664

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
47⤵
PID:6364

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
44⤵
PID:7140

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
44⤵
PID:6232

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
44⤵
PID:6780

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DeQYwEAU.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
44⤵
PID:6464

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
45⤵
PID:6500

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
42⤵
PID:5664

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
42⤵
PID:6048

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
42⤵
PID:5732

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NuMAAAAY.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
42⤵
PID:6948

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
43⤵
PID:5116

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
40⤵
- Modifies registry key
PID:6364

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
40⤵
PID:5696

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
40⤵
PID:6580

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pGQsMksQ.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
40⤵
PID:6884

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
41⤵
PID:6208

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
38⤵
PID:6400

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
39⤵
PID:5244

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
38⤵
PID:6896

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
38⤵
PID:6688

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
39⤵
PID:6740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nmMYcEYs.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
38⤵
PID:6908

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
39⤵
PID:6100

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
36⤵
- Modifies registry key
PID:6488

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
36⤵
- Modifies registry key
PID:6264

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
36⤵
PID:2748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CSEQYQoA.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
36⤵
PID:1996

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
37⤵
PID:6508

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
34⤵
PID:6212

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
34⤵
PID:3028

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
34⤵
PID:6912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cmIkYsEo.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
34⤵
PID:6748

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
35⤵
PID:6920

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
32⤵
PID:6668

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
32⤵
PID:5528

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
32⤵
PID:4972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GUMAEYcs.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
32⤵
PID:2784

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
33⤵
PID:6552

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
33⤵
PID:6256

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
30⤵
- Modifies visibility of file extensions in Explorer
PID:7028

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
31⤵
PID:6204

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
30⤵
PID:4796

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
30⤵
- UAC bypass
PID:4500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pEcsIwsQ.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
30⤵
PID:5492

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
31⤵
PID:6532

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
31⤵
PID:6240

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
28⤵
- Modifies visibility of file extensions in Explorer
PID:2516

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
28⤵
PID:5712

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
28⤵
- UAC bypass
PID:5732

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\teQwEUUw.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
28⤵
PID:2660

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
29⤵
PID:3768

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
26⤵
- Modifies visibility of file extensions in Explorer
PID:3112

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
26⤵
- Modifies registry key
PID:6664

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
27⤵
PID:5760

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
26⤵
- UAC bypass
PID:5956

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dMMMYocM.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
26⤵
PID:6676

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
27⤵
PID:5148

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
27⤵
PID:7144

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
24⤵
- Modifies visibility of file extensions in Explorer
PID:6568

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
24⤵
- Modifies registry key
PID:5164

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
24⤵
- UAC bypass
PID:6444

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uCUgQssk.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
24⤵
PID:5692

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
25⤵
PID:6312

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
22⤵
- Modifies visibility of file extensions in Explorer
PID:6504

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
22⤵
PID:4972

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
22⤵
- UAC bypass
PID:6688

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eQskQoMw.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
22⤵
PID:6540

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
23⤵
PID:6216

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
20⤵
- Modifies visibility of file extensions in Explorer
PID:6624

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
20⤵
PID:2932

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
20⤵
- UAC bypass
PID:4756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KUUkokAk.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
20⤵
PID:6772

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
21⤵
PID:6200

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
18⤵
- Modifies visibility of file extensions in Explorer
PID:5624

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
18⤵
PID:6736

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
18⤵
- UAC bypass
PID:6824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XIAEoogg.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
18⤵
PID:6744

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
19⤵
PID:6252

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
16⤵
- Modifies visibility of file extensions in Explorer
PID:6648

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
16⤵
- Modifies registry key
PID:5136

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
16⤵
- UAC bypass
PID:6608

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PmIkMIIA.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
16⤵
PID:2632

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
17⤵
PID:7020

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
14⤵
- Modifies visibility of file extensions in Explorer
PID:1528

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
14⤵
PID:6528

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
14⤵
- UAC bypass
- Modifies registry key
PID:7048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dYsswUwc.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
14⤵
PID:6396

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
15⤵
PID:6360

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
15⤵
PID:6656

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
12⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:6544

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
12⤵
PID:6644

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
12⤵
- UAC bypass
PID:6588

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CwUYgQAk.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
12⤵
PID:7104

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
13⤵
PID:6872

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
10⤵
- Modifies visibility of file extensions in Explorer
PID:6536

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
10⤵
PID:3204

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
10⤵
- UAC bypass
PID:1492

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MWkMkQso.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
10⤵
PID:5280

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
11⤵
PID:4912

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
8⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1980

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
8⤵
PID:6232

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
8⤵
- UAC bypass
PID:5492

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Eqcwccgg.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
8⤵
PID:5576

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
9⤵
PID:6376

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
6⤵
- Modifies visibility of file extensions in Explorer
PID:6776

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
6⤵
PID:6784

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
6⤵
- UAC bypass
PID:6792

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yoAYIoUk.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
6⤵
PID:6808

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
7⤵
PID:7004

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
4⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:5480

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
4⤵
PID:5204

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
4⤵
- UAC bypass
PID:3756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vEwEUwAM.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
4⤵
PID:5952

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
5⤵
PID:6360

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
2⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:836

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
2⤵
PID:1968

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
2⤵
- UAC bypass
PID:1008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xCcwkIAk.bat" "C:\Users\Admin\Downloads\ViraLock\[email protected]""
2⤵
PID:1924

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
3⤵
PID:1528

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
PID:6304

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff9a6b3cb8,0x7fff9a6b3cc8,0x7fff9a6b3cd8
2⤵
PID:6340

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\icudtl.dat.CA5A3AE6706D57D1008755026212403BAABB67B00450B14EFCF81610645B34D5
Filesize
16B

MD5
9fc575f0ec16fbf950ab44fcc38ea024

SHA1
875572a7f0c02f125b638ffd75dcc7bd146e6ac1

SHA256
2ac3a848717a2b3f6a6c1763a051d092bdc50c71782a8bcb2c4a00fb195e9e3a

SHA512
e54f72d6c33ba390cbffc2494eb0f6e4363788e528ffb270ac6af6d972d4d6c6cf9971167871f2b8ec01b5de1c20ea5fae90036f7fc81a38c3737c38ead0a59a

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_remove_18.svg.CA5A3AE6706D57D1008755026212403BAABB67B00450B14EFCF81610645B34D5
Filesize
720B

MD5
578727e445ffe42d1de2571a6142106e

SHA1
b02b3ca70ef66ffaed60a2c901290472a3dade6b

SHA256
70b278d692789d100fdacc32d6fd40fc87d233deb04e31db3dd2c382f10fe0e4

SHA512
59c9578b11b608658432298e362594e3376a9602cc7a2e03715597d91ee5cacf4c951a9c83ec665d97190a14006ffa63f5796d41a1c3f1e9f6479770b50662c8

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\example_icons.png.CA5A3AE6706D57D1008755026212403BAABB67B00450B14EFCF81610645B34D5
Filesize
688B

MD5
6e997b5c42d7b8fa4f957fde7726fe9b

SHA1
ebae1a56be547cce4568e893c298eb02f2bef1a7

SHA256
ae271fe57840f1e62ab7c5a6f7be69a629c2613b9b7e280d1c4c93658e7bbcfe

SHA512
292f55627521c812727f1f447fa496bc2dde73b1c7f6b251f2bb7b0cb343b165e8405efc0e54dd75531f22f7e911354a8b5271fc055786e445d4daa0f0f97fd7

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\example_icons2x.png.CA5A3AE6706D57D1008755026212403BAABB67B00450B14EFCF81610645B34D5
Filesize
1KB

MD5
37c64b1b5d0c1e279108f97f3d60d326

SHA1
9fefd87fef21c1d30e9b628c4252af323e34f594

SHA256
23f50a5bffb30663dd4fa762c7c3d6b78e6c9967cb1283cc2ce87663f5d2ce5d

SHA512
3d7f4e3b3e0aebd78dad031efea107ef0a4ef093db24cf0b37720295140488e1b4762207ee8fc1747bebb67d3151a1e8ca9986739acb4ee7b3f39045a68f4bc1

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon.png.CA5A3AE6706D57D1008755026212403BAABB67B00450B14EFCF81610645B34D5
Filesize
448B

MD5
8af93d87a3c2da935a31e2eee7ff233c

SHA1
0038ca9ba99a91f41bc473295fe9ba3924a4f0cd

SHA256
f082965578b5770c89dd9ec868f30827b761f71544a8a0ea284317693e92a334

SHA512
aca1c63f735c4a991d2f7a47b1ce9899df1a5b9922c30d3fda3b2b2fda52de200f9daf500d9dbf92c2aa3637bac4175e5e597a08988a9d37e66f636e364ce970

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_2x.png.CA5A3AE6706D57D1008755026212403BAABB67B00450B14EFCF81610645B34D5
Filesize
624B

MD5
94917e0e1738e36feb2a7e2aa6c5eaa9

SHA1
5b9bd2c9295000c2272d6dea3b976bf6ecfbcdb6

SHA256
97b0bf3dba624b7f02ad77473b36400de926587d62afb8a7363fc683dc8a5873

SHA512
c6539c2ad6cfe50a0a5f65e3cd61f8d4bb613b1027c24437beb60c7f687b934ccb9cfb1acdf5278be822c45522b7c328a1cec299b5272bf7652bfe0efefb25a5

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_hover.png.CA5A3AE6706D57D1008755026212403BAABB67B00450B14EFCF81610645B34D5
Filesize
400B

MD5
9adfd526969c564a4e75af95deec25ec

SHA1
01063e0d56cf4dcde03fd08d784352ee63bcf537

SHA256
85b954d8a75b0ed2fdce3d11c45132e79d61643aba68a141ccd96ef312899150

SHA512
b826a5f66bcc95d2d06fc3c9de82ab9e34e54fe83048aca44019fbabf61026e3f31397c29420d5c1d0a3be6bc6d46553f7c5f2eba8f0002e1343009cefaec906

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_hover_2x.png.CA5A3AE6706D57D1008755026212403BAABB67B00450B14EFCF81610645B34D5
Filesize
560B

MD5
a8eaa5920a97802fe3a68b33852c0cae

SHA1
5e252a15ba6c3cc227873a7bbc390c9fa0d4270f

SHA256
83e5de5ec1444b6513948990db47c37133abf0e52b27b22b7984e662bd718e41

SHA512
3b037cca63f7338f8d616e1a2251f37655f1410c11a02d9234f6fa4153df61a6bf13dd393442533980299edd74ea78331ecdbbcf6bc30e59cb594478dd64b654

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon.png.CA5A3AE6706D57D1008755026212403BAABB67B00450B14EFCF81610645B34D5
Filesize
400B

MD5
8e1ef774d07e67454f6493ec6502b06c

SHA1
f6c4d7ea9346a6b23a9ea180153434eaba22fedc

SHA256
1f1d0d81eb80811bfc61700eb1000405b239314cc49a833c542895fdcfe474a7

SHA512
91a864248275a031f8736b8e05fe0c06ce87795f98f8e903612e528de80d3121e9b58826671962b390eca4f433f6912f0bc9e442fc4ab3d44eae1846cd6857ab

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_2x.png.CA5A3AE6706D57D1008755026212403BAABB67B00450B14EFCF81610645B34D5
Filesize
560B

MD5
11a6a2731275e4f31a3a6cddf971fa38

SHA1
7ed35a977f85faef427ca96cfa071df4ddb7952a

SHA256
06f88a82d996c6bc4e5cfa6d849a999bc98ba7245261ee01f16e982dda70af37

SHA512
8a142f5a68531fa85873722018a981dcd496d96a981e0b01e6edb46bba9ce638acd5df26835265d6822f9538bf6f86194add6fe5071d4d199ec54992149eb117

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_hover.png.CA5A3AE6706D57D1008755026212403BAABB67B00450B14EFCF81610645B34D5
Filesize
400B

MD5
8d5de9ffcb09283ef1d036c3ba765a23

SHA1
c01b65348689f819a7290ee93f8cd57a2c12c1c1

SHA256
a253b10506a542009bb9c1043d4deebc25a6d9ff30a0b25301946d0484e4d8e1

SHA512
ed9088711ecaa536abc5266e97e9dd7cd32cca052f64b9e6178a46d6a9fb4b873b2e77b32f69d27779e4d3ba5352e0b1bac324f1fe20e64274fa5bcb08db7328

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_hover_2x.png.CA5A3AE6706D57D1008755026212403BAABB67B00450B14EFCF81610645B34D5
Filesize
560B

MD5
d8e0b574cbff98a0c0d49bdca137cccc

SHA1
b3c43b7bf1dfebdb9b2e6bc58e95fa253dd0a2b8

SHA256
7226063ea31ac3ccd21a98c50255ea73a8ba30b3b8f8712e78024874b06193a2

SHA512
77de647a3989b9650c4242f2a1a4f38a9a0298d1033882e0a86e076537228432d32294e2f98145854a4c3799e8d62622278290e617da7f5062437a7643395e07

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\icons.png.CA5A3AE6706D57D1008755026212403BAABB67B00450B14EFCF81610645B34D5
Filesize
7KB

MD5
1b7e5bf69c07720b0d17eeac89d8581a

SHA1
5cfd534d17b156108ef2a993f96edfe18003b8e6

SHA256
68ed8bbe3367e39d892bf8972e4c2744238d19f8121aa4cf79d61f8b2c2dd5e1

SHA512
d9a4d83edce7e3899fee9f476dec4b4614b2ef7c4c636c44c97db132d249d9c2ddcc95d27d651a624741eb0456b54ec909d9a5c8d3679c2987ece74644b32e47

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\icons_ie8.gif.CA5A3AE6706D57D1008755026212403BAABB67B00450B14EFCF81610645B34D5
Filesize
7KB

MD5
aa931e956b5601fb54a1cabd1344a129

SHA1
482cf282a88c6b29e702136405c3d7467c18c5b9

SHA256
f9c51ca94a3ac4ad079426669df634c2200b9e8339c31095520da3f35097bd25

SHA512
93d55e61191b35b835f45058986a1da835d5a04fa5aa76b12b34d0acf2d1c597af6c544e625e8c920ee9bd6255c9d36292dcb8eab81e9cdfedf1948a4f12f216

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\icons_retina.png.CA5A3AE6706D57D1008755026212403BAABB67B00450B14EFCF81610645B34D5
Filesize
15KB

MD5
428b19b836765404fc02a9255e5b660a

SHA1
69a6c5e766c3325c24a0325072c4832224466b35

SHA256
7199971c067d64987a7194b37a53eb6cd166ba7ab578669cd68443c581bf9fe5

SHA512
e9419ef2d59eafe6f7027dcef50c84cb2e1d35dccb715a54d7c1073e580f8216d2b435368e0e0e1519b1f24fe220a6fb48e9dbc777f21f31ed911b8d2ed085e4

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\new_icons.png.CA5A3AE6706D57D1008755026212403BAABB67B00450B14EFCF81610645B34D5
Filesize
8KB

MD5
6485db5780eb6b45dc2c002e520a9b5c

SHA1
160641ab91834f308a5fe803fd8c8fc6ed6a3da9

SHA256
1ed703d5eba66d2538866c36b23097987ee2e9af5a7353f45950a72fe92d75e8

SHA512
ba9fb2b1f8f4e4ed4985e67eca8844cc8dc1d762418d503978ad73eda58426b9b13b85aa0fca338821654f176e524f518d99d4c1ac09a581662166a085cf721a

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\new_icons_retina.png.CA5A3AE6706D57D1008755026212403BAABB67B00450B14EFCF81610645B34D5
Filesize
17KB

MD5
20dcf42ae2f73c5ca87e29a76098bc58

SHA1
d4e939583be59e60ec1bc9a52630c83a02cf4cea

SHA256
778f3bceab39e66fef1d182d1c549e4aded0e508c161dbf058bffeaa3771940f

SHA512
d34c928a621f4097f73a489f024ce0f015e4da87c99655f0a12d12b364463b1b1d2266ee069a3c84349a973f54c046cb6be8d6b8bbc6f1dc43669c5e4155d3ae

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\bg_pattern_RHP.png.CA5A3AE6706D57D1008755026212403BAABB67B00450B14EFCF81610645B34D5
Filesize
192B

MD5
d5c0fec763fbe22a1f70a6b3128504fd

SHA1
4d9b77e23119a3878e197fbb47059bac0f3af5f0

SHA256
0b8a41814483997d14e414c624158e8cde5886366902032cbef158ededc9236f

SHA512
b9f77f22efab56ddad04574b3367d2578e3fee7829654ab44ebd671b84d247db96fbf49001f994221c83ce7c500a1d2d115b844295e3a2c5c42d632aef42373b

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\bg_patterns_header.png.CA5A3AE6706D57D1008755026212403BAABB67B00450B14EFCF81610645B34D5
Filesize
704B

MD5
cf2ffd5ad8846804d62672f8909f0f49

SHA1
44e2a74eff484ec8eae3a154ca735c2de939e9d0

SHA256
2ca0c3e6300e3aa8821ea8fb0030e8a2f0cd3391515249188c5a764ea2343ec1

SHA512
6c48941ac4f411310e8e304a06ace19b301f432793252e8548c9e9c918637bd2ae1e0359409eeed0d45a24d9c964683cd2f225cf771bed83e2520166c80e7d6a

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\illustrations.png.CA5A3AE6706D57D1008755026212403BAABB67B00450B14EFCF81610645B34D5
Filesize
8KB

MD5
5aabcfd25c2eae6028f5c434a495f2f9

SHA1
c75a80d8785bed3eab78caeb1b9d16725a9352d0

SHA256
90eb0aaa0e1e1a89e607dea9250f841762f9c510108c868ff6e5480891fa7a49

SHA512
680cbc79f7bcfad27f2ab5908c669bc363d2160aa81b40ccf10a18309b81a019f2172df258c4d8b27e2fce7120c65dd4b50b92630152855ff682882737da015b

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\illustrations_retina.png.CA5A3AE6706D57D1008755026212403BAABB67B00450B14EFCF81610645B34D5
Filesize
19KB

MD5
2971f6f133a53e640943a7369066c242

SHA1
b3039b64bf479a2df89c498fd0ffd47938618e17

SHA256
c311dc8c3d9b6fe224e2d872e5d5c6976c73641593fd0a49bbadef558392945c

SHA512
c25b2509cfda7cd9ef6e5e4544f193e349efb3ccf5bc2bd699fdf414e303c9ebe9260ce862ccd29be0a0738712ec9e301bd9f35184d04c1a2308944f8728addf

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\en-gb\ui-strings.js.CA5A3AE6706D57D1008755026212403BAABB67B00450B14EFCF81610645B34D5
Filesize
832B

MD5
ff5dbeb7ae5d2c24c4147f96f29ba333

SHA1
527e21a9fb9226425cb4409c0dd4dce5ca88c331

SHA256
38a341da9bb81cec29b95dd6e420d3ec15febc902ddd3c5c9baf677d9cfbf3e4

SHA512
6668ecbc83f4370bd3257123df17ab7e1c52fd808136db64dd92d7ccf0d17c2f23238a9c51120445036a504fefdcbbacbbcedb75da7ed51c1a9e94d96664f47a

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ui-strings.js.CA5A3AE6706D57D1008755026212403BAABB67B00450B14EFCF81610645B34D5
Filesize
1KB

MD5
e5ff7e90347bf7886fdbe3681734d739

SHA1
363b948c402cf119600c60fffb7ca471cc3d290f

SHA256
2f5bba556b96d14315e604be44af174c3bbda3a746695de5e86553a0c4008436

SHA512
430630f4c5805753e1abc71e91505fd8335d46b2cf5c75045dd9158bb9b12d2e5b7cf6c861eb23178a9767522bce27961b22024b7ff666fc00730cbac879741f

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ui-strings.js.CA5A3AE6706D57D1008755026212403BAABB67B00450B14EFCF81610645B34D5
Filesize
1KB

MD5
1dfa5ac9bad0255d0b1f6cdf13e79dbe

SHA1
991ef241368d74b2511707d33642e659d49a5077

SHA256
47cdff30beee4f55665e82989153445c37dd336e6f29b725341f2f2312f2b335

SHA512
6a75e6962471d8d936f8ba793177b5519add0af609934dffeaea2bbef830a5a5a8aad2232fb16cc514cbe318f5b72b67786ce336926d4eded67bf4cf0ca623f1

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\css\main.css.CA5A3AE6706D57D1008755026212403BAABB67B00450B14EFCF81610645B34D5
Filesize
816B

MD5
9e66257071c513d7222ffd09877ad411

SHA1
dff7fecbf8df15096680fdc1e4440ed73da8109b

SHA256
ad75c334926f1bfd6cccc9d517db9ce2b94615db1b015552c8ab1418a427aef8

SHA512
4ba6c563075c5fb799f0b1a118463213d69ce45f38db001b3ae4ad0d49ec37f34ffb481833614483a8468e75f0d7359f73d625f4a2ab031fe21a5b6e45f3e04d

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\bun.png.CA5A3AE6706D57D1008755026212403BAABB67B00450B14EFCF81610645B34D5
Filesize
2KB

MD5
2c446bf24ed91446b4fb94ab269ed243

SHA1
f423911a5309277b88fa78fe2b65877b36442cb1

SHA256
57ba6ac0b2b17c9b6a938f98f0a63b575afc4ead4411d88d158815c36135fbb2

SHA512
712afdd250b15899a95ac1afe710fbcb131256b1f1b7f92d2f3e6d3dd3951b8102de414fa7f4420c2835cdf30df149707c9c61fb94f6ac4c72e9594233ec981f

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview.png.CA5A3AE6706D57D1008755026212403BAABB67B00450B14EFCF81610645B34D5
Filesize
2KB

MD5
034891fdd1e6f2e09646dc2cd4ca9fb2

SHA1
40a1223febdd4534fa4b490d6357704e400f0e28

SHA256
c0df86eeedceac852618b9a6221d75670471a1b377febf2febe65dd5ec9deefb

SHA512
7b77b3accd24652061c73c6065f1e6cd1fc615602d0942bad6409a068575f558d4ba588fa2707e47125a18942fd7f04ee5e5ed604ad4fd883c60811e6ed8e9d9

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview2x.png.CA5A3AE6706D57D1008755026212403BAABB67B00450B14EFCF81610645B34D5
Filesize
4KB

MD5
bb6c272eb4e1efd531ecb906ef57afb2

SHA1
260ef8c0b7c9ba27c2d41a6cdd4f81d617e3253b

SHA256
ea78b2f243f8dc23106fcead3922c9b580222ee2249f9442b913daae17e649bb

SHA512
3e08b191b218fd8b758eec90837d01ddb9110b512650ea1f3cb395827c01e2954ef95f281f840cf51fc4a4be3ae42fa545252efea39eef40dd6d2fe18fd392d0

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\dd_arrow_small.png.CA5A3AE6706D57D1008755026212403BAABB67B00450B14EFCF81610645B34D5
Filesize
304B

MD5
7d18b7e95edf05f697720ac8bd0bab68

SHA1
14af1aa5ed78c8cf55313c625bd330a66ea7b4e0

SHA256
5da67f2d1105f076ebf61f6ee5706b3fb9ec72336356c4d47e4fa8938e22a506

SHA512
923c84fd072d2b645a98723ef1d5577d1d68d523dd4726c75dc834f852b654f1161ee8088df82f31dbaacc1b0958cf667b90f0c4b05be7c7ee15686cbca9b352

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\dd_arrow_small2x.png.CA5A3AE6706D57D1008755026212403BAABB67B00450B14EFCF81610645B34D5
Filesize
400B

MD5
53a611d0dbfbe4a024c166bf6e95d860

SHA1
9316cfbfc455a2469c344fbbff5f132316161ab3

SHA256
f2bbd58685ec5cdc4a75c1fec51710e2ff01b5a322a7ceda62645bca22bad143

SHA512
bba71cec42ea1e5707bf2cc6a97d2dede1ed225040b26f5eb06644fa93a8371f168dc9f1d2097a2b2f3bbf428a89eff787c0cc7f8c37b41d847984f622dbd7a8

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\nub.png.CA5A3AE6706D57D1008755026212403BAABB67B00450B14EFCF81610645B34D5
Filesize
1008B

MD5
2e87b8204ccb052dede3e0c997c244e8

SHA1
e530532e36f5e01c17897db9458c1ebedb4583ee

SHA256
584c308a138e030500d8568d5bf415fcb22396fc600d9144528877511244f657

SHA512
f1e6b9f9c1e0843b487bdd787e3f5a92298d286b302316ed6fdf4a1dccc49c453a5ff1dcb5316c026c7087bdb23315cecd6e42c929cb506446672b50805358b9

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\share_icons.png.CA5A3AE6706D57D1008755026212403BAABB67B00450B14EFCF81610645B34D5
Filesize
1KB

MD5
a7282b6f14cb7a36b661f23d10a6bdb5

SHA1
c32dc763dfbb57c366128fd6fe46b8b2e8979390

SHA256
9c2c8c8aa0b003cce989df4701eb0a5223b325a03305673d7cdc0815043af21d

SHA512
68a9fc28b3a27bc4d51531c494c4394d5280f159f8a2a39b1f510c7149ab424d84f49746c2cdea815f5aaa2253a9144628da0e192f892ad3dbc68186ecf3a3b9

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\share_icons2x.png.CA5A3AE6706D57D1008755026212403BAABB67B00450B14EFCF81610645B34D5
Filesize
2KB

MD5
5ce692ed4cdf7fedc4bb037ca52b27b7

SHA1
beb9b8e5b2fea610f97c9b21e7d26924881cd420

SHA256
cc5ef839225c59ba211fb6ac2434ce1f4a7a69c0bd92aab473fe383b95803ffd

SHA512
61ccc58dea22741508565375baf987f8225f63b01882ba387630602280869eb6177bf7897d71f2d4530933b51e690f93c7871ad41007d23346d9292b26d20edd

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\nl-nl\ui-strings.js.CA5A3AE6706D57D1008755026212403BAABB67B00450B14EFCF81610645B34D5
Filesize
848B

MD5
6ae31836db481542ff600592804d87aa

SHA1
df49feca50b2fc43355711a151d173753e2e0618

SHA256
a620133068c39d1ba5e662414e84997e3a5aa33ae0baae47312ab14f260bf46a

SHA512
0dca06cb337773f58e20f8533f1200beb9cf8f0911d7b283d819f9a3582fb30519a406dc3499f23b82fa52c2755e3c8e4969179a085a195ea0eaad262c4537da

Download Submit
C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt.CA5A3AE6706D57D1008755026212403BAABB67B00450B14EFCF81610645B34D5
Filesize
32KB

MD5
1c267aa92f7c867267578973be09125f

SHA1
69499391fd66905387bfb5493d01aad0d514bc65

SHA256
28f4c64052ae1f65792b77b37552943bc8a8437e8c6cfd0394487313e2c39707

SHA512
79d7eb95e391b2ea8d03212cbdd2f4c5df76501797bf87bba88046a619e982c10dad6224659149d31234c1d8224b483969bf79602307cb9b440858d96bcb7550

Download Submit
C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\dao360.dll.CA5A3AE6706D57D1008755026212403BAABB67B00450B14EFCF81610645B34D5
Filesize
596KB

MD5
d219abed1bb4807baf2d9facc0b44796

SHA1
3bd11b7cc4e94d990b28fc55b9de3878100b379f

SHA256
c11aff4d7b61059bb1033bd5fe05df2c2ac031f5097450a6da8dd16d0d1bf9b3

SHA512
7a0df8c5264e77137ee825298328a94c246f2297ea87da19de212b58c9282163e1b3102f6eaf0b7d86c52619e0ada7c39584057d6df874932961a8d822ac286b

Download Submit
C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\dao360.dll.CA5A3AE6706D57D1008755026212403BAABB67B00450B14EFCF81610645B34D5
Filesize
596KB

MD5
8aa2e4c3d146b587d6e5d83c40905634

SHA1
2cccda30176111c2af5fd48fb1788d86f0ec1850

SHA256
b7bd7ad67ee1e02e456e2489434db2627ff2eb466d96b84bfe54185d72a069a7

SHA512
734014d4e5560752bd55565675c15bfe704408a1ae8f413df71b351348b4caf6ea1d862e9fe3725221b155666fdf7364bed86cad97dc846d3f7f067c342127a3

Download Submit
C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\tifffilt.dll.CA5A3AE6706D57D1008755026212403BAABB67B00450B14EFCF81610645B34D5
Filesize
184KB

MD5
64629daa8142a8bf6799f59d92e9978b

SHA1
3b3e6800a0ea23405efcb894febb104f98fcc401

SHA256
372192abc1671394ce2068c7fc9a80b028f0121a1dde0ea02a3e8ccfa4fb15be

SHA512
a12378ac1680dff1708b05faddd3726a29ebdbb6878a19ebf4b05e27b0ca2803554a254d845951d548ee75414817f2ca3bb5b0d9505260b762c93dfe0b7e6c6d

Download Submit
C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\tifffilt.dll.CA5A3AE6706D57D1008755026212403BAABB67B00450B14EFCF81610645B34D5
Filesize
184KB

MD5
eae5f812d160d8aa557e2f7a72117a29

SHA1
7ef17e0b0039f5b3c1c6b16dc92321bdc3dd9b48

SHA256
d4465ae2d28d85a3a91eb42e71d755dc024c25b35dd9e89d849d9ff8bf9efeb4

SHA512
5afa2844062b20f509e34640a462a20f52a6f8bca0c3804b7102303e9b6339f975a28e7a99ff487919728fdc7ad74a1217970e19d743bea21a324a2659edefcc

Download Submit
C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\msinfo32.exe.CA5A3AE6706D57D1008755026212403BAABB67B00450B14EFCF81610645B34D5
Filesize
267KB

MD5
cbf442008b8f6de29a4e8a9cafb6e2b2

SHA1
e26a903969ab06984e0a8b6098e78e81b0703b39

SHA256
beba888150b13f9c52c95d372ed7f27878ae10be76006efe7ea53e800b76a987

SHA512
4b5f1d10d14748d109c750d8ec4e270224396146ca7be8749668b9d19953b24c646679e4252492c6c55a0987d1ee1c26b1df1acb3eab48ef058233fc3fa3c187

Download Submit
C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\msinfo32.exe.CA5A3AE6706D57D1008755026212403BAABB67B00450B14EFCF81610645B34D5
Filesize
267KB

MD5
996a94d82d548ddb91aa323d22be113d

SHA1
393bf0b139581e0a9ad32f701b424fe1b3b7f5d7

SHA256
87fe0c309f299d86c581fc200765c6e5d6e581745b3e666a4774bd3552132f67

SHA512
0c5b64b07e6cd00fae5c3b2b7f3039b51fcb2989cee01960f8ca020e244aedcf6ca499fa71553b83c2f9640e8565e5fa4b12c6a192378235cde4fa45297a3001

Download Submit
C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\VGX.dll.CA5A3AE6706D57D1008755026212403BAABB67B00450B14EFCF81610645B34D5
Filesize
802KB

MD5
8f07066a370746a7a1a9535af6ceb652

SHA1
2664a6882d3c32ef5ccf36c980fe4b3dd205e11f

SHA256
a852b6e8a47348bab5586dba58b8ff3f1de13f49197f1e440fb62a0f59875d1a

SHA512
1b91408cee749d2d83eeb46f0bf36395bd3139fa8f0d138f959b43f0dfae28402bf617e301e758c197c5f94ec9e9a197ded69ab1536c1f07c8b1e5aeaf73f51a

Download Submit
C:\Program Files (x86)\Common Files\Microsoft Shared\ink\InkDiv.dll.CA5A3AE6706D57D1008755026212403BAABB67B00450B14EFCF81610645B34D5
Filesize
303KB

MD5
bf74b515c0b7c4c916ecb46ef527159f

SHA1
451c2668c65d86051fbeb2754c3276cab6cd122e

SHA256
f4ebd96314409ed81680a2537f8ec8a6dc229ca860afbe62d4361a683ec9f43f

SHA512
019a59d541da74b63ab449eeab78c587df2d272caf8b4a0c1f64f6bcbd27ead21d73ce1c46e9234dd6a0c671451292757c125ca16eb157c5fb3651bba94b546b

Download Submit
C:\Program Files (x86)\Common Files\Microsoft Shared\ink\InkDiv.dll.CA5A3AE6706D57D1008755026212403BAABB67B00450B14EFCF81610645B34D5
Filesize
303KB

MD5
f64218eac62da6568e5e0142d5e368cb

SHA1
f7c65e8fc5ec011de11c047c3aedd8ce5903a253

SHA256
84b1acda6a7e4a53ffb8f66e5b4ef32b7e18d1f39923134ccb3fa3674eaf8648

SHA512
b276aa19573f65cecf1d0a53c28a9aec5c13feea9583a5c0462cf8e5a2e5773c797b4ff62462263575875482366c216dce42af9b03d3d5282c61e388128375c4

Download Submit
C:\Program Files (x86)\Common Files\System\wab32.dll.CA5A3AE6706D57D1008755026212403BAABB67B00450B14EFCF81610645B34D5
Filesize
740KB

MD5
3236cb51b33000e0bcbcafab323948bd

SHA1
d5fffee94ed4f45e11a4156abd32311413ed9b31

SHA256
379880a31fd4d66f4b6f1b55dc6fb19bd8fb5a506fa2079aeac21e78b5d5ad8d

SHA512
511be945b18b3018e2ddf0335956b5fae9c95da2ae773f81f2fc8a39ceaa6b3e203f1b3b177af991689e2a64c9f908d99213734f2e028a2d01cad18ec6a6ac79

Download Submit
C:\Program Files (x86)\Internet Explorer\ExtExport.exe.CA5A3AE6706D57D1008755026212403BAABB67B00450B14EFCF81610645B34D5
Filesize
47KB

MD5
3c827f1d1c7f6e828e348b50a94e1b81

SHA1
f762fcdb4039c274f0992d7cabc65aa1ef877562

SHA256
7e564f1ac1384e8c5b9771513b2d61feb54c73f65edb6ab277ba3519baf3bdb2

SHA512
a085b0d5feb61b7b41e4e080927ba77e068e3d3313a897dfa9616c3ff141ad5f19f72c27bd3cd220e65671949b6e6317e320387a7f71b84782077b5b74e177fe

Download Submit
C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets.CA5A3AE6706D57D1008755026212403BAABB67B00450B14EFCF81610645B34D5
Filesize
7KB

MD5
d194eff970bee061a6c1df3040caa555

SHA1
9d93f98c1c8823478988cea9a68d94824c122d51

SHA256
84a023430f0c33d66a5ac088e201523706d329d1223f5bc8106f872bb564a7b9

SHA512
ebe8a8667d41e5a77fe7df0f962ebe2888b9f43b0c0b91cdc2a053b8f3ba34c7d106b3c17ad1a010d4ec67e76bea1c14497bf93f73fb8c8afd40e7f0bf0a5bcf

Download Submit
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\PresentationBuildTasks.dll.CA5A3AE6706D57D1008755026212403BAABB67B00450B14EFCF81610645B34D5
Filesize
584KB

MD5
33743f013ba99949c772edf9f569d8c3

SHA1
d20d179596634c9c3b5963b1606f8ffaecf0f9ec

SHA256
e55ccbeaeedce0cf73018f5c834ff1409bc12e713f997888c65172c8c762a425

SHA512
605fba7294334d28e564faf84de6b202e6a58da66679cb633ac49d050f0b763d3612f8ecdf38cebcdc684ead156ff772e28d047dba5a63ec3986768d8226a048

Download Submit
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.Build.Conversion.v3.5.dll.CA5A3AE6706D57D1008755026212403BAABB67B00450B14EFCF81610645B34D5
Filesize
104KB

MD5
faced7922b6bfca9ec6c78a6fd12d65d

SHA1
ac52b0a7b1beb9d34c3b32a3d07aaec61e19c9fa

SHA256
1233b678d20d6253d4dade83c781ade4fde3b0aec50d8d13608cfa04a1293eee

SHA512
47353b61f724f935cbe5108f204dcd004116bab107992857053d3382ec777440067dee7bc657ef03efc167aae21144794dc6fe4f30bf73f48635b8dec959cdc7

Download Submit
C:\Program Files (x86)\Windows Mail\wab.exe.CA5A3AE6706D57D1008755026212403BAABB67B00450B14EFCF81610645B34D5
Filesize
505KB

MD5
07213b775463c5271e647d8d83bfa4fc

SHA1
88360ad96996e2d0086ae95ac645a55b4d7271a6

SHA256
1f272cd09edcde06d26c77ad8ab7f1f8700a4fd34e65e9453d677228fff5ddf6

SHA512
35a57ddde34b095c521e5047fddcdd8b11290f52723efdad56747afde41bbcabb805c58de8dac0122d25d97c5c05d443608f87d23a34ad673bc6f0c1d3fbaa63

Download Submit
C:\Program Files (x86)\Windows Media Player\mpvis.DLL.CA5A3AE6706D57D1008755026212403BAABB67B00450B14EFCF81610645B34D5
Filesize
161KB

MD5
2e993b1c65957fad31c45428c79b7679

SHA1
7af919af32ef38db5cbe05fdda0443eaaed3843c

SHA256
e7b5aaaed9dbcc2e3b1b02bcbfcb51de488cd5e221082b8fd3c74dc92e805099

SHA512
9d76d1712a8122818ed32ab509b70ebf1f2b53f3f299f329ce2b9f7765334891fad518cba397fd0bae9ab49829ca533bfb315dcbd07189c6645e2f3a3ccb4c61

Download Submit
C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe.CA5A3AE6706D57D1008755026212403BAABB67B00450B14EFCF81610645B34D5
Filesize
2.7MB

MD5
8baaead7d1bb2bd920e02808890ffcdf

SHA1
dcfc75b44855cddee22d3cb2caccb6911f9d29aa

SHA256
9e85913433e63f2635d76ef08b02b944bb461793fb5d494d29d7b4a528194c1b

SHA512
dd1cd5cafe169eb63213636389b8895a8a716de3aa3820f47258f800d9581e0025c4cc5549ff46aeecdfb4b0ddb82930cc50876c821abadae7489d3d9f6ee434

Download Submit
C:\Program Files (x86)\Windows NT\TableTextService\TableTextService.dll.CA5A3AE6706D57D1008755026212403BAABB67B00450B14EFCF81610645B34D5
Filesize
622KB

MD5
23308bbb35a278ee52b2e46c6c552a3d

SHA1
408677966678883b2b2edf8d63fe731fbc687ec2

SHA256
db553631265cc2c28634e3fbc736b148a29cb1d8db68094ed81498abfd486966

SHA512
5f11bee9d8bb6595bc152e475b8d3e700b964d2fb5075a8bd95dec84866b64141bfce81ceb9882075bdbc55bfdd62ff817013e9b23ede3164de4dd373afed014

Download Submit
C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe.CA5A3AE6706D57D1008755026212403BAABB67B00450B14EFCF81610645B34D5
Filesize
93KB

MD5
d21268a96061c3163d79a6bcec95c7e0

SHA1
bdabf330f641c9cdc0cf2c5aebd4e0c4b959da0f

SHA256
15ae63cb70c33c729aa3a99f0e3c61faa1f62b30eae2119d02dc7dec1605c2b5

SHA512
88324c4beab1e7480d4feed2489028433976ba652bd72cde068dd59f42b62312d125cdb5d9209a9d86e38af3c48a1368096466afd5f40c00bcc6c48e8e453fab

Download Submit
C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Microsoft.PowerShell.Operation.Validation.Format.ps1xml.CA5A3AE6706D57D1008755026212403BAABB67B00450B14EFCF81610645B34D5
Filesize
3KB

MD5
9a4ca76b1c6433d03438a1256f30f091

SHA1
9ed5f1250885d90cb0e00e21410ac4367d1802fb

SHA256
57d1b05b6a90264563571633682769780b15c1f207acebdc9f1a1214140914c7

SHA512
df657cb119a27140f2c08ee207e0442460c9e2b629f9fcebe784786973b254d3297d037ca806f22ea27e7c6c244ad63913ab6ffeec7a043afbe2fcf3cc28e2f6

Download Submit
C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Build.bat.CA5A3AE6706D57D1008755026212403BAABB67B00450B14EFCF81610645B34D5
Filesize
752B

MD5
d11c854a98b0ca5fdf5d2c7d9825f92c

SHA1
88ac8f86490cb3a5880fd38dacd3685b96420b80

SHA256
45a6db79bc1d543be841f972fd8054d59e0d80edbc531d75e52a83ecaa660dc5

SHA512
898ad21b6038bf850613ade4e13f37c44384e6d8e1f3fee8435569f9d729cdbf3a226788106dd7923d191952343ca83132bcf75177e9de7048c230b1b1a1ab96

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
96899614360333c9904499393c6e3d75

SHA1
bbfa17cf8df01c266323965735f00f0e9e04cd34

SHA256
486e4b4bb11f664c91c675e73cfeabe53b5009ae719459813be17814cd97e43c

SHA512
974735b40a9f92b40a37a698f7f333590f32ff45633c6e619500e74ec274bc20bf7dbc830b1685777b714d37a3ca103d741ee056f4ff45ef08c07b38a7895df7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
19a8bcb40a17253313345edd2a0da1e7

SHA1
86fac74b5bbc59e910248caebd1176a48a46d72e

SHA256
b8024fbed11683ef4b53f5afac0ff691025b7eecca0f6a95737da1585558227e

SHA512
9f8780f49d30aad01b28189804329aeca6ad2b7ffb6be505d40bb1af7802bb62622f518cb1c43a5815bbbb46638f6c52aead3d68f14fa957d18157edb42e95c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000d
Filesize
236KB

MD5
0575625e5ced1be9f4018c5afa456406

SHA1
70f86daa07564d318c2825e08e2f70e8bcbd7967

SHA256
37e612d9c4d2fdc46c132a1ebac107c720e45135f5c79956140f8d38a951332f

SHA512
992f17fe1348d9f4d5f3870302a268998194e8d59c1087b3474568434e8dd90aeefe57aff7d0caa91fcfe7239cf9e9f38094b3767ae9d9bb592c41942282088f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000f
Filesize
64KB

MD5
d6b36c7d4b06f140f860ddc91a4c659c

SHA1
ccf16571637b8d3e4c9423688c5bd06167bfb9e9

SHA256
34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92

SHA512
2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010
Filesize
69KB

MD5
a127a49f49671771565e01d883a5e4fa

SHA1
09ec098e238b34c09406628c6bee1b81472fc003

SHA256
3f208f049ffaf4a7ed808bf0ff759ce7986c177f476b380d0076fd1f5482fca6

SHA512
61b54222e54e7ab8743a2d6ca3c36768a7b2cf22d5689a3309dee9974b1f804533720ea9de2d3beab44853d565a94f1bc0e60b9382997abcf03945219f98d734

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000011
Filesize
31KB

MD5
143851213a8c9bb73c3df32d032b5fbf

SHA1
9a08b253f9298b3a0abfd2848765893b9f684bcd

SHA256
9e9b586a3286d9c7df98e2b06517acf8cd21079a7e9d4c319233a8db6baa964c

SHA512
baebf636d3650998cbce2a986e88eec4f75016b7936d095c58330bc30c59138bbda32d19bebbb57b26f582285d1f8840b70b93ce55e5d58fc2fbc5a6c7311188

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000012
Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000013
Filesize
65KB

MD5
56d57bc655526551f217536f19195495

SHA1
28b430886d1220855a805d78dc5d6414aeee6995

SHA256
f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4

SHA512
7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000014
Filesize
88KB

MD5
b38fbbd0b5c8e8b4452b33d6f85df7dc

SHA1
386ba241790252df01a6a028b3238de2f995a559

SHA256
b18b9eb934a5b3b81b16c66ec3ec8e8fecdb3d43550ce050eb2523aabc08b9cd

SHA512
546ca9fb302bf28e3a178e798dd6b80c91cba71d0467257b8ed42e4f845aa6ecb858f718aac1e0865b791d4ecf41f1239081847c75c6fb3e9afd242d3704ad16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000015
Filesize
1.1MB

MD5
764666e3debd6fe7ff0c0b625a41a62c

SHA1
d89070fa6d0ce0f1d23a734d7dd59df17857e002

SHA256
eb96750ea92f4a0869b8bc96e6da246127aac54b53a336c924c7a7bec891258a

SHA512
ca32adb6382b05f136afdc5328729ec2af14afab7a55fe777e06499ad2dd11550a09d278432fea9d9ec831ecf5d4952f08a8c1abbf299f2db9f226dab1bdf1c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00005d
Filesize
393KB

MD5
61da9939db42e2c3007ece3f163e2d06

SHA1
4bd7e9098de61adecc1bdbd1a01490994d1905fb

SHA256
ea8ccb8b5ec36195af831001b3cc46caedfc61a6194e2568901e7685c57ceefa

SHA512
14d0bc14a10e5bd8022e7ab4a80f98600f84754c2c80e22a8e3d9f9555dde5bad056d925576b29fc1a37e73c6ebca693687b47317a469a7dfdc4ab0f3d97a63e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00005e
Filesize
132KB

MD5
6a47990541c573d44444f9ad5aa61774

SHA1
f230fff199a57a07a972e2ee7169bc074d9e0cd5

SHA256
b161c762c5894d820cc10d9027f2404a6fec3bc9f8fd84d23ff1daef98493115

SHA512
fe8a4fd268106817efc0222c94cb26ad4ae0a39f99aacaa86880b8a2caa83767ffe8a3dd5b0cdcc38b61f1b4d0196064856bd0191b9c2d7a8d8297c864a7716d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
0f9fe227caf02d1f05248375a77fc781

SHA1
f5201a0be45ceb8a81bf51cc47347ca5435f51e5

SHA256
e1fe841a646d42a2290a615eadab5ee8c85410964cf7bc275f38c272b5f6f971

SHA512
e342cf8f14e80db309bd6c7e01d45022beef1bf86ec2a6a504260db8ec44db5e1175700878ca0804643dba2ff0d03f0570c6128a1cc8d067923364decde43572

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
4KB

MD5
7d7dc3491291e2f233e2b7738cc00f09

SHA1
ff74c04c2b565477f10aa2d222fc7878dadcf247

SHA256
a98c3600696704ccbbffe79bac8cb5b513ad00656adf267acff857d895f4d65e

SHA512
9d8dd6534d5f1f4d28bfb15f87cc6998f7c767ce76219ebb7a57752841045336494fd1e9cc5584709bcbcc3b2b15707917a6b5c7349a8410e3185313ca58ce5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
5KB

MD5
82c2cacfc22cc39c602f420031abad3a

SHA1
e92a877fccd324e1ec2c0afa6a79d15b56e233c7

SHA256
d21aaa94b34a67fed4989762fc09a46169484c24852e68eff7d35e91e16024dd

SHA512
585f19da514c6619348da4b8c29e2a555f0c369cec4400c2407d0f49c79483bc2a5a609a674c25ec194aa6886b58caff9dd9770b958898a62346301e07b5219e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
562B

MD5
20d59204d2f9df9f5085287f08452ead

SHA1
94d14ef182a30040b92129dcefcfb8fcb9688b62

SHA256
59d961eac264baa586f5e9edcd66dbdfbefe08be2d67f371b74e260d34bfaf87

SHA512
d3518d35ad6c177edd3f36fdd872f420f4f6988ea4e11633fa441aa76951db46c47d31206133f3449e024ab3a637e76b13ec08d1eeb5d5264b73ac99dd216011

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
6KB

MD5
502bda715b3ec5f64545576939c8efe7

SHA1
a7af00defd18194a489fe0ecc8188c75896aed37

SHA256
ec43937531385a5ce652f239f71102dd119a47dab09599a31fb24c7be6428ef3

SHA512
6b855a7f4045e476221ffedbf8491946e2ba2c143b3b4f9b2c773344f7314a90ce5f228a5e45452cda5577ecf9ce842cf8a884a226835c83d48e78466579af0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
562B

MD5
c4a215f378aff8ee01a8073d0ced6110

SHA1
18632b6c91095e7b41337dc55f11e02f52cccf94

SHA256
ea2d050ff3075c8efc4d649756d8a97421b0c7acc1d62b43d5af9a9cfa323fc7

SHA512
13830fb9fa2da3be865c7b82b7d2b594ed5d0bd79cf210e74e98c787de76dcb9e30f5e2f9ee12a9864007d32ad6515e0cabcea8bed07577dae312492f71e4461

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
5KB

MD5
b30b1df4c1615d8350283fd9e377b1a1

SHA1
bb4dd813c49e832805dde1d59cbb41cda092e562

SHA256
3f96c60293a10db054e73240220fb536ffa093b23b679a7375e4a52f495dd68d

SHA512
14dfc83054ece873c1f8d057f94be768dbc3cf55ef995c8a8a681ed132d71ffb76b60bacea7c1d04775606e2d77f9617728c4aa51566f50645a02f25d5715af6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
6KB

MD5
8459c4f00fd900a1ef8328de8972de86

SHA1
e67918e6e29cd059a29ac10e9983af3dc2e98e88

SHA256
d9255bfd0b48c2d2804e6acea1f347cbd8a3c14d4b8b8455eb714351174c71fc

SHA512
6b7c9dbb5b22c801adfa66590975dbf370febde75306d655092f7804fee07b49bbb43bb5d0444fbd1953d2373c4b880e1ae2c007cdcb7f8cc547b00a734a0450

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
a8eff0b7869440fd519d73e1bcb797b6

SHA1
cfb59678d51535a66e0fcd2195c866a31f6ef30f

SHA256
f49ce8f90fdfa469b0a4037ee416f1b916cb9c22f422f49c0e9e071bb794a96b

SHA512
da5f307b79ed4465549f0393a2837818e3c562a758cbc8beb1d04041514d79b7a9fc761f0d2428929c341341d6fc3cdc64640db2415bb5ef73a85f2cb038c6cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
3d23f24088714bb50c82b1dad4a36159

SHA1
a107156bc376cc2db6c99d81b4bcfc0354cfeb33

SHA256
9dc66fdffa9e8b8eea82189d09958817512a225851df62ff587bb088d2b82f96

SHA512
2cf2ea8375b0e76131c7e8a29016abba16829d67c593f3ed390b348f48147818e19c6c3ab8a8433b2eb9c7f89776ae14bb40ee2d51c6e374e24cee211fec4545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
8KB

MD5
7708af25c353c2874c20b1bfca479403

SHA1
aa624b1e8d45d8f5c0f9fe8a25b324227be72441

SHA256
d4f09768d105aed2c87dcae2a16f33ab6a18d7ead54abd531b6b1199c3afba6e

SHA512
01a8163c4cf3f2fb889af46a66275efdad4e5c3e2dd3d2aae7e17c85a75888de45420e3db9ede3843187dfa003f0e1877d9f5844e5d2d37e9fb3fd5527a43c13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
c252c620e1ae1122e846342ba353862b

SHA1
25ee32dd87fe53db01b207ca12cb625e12f44406

SHA256
1763eccf1a31f9ee22b15b343b75f8648875b163dc4ea4891315aba75ce092a6

SHA512
fd4869de04ea2f098dd53daa3e3af517d1f52dc5d83739bca86cdd8524109d1b69ee7c4aa34a295034125de6f845e96415f363ae09e36b6749be2d9ea4ed3983

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
8KB

MD5
2b3241d13829fabdb4a0f5b722129beb

SHA1
88bef08422397016ff7f73972fcd387355150a43

SHA256
6ca2f323c2a87c0db4fefccb7d1221a4bdbab93bcf2e24835cac5c8d91b6c374

SHA512
eb1288ef808301e3bb7aea839a203d1c58a3619382735edc2a63cf3137767a3d6792612cd50f9f29f7061d6b946a2c3de43c8e1474525baa5317f4348d10a015

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
9KB

MD5
cda39c5b8d3cda0422b3f4c5ecbffa77

SHA1
8db46140ff75b3c654b35a4267767e38654b0279

SHA256
0c4ed9df6207d802125875005443dccace4fe11e4308ac871ebe2af3f4addabd

SHA512
dd9f245a05939f0f4668c584f37ba3c91d7eb235b4c3d96502707f3fe5f9ad71c4e6e3d59e346dcc470c56785c0d428a3b24e9ced39e8a2d5d62978a6320ee0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
9KB

MD5
0c4a0b392cb5cb043ca1e36aa41e4c6b

SHA1
aecdb7329e7e91416f53db7c6952917258c1cadb

SHA256
241f93455ed4a22b33fc02457e4f64f6db6b7cbfd1986e3e80f186661a9c1a2f

SHA512
2b98d502f9b2db970e64dd205ec721dd2b082507f260fdee695686f5bf4c359b36fb6e3e3ecf78656d4a621523a01551d6a26b3aa37cdeceaea22f524cc364af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
9KB

MD5
b9a324664d85f25f963b905c8768117b

SHA1
0d464ab6ae9947ded74b8ea76cd10467921adb7e

SHA256
3942f1e8ddec8da65ba3e80785fa1a91a03e60b027c9aca967943645a8af80c4

SHA512
9015b0298b32271bc40e3004609dafd3482b90906be72cb9458e82a536be5acf18a942ae810517458879ec9a6eaf955570c2ab739c6165292a8b54adbd739b68

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
10KB

MD5
db89167538c663c3d78d5fa1d0a5cc6e

SHA1
7b61f62f5baed14f1f5826982162d06088971b7d

SHA256
749c37b3a79ea21d9fc6a8bd2aea24f10bad49e81929f73df31939f90d264c8f

SHA512
379226a5b7842001260ca1578559d6d9f8b97495630896fb1389950e3919fa1596d513651234320405173af8a01c4601e6f5a45c289bd6fbde39d43b93605312

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize
96B

MD5
747fd035fa20ca6f7faafa475a54fe2b

SHA1
f677e0fcde49bdf9b75c559739a58196bd436d72

SHA256
69c281b16f3454c10b96cf5ba8502ec2af1082a9456cf03d11f7de07aad62719

SHA512
fed6f21a7c6248733e0e53b8c4cde03ef5b5267105ab3b5640e0fee39865c1e2ea8d751c8eb647f0f70a0d4e673f6a89288507c84d6848d1cdf225392b5f8300

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe58acb6.TMP
Filesize
48B

MD5
1fdf0a01e0aa36a37af3e6120fdc0cab

SHA1
7c1e36f392a500132f15a4a16bef959ddd4bf9f5

SHA256
0ecd2a166e036a0f3931f417c8571ee65e2cc8ad59214178a561d644fa4d4f49

SHA512
b9d196a9027c7c510bba6eee6d396d313565ef87b9750b4fa7a9ac00e763ac6e98bcf29b38d0d38da5b848b7887c998d94a45a380bf71ce30c8ba79188b0ca28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
6c92eaa48cf1051a35148e2cbe976e7d

SHA1
95436c29f38c68b3193c2001602bbf5268b91414

SHA256
e2f342ed75a58681e6f788961eb8155e58929d7a4bcb1f31cd629c7b9723c9da

SHA512
087388a0091f0732dde1d5cb1a0153d63bc4e3103e4a3dc3933ab67cf1720c66b04a437442b09dba6055dbce9162b6cd91fedbccdc88e6fcfb4f7487a11cff95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
2KB

MD5
99ba17427b85398a032d70e86addb30b

SHA1
4169d97934b9ba6192fbbd2f022893a4b497e71f

SHA256
9bbcf4b6737373fb59b995b4b42309f99ff583025248371bce19842c7fc91e69

SHA512
1dd1caacfc7e0e0f8e79a30fb2e3fd107cf73ab27976d36b1154514c7ae311513705b7bb799958d496cafa6053305429c2fff570084c5bc7388253121ace3c89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
2KB

MD5
f015225db456c42288c37cb7b7ace019

SHA1
363124ddb8bd39bbb9717cc89a3329abde518358

SHA256
989949e8a2c243f29bf1969271f948911ea86d2f54f88b119ba111aea747afa2

SHA512
6716f223e9f44fc0fccbc87630043e5d32d9fd47bbeab9e60b3dd16d76c55f5a2eb389207bc4fb427391d4cbbc9b7f4eb51da2e258546932218b3bad2a2d79de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
2KB

MD5
3500770056d10c9b6cc8ade4bf70abea

SHA1
acce915a54e5c1ab1019378426e88cb2e1d5e53f

SHA256
04698b7c39ab2656883169013fc55c8a2a3d088d9ed8ec47bdd1fcf2cba67e7a

SHA512
44e67bf61d750d61fccda0cafacf4a03982e1ff26dc574454d3456b7c441d3f87d23eb6b8e5cda8337a0da1ef3260e87b565c337e0ef1ae7d21c14c97f6005dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
2KB

MD5
f0066babc6f5e9c7ab4a425a12a79988

SHA1
97ff59510a6bfb804ae0343f8e0ac1174403c39d

SHA256
dc2e097c062bf29c3986eae62cdf9913ff1b20f02a5ac3fabaa6c0650745f19c

SHA512
e9b7652f32015431ee9bfe165285b9ffabebe5ab00a0040f384627ce26f061db4bc9f89f9f8193485a26bdd2b2837b891fe3397cd11b939823811916c6a18d74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
874B

MD5
3e69d2b054cdab29cd593483028bafdd

SHA1
734df4f6a6e93fff90e1a0478b0d476ea98fa56a

SHA256
912a18687e3a59653b82eb9122e90b6826f65428edbffc5743a8af2c770c89d3

SHA512
26fb682791c95d0b3afa858f0533b101ae63395cde4ee46f7ac34bba4bb01d86426e32c4850a04f12282278fb1941bbf5c1e100ee55d8a9643b43fd4477155e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
c183808734199f073960ea6a7a590500

SHA1
9cad1371cc230a2989aea1c774ae949903abe6b0

SHA256
ab03ed718b88450ba7855ca78d3198cb85220373d912216bdbc48552041799b5

SHA512
c2c0d01ea447b3ae20bbbb10eabfcf1a47838494746221f9a65c7b4c2b522f56d5d0a114e8d787ae56ca7fbc1949d232bb8bc05c7dbff799001ddc3a34d761d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
681e9cc0b902fbd8704ce957065982df

SHA1
5f8212765bebfd27135f2441a8f52c2e105b2119

SHA256
5773462d345be1c6d7074a4de47c7093cb4f28658d9873f0ca4ea89d6b9f5ffb

SHA512
71d2bb2345b5feeae2837b45de2cc8d4b6cea297d9b7351bad0b497bde2488c0af11b974578f6a170086571d49ec6720ae568dda939e25835fc10f33a1dd8445

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
2KB

MD5
27e87c23807bd722f2251fe38435a27d

SHA1
d12ed2644d8d7f5e50248968f1ca1601b354b8d0

SHA256
1c03e6e5932794d90baf8cab8558d55b6ea16423b72aaeda4b64f6bf402fbcf6

SHA512
c5538e5444c8e8bfdb7b24c60ed5eb1ba3576d46cb8166b568ea565cfae02dd53dc4e4908c4f95724329c2fa135deb9eeb04849a93f1f7e733a14c1f53676f20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
2KB

MD5
0207b12bd8be37e0e3bce12217407eaa

SHA1
6fc56872bc8fb1525eb4cf9911342186400e2e82

SHA256
1903f58850336ec4d4e370e5e9d26ead9bd52904faa9f5c955021484e7251f1b

SHA512
18e8fec5e8a77f990913a1886411d40cc1060a0e1866e42870f1db3df80c92103704bdc213be715b1831a0460374e9e7af0a35dda0dda49309f5ecd58a242f89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
2KB

MD5
87829b94a242d5a89b198ceafc5c3382

SHA1
d7329292fa2c31115d4d774e978c9439b228296f

SHA256
92cbe583590707bb1f026651da74a48e91918c3f8ad04f2a0917011d69250a10

SHA512
802d305c21bd72e80122360e74d496253d6df7a3793dc952b52a2d2310e354cf7e7ef8e7bfb200deb2578a313a6fe817ceffdee3bb94656274ddffd4a1d8b211

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
2KB

MD5
2dd9c21212098a2d6f440da55fc10224

SHA1
e1c5ab9772b3fe8a5e665243470c4f017e076597

SHA256
9057a99c591ce3de28db7ee27fa885750bcfb938061c163ef266f70dd7853908

SHA512
8f0165b9a2615ba83416f8f9f3a87ecc07660e5d4838237c8b0477d64cce785cb40c7687b6a2e648e3c01971ad3e23e3b51af3474f7bab0b61ac5105d84fb243

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
2KB

MD5
24cb8cc09c5f53de49731dcfe2b170af

SHA1
cb4c6a083b709834694bc87894a2a57ca16dbef5

SHA256
26460b13d44a377ce76746a42887d1276c2399a023707a8cc71ea6505243f8f6

SHA512
1b1180b0c62eb717bd8162bb8f71337a62b64250029039730fab096a25a00c12ae6a98acd88ff9e289ed872d9cc677e2ad75bf3d88d3a05a4a88a03dc8beb4a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
2KB

MD5
2c73a7dac63a71f5a21f3f1e9cb98692

SHA1
cfdfb93fa2e45ae5aa8f718a1e9641f04a58883d

SHA256
ae87d2c1fcf7341245ddaade2b664dbb264033b49ca0903ec19fa530f50098e6

SHA512
b7fc9476ed66b189a36c167b35df2012e27f0642b592680b585aeee84fed468aecc403414a39d95c309e02737370e9f08bda36cd47b3d46b5739f8cb3d3b663c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57a652.TMP
Filesize
539B

MD5
60f7d3bb7eea14bce2506e9f3f3fac4c

SHA1
7e2b1f662e4d277718a66c125a562a720761ae64

SHA256
9453aea15d49f3f02d9015d3d31d9a8a6300ce835fde01ebf723a6978f84f51b

SHA512
6c72f5dbd1a1405528390148d75e19de7d98ef6306626a92172e01a4dd63df678bbeaa103de2a9c9bfe8408f74b71ffd5ef1adeedd1d2cb81f236d9c8c864753

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
6f6f58e20071f063deee3ae021993692

SHA1
897f2fa903dd93db40be4a50a62bf689f88eddaf

SHA256
fff5c92947de132732675c826874024f2da278aa8600b43a18f8a1fcc075f90d

SHA512
420f872c096a2436980c2cacbe47e5ecb8af4061cb9da648bcffec47193e6c3ecfb1ef84b8989074033e48b5fbf71b8fbf0dc7a47ec2dedf573b3ec9f8fc8428

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
1ef21cfc932890b7ec1ba16898725f85

SHA1
94f54aceb4d4950e729c68bfb8d5c3aa4ebb9f14

SHA256
de35088919345b9bd753469a712edd275cc68504926205d42fedda8daa647cb3

SHA512
75267ec9a20785de88ba295a6864e5434e8594fbee5d6f39ba7b974c16dda330d91289591c6a683f73122f5a36ed7ec4d3e7ced0bbf14ffffb965a31267a7b7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
9c02792a2749dc21d963176d43a1990a

SHA1
2e2112d72983158bcb6032e67a13eb8a6f5190be

SHA256
f1b2638b3140cb81166e6bc335c1bf72de1fb57ac64c6fb5efb5a425e4d50205

SHA512
d47b5d8368566d1a5a759fed279cf6d9994b8a0e9f9efe152af84855a26fc0907e8f3d6f44c0ad31c9faac9cc885458549f363de1dd418cf8b5f28a7c5c72288

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
579b4df5daf06c01df903d1347bd3d9b

SHA1
8a1eabf6430cf3803ceae8c8bcefeab70d9e6f29

SHA256
6787ac9d1bdd3ca516b224e3b2320a2e9442829b9f7a48b18d36359693c67a87

SHA512
2704a624ad86192ef0bdff378d13d1b93614dcf55f42f381e331ad2ea555eca8806e30a6d6f717e8e6bec6a25d79568497c1daed0e0f874b64d3dbe06127125d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
ca7af04e292c2e3c35c30b0d65500cbf

SHA1
4fdc36fa9d8a3b61a2b2735513f8421b91e48d0c

SHA256
2daab452a9cb772897bfcb51dcd974f65a275f4604c13869c3e81c25e3c53303

SHA512
a8c3a8fefeac2accbae15ad520c5ce0468cfba78413e65506b5299ec52677cd34f01e10fdf3f6a880eeb05a80e4aabf02253a884d06cccfdae601e2b2fe004a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeYoYsUs.bat
Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\Downloads\Deskbottom.zip:Zone.Identifier
Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
C:\Users\Admin\Downloads\InfinityCrypt.zip
Filesize
33KB

MD5
5569bfe4f06724dd750c2a4690b79ba0

SHA1
05414c7d5dacf43370ab451d28d4ac27bdcabf22

SHA256
cfa4daab47e6eb546323d4c976261aefba3947b4cce1a655dde9d9d6d725b527

SHA512
775bd600625dc5d293cfebb208d7dc9b506b08dd0da22124a7a69fb435756c2a309cbd3d813fc78543fd9bae7e9b286a5bd83a956859c05f5656daa96fcc2165

Download Submit
C:\Users\Admin\Downloads\ViraLock\AYUA.exe
Filesize
191KB

MD5
ccf9920ac8950bbc43c127f75d5911e2

SHA1
a9cc9e58a14503d6781cf9b124ab4b3e02b83d7d

SHA256
fc8c9295fbaa503bd69b5b68a7836cedab2fbdec1597aa628e09d6f47bc55320

SHA512
f77134596bf93430aaab64e033a9a0fca8a45e75138aa098f78c01a4b97c85146529aeec3193bc599942e593d6c7ee55e0b674cf17baaa6b892572beaf80a3fe

Download Submit
C:\Users\Admin\Downloads\ViraLock\AYcq.exe
Filesize
192KB

MD5
23c9e0fba35698c9da141d4f99c32091

SHA1
dddebd071a5e4b50dc1810da9e88bda48b55b329

SHA256
249f4a0fd827310aae92f226529b55f01760fe86e268ed5bb8695be56d0dc26f

SHA512
1362c0cdeab34c4f7cd3be025d5630e30d394020273ae6a37c57b555b13017126e4a0e28c9a02f5ebd03208e59c6b4d6c58a789d2dd04ba8085fadb986274c68

Download Submit
C:\Users\Admin\Downloads\ViraLock\AkYQ.ico
Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\Downloads\ViraLock\CQoE.exe
Filesize
193KB

MD5
133382d46f3385f87966d8e5ee24e43d

SHA1
dc06f67f0f9ef8c2e4b34a852d5fbee15dab9d88

SHA256
f57e426d52b1afd0aa403c687ae805a3c314617adb8ab720d61dea45c5171730

SHA512
1fe565ae4273dc889996d53791fafd22a5f56f26f9f48f23b67f2647bfedb7ba23a42d14dc7cbb90927d3e55b88fdcf0e5dd6747cec05dbbdd16147b61a231be

Download Submit
C:\Users\Admin\Downloads\ViraLock\CcIs.exe
Filesize
187KB

MD5
79ee3f04ef42427a7860ec662f7b3569

SHA1
d01f7f52aee3b3a48d74a78ec646144088be4f3e

SHA256
91fc91bfa6091068454e08833e18cfd510753d8e99bc85c1d4aec6094e8515c1

SHA512
572875ff9605546b92fce0c5d3a15152845cf024ffa4646f32246d833ce4f402b0f58b711b1e61caae70f6f47acde7bf950e5446d61d63709d01c545edc0fa56

Download Submit
C:\Users\Admin\Downloads\ViraLock\CcUE.exe
Filesize
214KB

MD5
8f02fdeb29d9afa892d03a9731698cb4

SHA1
61b47b5d034fcffb22b77c88f2aef306c12e8809

SHA256
238d4efb01625e9c3da64ebc87c08d45d6b90572a63e0737c31fd800c7e0b616

SHA512
8617185f4a028a8c4f409d37414f103a008387872636b77bc1f4f3ad200c98fac0558e7fadf23393e26c8367f75bfb98d6a13cc755b005c169921e91eb4f69b0

Download Submit
C:\Users\Admin\Downloads\ViraLock\EEYq.exe
Filesize
633KB

MD5
922e95cd5012808b5771a70b4defcdd7

SHA1
efb62a9c3ba97eb0b8245ed3d549b1a335829e8d

SHA256
a7172df40c93492d3c420d1030523c765c9877b02910b6deda53d8ccc65a4513

SHA512
e4dbc49cdb6d4a6ebd91c0efd696ebd7a667b347d640d7c832f8c6170bea8223b155731b511fdd21c9822328374f59164c1d4b6e201073f0e96e21dca53d786c

Download Submit
C:\Users\Admin\Downloads\ViraLock\Endermanch@ViraLock
Filesize
6KB

MD5
76e08b93985d60b82ddb4a313733345c

SHA1
273effbac9e1dc901a3f0ee43122d2bdb383adbf

SHA256
4dc0a8afbf4dbb1a67b9292bb028b7f744f3029b0083c36307b1f84a00692a89

SHA512
4226266b623d502f9b0901355ff388e1fc705e9baff0cbe49a52ef59578e1cc66f5026c030df4c8a8f5000b743523ccf18c533aee269b562d3017d14af014f9d

Download Submit
C:\Users\Admin\Downloads\ViraLock\GowG.exe
Filesize
214KB

MD5
0838435b40e5730e1c8ced31055a4842

SHA1
1b25f24b23f4cf0f0e68a4dbb8ec4d80170c0c52

SHA256
ac3277693fcc29e6aeefff5f9f702d9e60a4f59ac2fa91c654371b27006db5d8

SHA512
a75c5ce9393cda0b6d3793e468e6fecb9fb1c99665480463e941c50fd7a0e53219eace9d80dd2f3eef03fbb050f1bbb5de6d068ed3d6d67dbabcc9ab838a932c

Download Submit
C:\Users\Admin\Downloads\ViraLock\GsMm.exe
Filesize
194KB

MD5
4e4678ab6ba759db96a599f98d37db28

SHA1
7aed78bb4d0f8ec02dd3a0561f7ffdacdba7ff8c

SHA256
2e5831e6be3b4ddbfe2a36afeb5d9d5959519e2cd049240be28049175d4dfe53

SHA512
8d22029c6b0b75982aee1a2cee7e5c045cfd5567601b8b150eb904a1b1484e4d3538c72cac61f5cc833abbce46cf5730f068564e86454bf1b6eadcdd5aa14cdb

Download Submit
C:\Users\Admin\Downloads\ViraLock\IEMK.exe
Filesize
187KB

MD5
8e0d49e631cccf97db6a343001c3b04d

SHA1
6bd43c9ebe72cac38ea2e1d8796156ce7d2d1717

SHA256
87681edb7d71a1940b9c7296029756fc97711c63820333fb22afa7db1635ff52

SHA512
6d590233a87caeb03a083ee0ea73f70647f280f3f98b9c9cfcb93c2d9732d3370b692a68acb0477d6b99422030ea81780b58c61c6e81d76e6176045ea0dd5284

Download Submit
C:\Users\Admin\Downloads\ViraLock\IkIO.exe
Filesize
828KB

MD5
afa7e987921ef2b421d50fad27b2651d

SHA1
b43012f1034914b5e635643d6657e1eec1496b90

SHA256
9d361ab5f420350b8bb452f6190ab907d3d48957f12e45cf7e544bcc055b7f2d

SHA512
c2a53883f5498295cb78d2eb0084265ad140cf5483a7ba48450031f0ab8da39ee651f52f514dbc809d30818294989fe1fba68a082ea25a4c7db1b68eda72e4fc

Download Submit
C:\Users\Admin\Downloads\ViraLock\IocE.exe
Filesize
834KB

MD5
a4565b3d938682b064cffc654d29fed8

SHA1
443d4c57cd7976a68696d0c100d4d11542bc54b4

SHA256
ca3f417426f604bc35b60bf61815eedf4236f9477a63cb74f6d277750be16654

SHA512
f1a153c92647b8dce94f716ecf30e81bd700b5bb4dd34dc439804bd7394d4c81ee0c9b8c7c6539d022b04b9a0b7e8543d8896a4499312fb4faa527bc078b8731

Download Submit
C:\Users\Admin\Downloads\ViraLock\KEIA.exe
Filesize
191KB

MD5
b4323066d66daedeceb68ce6b6cfbfae

SHA1
fe7c7826aadf3a71b07138b5456bb9f58491e2a0

SHA256
94fad6a853f6640fb2ad2fa318d0efd5cadcfbc504cd30a43598e6df2ab8b012

SHA512
ae633d6a1ae63ef087cd125265c4e7c54259d19c77b0b5c624c0baf17ca3e2a158310e297a12f45b46e6a43734c1066ea65bf7243bfad6ebbd5ce748c8205740

Download Submit
C:\Users\Admin\Downloads\ViraLock\KsIk.exe
Filesize
195KB

MD5
25df994ed58a8449da2dbff3455cc2aa

SHA1
2d5d1a83402bcf7837698fc4533cfce35d9c0985

SHA256
5dae6442db28085b305659a3da68b672519320458e1312b97cfb9fced8995352

SHA512
47e8437e258534181ed694539ea6ee2c1501dc50927145998a348f1bfbdbbe7ef501c5a4bf282f04b8e99abbad5d7dd01909c55d4b28ec18141861c3e1cfd56f

Download Submit
C:\Users\Admin\Downloads\ViraLock\Ksou.exe
Filesize
189KB

MD5
a8b91eb60c969bd16cddb8297874187e

SHA1
c60c90f88648dfd48649cc278105f2093c2aaa1c

SHA256
92c3b6445287d61a0361a999c5da600fb76ebeddd5d641296416d707465624fd

SHA512
69b10fb82f833893d175ab48bfee1b2bf1234bdad49117d5e4a9fe8cbb6f60a4f80c001a63d5687feeda113be40929786d5cac87f42530db93b87a841ca3e035

Download Submit
C:\Users\Admin\Downloads\ViraLock\MgQK.exe
Filesize
184KB

MD5
cf0bbca0635f658dfe94f078c56c1ec5

SHA1
0b23d14e1212c76022688ffc393054a206d5dc1c

SHA256
a7578e6080a2ddf78304ed5022648b26d031ba7aa58e7b3218d7afcd0353e599

SHA512
8d24b99c9c03c095781d17557cf1611aff46615c437083461d2e12238ec938fe11d37a2cfe052d2a0bab3ac2f41976b2bdc9c4649ddf837eee86bfe836ae38a7

Download Submit
C:\Users\Admin\Downloads\ViraLock\MwEQ.exe
Filesize
203KB

MD5
0f93ee615f356458663c91b1c91f0e62

SHA1
d390d4b4d03d03ebc6665c0e214bc32fc22e2617

SHA256
1e78e0b6674bbdcfd573306d17d98199af669340e6f7eb9afb36e00d6d2626fc

SHA512
6d2c998849cbd9871bf5b2cd0066ebcc87e934524e042db769cc4c9f554c4536def9c96977f3cf9f75abeefe57d7a7509537e083564586f2d2bfe509d9d5576e

Download Submit
C:\Users\Admin\Downloads\ViraLock\OMwo.exe
Filesize
205KB

MD5
7b0c66b82a38c46520a988b778231ef9

SHA1
c2e00ca74bd0bc3f769f6ccbc7f6aea36ca75a20

SHA256
cc241a9f57b95a6a8e9619db8f5c3aeaaac70ddf4d7af831a064339fb4327621

SHA512
b7831d07afb71dfc0de08af9b2a9479248b578a3abbe375437ee8fa99f4e381a315b527cc20df7d835f8a427a5a1774afab81c43aa1abdb2c85f8b280b709e19

Download Submit
C:\Users\Admin\Downloads\ViraLock\OQEY.exe
Filesize
657KB

MD5
2dd3cd819ef3a729f5cf00b5307738fe

SHA1
c73fd91537a9f62eb49fb09e1e113f0b6c3afc19

SHA256
ec250bb3ffd5c66306c78d3c1ea046b103a1886bab26c0c02d907d37bfc46c91

SHA512
8251bff74c71259c98d3063bc89803fa4a679a4b8cae667e10b4a9330c9509690de3c925e604e556cfe82a9304333af731006eece1efd7ac5c31ea2668714ec1

Download Submit
C:\Users\Admin\Downloads\ViraLock\SAIY.exe
Filesize
196KB

MD5
49d5349d936e3bc5a64683301f4f6db2

SHA1
cbde60ade5a71b451696d38ceaaf13eef2d355bb

SHA256
4f6a7b3bf75e8c6a7f2ed56555a695fd38149910d06accc37fb97aa700ac35a1

SHA512
4caf04d36d63e49bcc90e3c9770c19de7326d857d1d8d36b285b1c324ecad7c175bfc6764149430211030c1c4f9291ac791d56e1a2e682efbf605193209fc31c

Download Submit
C:\Users\Admin\Downloads\ViraLock\SAci.exe
Filesize
201KB

MD5
fb2a90aeb65166c53912f84b641e833c

SHA1
66c7d86022cfc5fe607ad8dd07ec0ff20ea31b7d

SHA256
5dd41927699ffde135f27110f77e73df7d5081fd38e02c5ff04241fc9a54c104

SHA512
0d9cf33956799a6d5bde60464b21747b49d08434be98cb0dfa97bb9b2d846ac682f5c1e75bdee8a88dff2e7368c288542dcb6a61eb1ce182a59abbf2dca03ace

Download Submit
C:\Users\Admin\Downloads\ViraLock\Skga.exe
Filesize
233KB

MD5
bc4e98f5845ce5bc70cc2c8246a92d42

SHA1
18d4ed88fd0270f9bc38324e22e981fdb09c4f8b

SHA256
b5c6aa5ea95a69d6af606b1979122c831bb12c1f9adc0317dbe9db639e1bf6a8

SHA512
4868267a9f95fe899c5d1f714d2ec312632181b495ebcdc8d635f273e548bcf4b7f933ffa76e234c739c7ae1132909ed851197b74636d8591dcdab1445da70ee

Download Submit
C:\Users\Admin\Downloads\ViraLock\Ucoe.exe
Filesize
205KB

MD5
76fb847680f96c6a21d5b04c3fd888b8

SHA1
4cef0d93ba4f447ece13e0e436560115a0f91796

SHA256
8c00646a8d4a7dfa94ef06df66dc4b2e32c18ee4f40cdf2d6d5e2d4ec83e32ef

SHA512
9325115de532c26ccdc0ee37eff5e28de627a3c8b9e90236cd3f384400bfeb71f9d16711ce0f76ed0526e76ee483a20d898dea29072a697b7bf7ef3f988c9201

Download Submit
C:\Users\Admin\Downloads\ViraLock\Uskk.exe
Filesize
792KB

MD5
c40d3e74ef035bad7297ffb35d7fcc28

SHA1
d10a7a11da5877104cf5240126e3b235c73bc27f

SHA256
755867397eded39beeb697fb951e6e7396a65b8045e424d704fd8c2974394b1c

SHA512
9cf955abfdebd20383b38f2c78ad6bb2a052d9f0f76bd65218c1ba3da0b1b8d5afdb5c32f9f8cfa0bad46c89361aa1e1817312126eb45a73571748d90307bbb5

Download Submit
C:\Users\Admin\Downloads\ViraLock\WEIm.exe
Filesize
323KB

MD5
8ff911915a3eec1f80e7fd139d737db4

SHA1
d1712c5a5d99693c05d6e1458b89df87fec3454c

SHA256
7700e5d02766263729dc69e8003163c31dd906ff68cd13e1389b3acbefe498d9

SHA512
0b4b7e4efced97499151e94ebb3589437d99b310da15890ee104134733e91ccf92fa2b9a8ad74dee779104cdf1c24027618f7ce51b60d96addcd2b3b3c602308

Download Submit
C:\Users\Admin\Downloads\ViraLock\WQYI.exe
Filesize
205KB

MD5
99f4e64cc2b2f58a6752c41b7e7b8eb3

SHA1
19e454ff57c22f5fd5f832692be346675f9991a7

SHA256
7a1e3eb2c5a15d1a574785e9f621c3c42ba00122e9149bae6c914736191a08af

SHA512
653db4d5e9c5d6aa5f4fb71e196f02f7af495948e7b46597f3efae2ce7119584abd2e618f65cb6d1999e7e99d8c19ffa0d458e9340c6ffc99ec2a66a1d1632ce

Download Submit
C:\Users\Admin\Downloads\ViraLock\WUkS.exe
Filesize
206KB

MD5
386095b4bda4ac54d27cca2fb1bff4e0

SHA1
4f43bde3dee6f6f90a543673ce44e91408822330

SHA256
43f4ecf222f24512b7d1189672cb5e6c26a9c252db8a22be4d7817f3596deb8d

SHA512
b9167305b0ea3ae66364bb83c4184da77f42ffd1d4146f9dd70df70734b6d6b401c9c5c8ffe79aa5698805e8cfae57710c3d8b7dc895eaef7bc8f58001bc7274

Download Submit
C:\Users\Admin\Downloads\ViraLock\WcQE.exe
Filesize
188KB

MD5
e1e333e8ad83290103b04dfea4800630

SHA1
51fac678ebba3eff76fa12b94a62d39c8afb9bbe

SHA256
52782698a289a55af7aafd0e435060c4b77fd459589cf43c5d457a86ddc83d3f

SHA512
f914636afca5cfde2613913acd74835ddcec6ed23db35a265eb47d5a182abeb9dc8e375bde148a6fae4b17be162f7f938e0ebaafc6abe10a6876c3650e8e7db9

Download Submit
C:\Users\Admin\Downloads\ViraLock\WgMQ.exe
Filesize
221KB

MD5
1715bdcd54e58c31ef5b0fb8d217c2af

SHA1
36865c57e493121c23ee5deb2ba9fceb5a7ee38a

SHA256
52a18493bc1af167a67530150f54bd7c75f152b92dbeef32eb9ca4cacf014bed

SHA512
a86f71b8daf7b1d453700c1dcf4c6d94c0e9562a68cbdd0d2ba07fb21199d7e86675bf0327e2a8d744a08b7638dc577f26b8df15a304a4c8d1bde68b041f9618

Download Submit
C:\Users\Admin\Downloads\ViraLock\WgUc.exe
Filesize
656KB

MD5
62eaf929b7dab44bcbbb94992a268c65

SHA1
b795cff1f1393f90bbafc3331f36338247b9a81a

SHA256
848ca76577b3cefaf01e25de85e17524de84a6cf62a954f33726243207b89687

SHA512
3628704069a96363b95871922dac4a3a5a860769bd7e1b06d93ad59438df2d12578b59b4e10eb11c46cb96ddecfc2925323b3d1be30db6111efd9118cf443c2f

Download Submit
C:\Users\Admin\Downloads\ViraLock\WwIu.exe
Filesize
186KB

MD5
ac3846f5ff3ade964495b11ac785c7f6

SHA1
050088c8a53b4b663551116eae00c4351688a83e

SHA256
1dbef64808fd61035c980bcee5a888aba6c8d4727d63ce53b9f44929d7e8177b

SHA512
e9d04765108b2e74b360a8c445e06d71df568271f1141503b9f82370abbdaa0bc35770d1f63a8b0fcd163e5e64858de394224d356d657f314cd01d787512067b

Download Submit
C:\Users\Admin\Downloads\ViraLock\WwoY.exe
Filesize
199KB

MD5
b7343f2b2787766a6f4d4ed1f84a668c

SHA1
14a4e674b22f6780d580e4ce4c1a15603436b70a

SHA256
6fb939d2d3fc36f789da5b2075e4f2d0c6ff49065d01d390f733f8260950b6c6

SHA512
dcfc2b06169f81902953e15becfc9c804b967001e68853cfb48a8c9deccc8ab0b1f552ca401f21cf3f0903411ae5f208ce17296603067f2e007229d3f62baa2f

Download Submit
C:\Users\Admin\Downloads\ViraLock\YcwW.exe
Filesize
202KB

MD5
5f30af743f6654431c90c16202450ba6

SHA1
6808dea748316788a663a50e548a51a66e229d26

SHA256
a64b9ae0f0920bfbed5deea8a84c8130563f07b56e153fb78de1004403ae41c6

SHA512
4065b219512b45995a081efaeca87ba994b6bc23f8ae2c56599d2700db9b67a781b2e1f630b8cc922faa4294008b4402c541f2e0f1277dc804fbd452e514c019

Download Submit
C:\Users\Admin\Downloads\ViraLock\YkIW.exe
Filesize
208KB

MD5
abb49f6b04caedc4d0b722d90b268cc7

SHA1
cb4e926621499abf6cd7c1ea4b08bb76e03825b4

SHA256
c71e9fc30e2ba5a79a13516b6205d5342f9596333ae76e1dc883772cca8b38af

SHA512
99a89bd7b9ae7e4790300aeb905d1c517ad23c4c918fb61a96ad4569a55f07f4631e260b78a37460d6733058f328f85a53573c1ac838f983f088baa0baff1267

Download Submit
C:\Users\Admin\Downloads\ViraLock\aUYg.exe
Filesize
207KB

MD5
4975abc06aa8c9a260fba5b7b0e72ff6

SHA1
d5f9348d5e29a59a9f07f61a3dfcddd4e32683fa

SHA256
8d4340eb2b0ce554bf1de8bacdc4ddf33a7d44f4165d50ae89dc21751af42271

SHA512
7b9785d08eaa3df05233d55ecc74ebef10a197899a4a5503d5b6af185f528c0d2413af8ba630ad6e1d34ba9e7f9deac0a37b8fef484ed98d548e7f2f2822b021

Download Submit
C:\Users\Admin\Downloads\ViraLock\akgw.exe
Filesize
188KB

MD5
b1e7f2edcc21da00e617a264dc5eeaa9

SHA1
b64a6febf8005b6340c51715fd5554c1ba8f3708

SHA256
e7fb02665204856dd016d1757f4162191529633e34c2b8036e2975bdffcc3397

SHA512
53df347aec92002d0513746b3273539f45838d073f59a64bbfa1cba79739dd42f15acdbf4d02e804f396bd76eb04089f4fc478f187c17e920438f9a760c7c4ce

Download Submit
C:\Users\Admin\Downloads\ViraLock\cEMc.exe
Filesize
186KB

MD5
41bb9a03c970d155ea0c19627478d49d

SHA1
9064e3a022d8eb206ab49adf8261016af1107a43

SHA256
1cc260a6cf6e5cbecd6c99703fcdd5ef4fb866749c088ebd74bcd8b16cffc4ab

SHA512
35310e1e87db051507aa97ff7035bc5ddbbba20a8b38e87d1f3c677961a6c945561000bb0921a41ad317d55c8a3fa6f0296e035c0ee9a00be0f88133dad2db90

Download Submit
C:\Users\Admin\Downloads\ViraLock\ckEU.exe
Filesize
799KB

MD5
8bad36b0d46e9d01311573fea2e6d0b3

SHA1
70367643dbab11892e29e549a9d0f09230175edf

SHA256
35e89bf4db656404689bcb701c34c0f9d2804e7ca379a88f592b947a8c129929

SHA512
7e3318ffba1b45fe368c4d3ae6e99509bf8c7ec37533a289218409ca46c110a4f14a530afb4f7890a6e65d8beee748bc59f4fb9c30ea443baaf3cfbc14ed80cc

Download Submit
C:\Users\Admin\Downloads\ViraLock\cwIA.exe
Filesize
205KB

MD5
0f4e967c9e6602a8f7a7be4d28dba22e

SHA1
897a0d3e6f758a3c4db86a8fbfbbae94ca81409f

SHA256
8532f6732fe58e35cd7679435f0f0173434125cf2bf8162d1674794c6b748ef7

SHA512
790bdd0f1bbc5b40b65bde62756a58741eb89d8678df8f0487e3b95ae8a791338911bdcf295823869beacb674233bcf1d23a6dbd293751285d57d57388da2a93

Download Submit
C:\Users\Admin\Downloads\ViraLock\eEow.exe
Filesize
225KB

MD5
04e77c10f95aa18be2dd69a7a3a71e51

SHA1
0fa84de45ba438095bd822ee02bfe550e766e16f

SHA256
7a5288fcfc1925401c2d547c7c437f83d918c214620ad0da89f4629dc6b1874d

SHA512
89a8d564a64b24e17cdfb58bb68164bb1a4f95080565a090aff0fa9595caa42e9ce483a65cfb666fde629eb44c11f9d9ee47976d9b73f437e976347ac562f921

Download Submit
C:\Users\Admin\Downloads\ViraLock\eMsC.exe
Filesize
189KB

MD5
fcb52620d5dbde303a8e2399a0af6ee2

SHA1
6942e35cde044f001d2bd016653bca13427206a5

SHA256
3cc59064fae2b0f03ce62630b05a2127c0054b2745ef69cc2a27537591e3cff8

SHA512
df0d21cf309a58cc001c7b26f1bb626171c35316bb10121edd1c68757581053a129dc359a991f6ea2d25f343b2e8386169d3c084ab7aa9fd27034b50f58b3f8d

Download Submit
C:\Users\Admin\Downloads\ViraLock\eggQ.exe
Filesize
192KB

MD5
59fe249f10830a4b2e4b3980880cf469

SHA1
d5b43c7a7701c4b6baec094025642fdd7daf66dc

SHA256
e9cf313c725f61a58ec7274da1776a9d2b64080948ff14fb851908a2ca698f68

SHA512
df872575a5c45a35d0f83e82b6ddb6aa83afdb9f5f6da78bc05a08757a3c93cc7d24aa4145aab0eee934aa86cc2d4786a689958a27c28a025c420460737036c2

Download Submit
C:\Users\Admin\Downloads\ViraLock\gIIa.exe
Filesize
212KB

MD5
f989bb0aaae387d55e9820ae6b1e1724

SHA1
e765709fced27068e5855681cf3661063564b679

SHA256
7ff74ddd23a5abd5b9a44c645f2aeb4ad440fa734cc0ba9abf5e9e63054b720f

SHA512
b489efeb263687f892aa62f6c9f3ace662532fc50bdcff145ee320940ce525b3a8c17a737e3120c8d29cfe859664add89750f19f37943e4d8e70d82831e6b7f1

Download Submit
C:\Users\Admin\Downloads\ViraLock\gQsK.exe
Filesize
201KB

MD5
bbff3ae17b90b7c4aa928b510c5045a3

SHA1
95e861c8a75040ed9bd5adf8e2a7e17d16759e24

SHA256
d537e14aaf50f07d123329532902400b96fe454b9fbe1757052be906bc401de3

SHA512
c7b5bc315ed1cc0fc669501ca2dc7902079d9e2756c6c5b0e351013fbc8a8321f9074f74deb8b58ab31473355d0a6e7c11629d698945726172b3a0d87dc4d486

Download Submit
C:\Users\Admin\Downloads\ViraLock\gcgI.exe
Filesize
197KB

MD5
58d671d45b59f329254a3d03c38e6ea4

SHA1
eedece59a7ad4b0d9560f85024638b91c86c1a9e

SHA256
3e95254f6ba40f7781047db38e6e422c239c4320fb4d923f5c34d78ec0a90ce3

SHA512
15e0bbc8c8d5c6c1e56b2f8a8ca2cb7a04bd9d6789d4b82c668c8d036d68ec4412d5b36dc2932476f5897e171434228ed7119ae377de72ce6e4afcdf2903caf6

Download Submit
C:\Users\Admin\Downloads\ViraLock\gggq.exe
Filesize
195KB

MD5
95a3d309d330a560fd5d2baf0de2edc8

SHA1
9436c7319f2a8767e8ccb689e83e75e19cb64dc0

SHA256
c1b2951936f95a4128dfc8739ec6484ffe2567abbb0ea32d5f02f07b845e2204

SHA512
1392cc6017a8d5fea053ea1c551b9472e668fc7ef4cd253bcfb8f4cad62ec9dd34b23bee3ec8c935d51c728e7d4878e5ff5249bb013ba518e015ed00afb80e75

Download Submit
C:\Users\Admin\Downloads\ViraLock\iAEs.exe
Filesize
193KB

MD5
15a25ec03b6fcb257d54775aab654cbb

SHA1
01ac9716bb570b90a7c031e191fc1d74e94c03a5

SHA256
a7c6376fe6fe145951b9cf94f5d8c919d6fd58076d2734d034f24fa0cc68f76a

SHA512
569332d4a6b6f1098ca1bede2553eb56fd2f6e7a0420c2f13314ff4ec04f06d68cb9724423fcceba762e256920676e7dd02ad0a29cb431ffa7ada19eff43a9e9

Download Submit
C:\Users\Admin\Downloads\ViraLock\iIkc.exe
Filesize
191KB

MD5
2699328c532ecee52901c3b304a4b888

SHA1
7bb47f799829a765feb69a8efd69386af5757608

SHA256
93e86e055ef0c796e5e5edb622e97501835d267f183d3e4ba4e9e3be2f90d6fe

SHA512
b8863f77c9bdab6b39ddcc41c5efa29aa2fd244d32c6a3b742d1e7f84995d5589a399c17adc1a0a5326975d4f88b2ddd5cd1552a9ced2e3dbc5fed70458a3657

Download Submit
C:\Users\Admin\Downloads\ViraLock\iMEg.exe
Filesize
199KB

MD5
88c878389d14c4eb7a63cf98a7f20e63

SHA1
42ee0c538b9ac0d35a324741762addf2693be0aa

SHA256
ed7ec73a8ea624ebef2cd8df664691eeaf3cbdf63615d93f8687868d84d50e9d

SHA512
32f0f300e8b08f325c9f0c6ddf80ff88cc372d919ed7ed64535a71fa8a4a3ec7d0bb9ad6eeac38fb3bf42815be49c3fed90894e9287c15d018ea29ec575a9d9d

Download Submit
C:\Users\Admin\Downloads\ViraLock\icko.exe
Filesize
186KB

MD5
5c9f0e29c12b42e52473b66360a80ba3

SHA1
31ca9cfe46e2bd6d8523574e395924e62cdda924

SHA256
121eebdbcbcb1ebc10e25474fc485d72165d66af67e2d9eab1e9108d211bcad2

SHA512
9ecf707a63da26c2c64f2c11d080fee7763cef4adfc049e989c18a6471e494c2fc67da8976f90e9af9fd80f55393755a061935c6b466eda92c561e3ec4b18ff0

Download Submit
C:\Users\Admin\Downloads\ViraLock\ikYg.exe
Filesize
432KB

MD5
e89b5240ba3592d0c65985ae454ecb71

SHA1
db74ed0bd63830c54df052ccb29d369eac60a734

SHA256
ce4dae93854909fccde9816816984d3a8c5df27a655a4c3af754388fe3d46513

SHA512
979badf8e7d5d301c86387adc8e787889a14db64fe0967e397ef77c4188433e6828db8638d6f8e54ad3c196f45c007a11adcf6e3aff3cf5f8b51930d1b40ac08

Download Submit
C:\Users\Admin\Downloads\ViraLock\kYMm.exe
Filesize
5.2MB

MD5
81e80393874627cab7efd5541ae06d02

SHA1
6e7cd460fcab6cced131ce6fa3e56402f46e4052

SHA256
a8b1608174b2934de79a3c80ed3efba920d61efe25867167b029c3477d2a5f5e

SHA512
f47b3a5b845764bbe0d99bd8719b724ac499ad2b0292a1045a679193ef49b8deb99c371a94ffa890913d4924939a166aa2cb572a392f389d0aac0dfe8049d305

Download Submit
C:\Users\Admin\Downloads\ViraLock\kgII.exe
Filesize
207KB

MD5
e66d6374e0e695adbdd6511295ed64c0

SHA1
e9e3205cb6e0b4a893e70d8012388e2d9f99d932

SHA256
9b85005c2be75f8e118907b30354a383071264de0174c56d060a0b6a34100a93

SHA512
1398608c6627f206e94a24890cf7ffb3469d156ddb64ee5cccfd07a74d674fc47ce620a770f797d3027fd82e2816ccd75d62a38bff252510f1196610c9d7310b

Download Submit
C:\Users\Admin\Downloads\ViraLock\mMok.exe
Filesize
188KB

MD5
74624534bff2cc203552395cff96092e

SHA1
a02b1cb0bd0c368d4c37f4e6bfc6db831366438c

SHA256
62b6d4f3f230006eb697f2681e4daaaa6939ff72aafac6ef68e95b304987261d

SHA512
fc550588c3769a9a65215dce724e961129e246ffc400931ad5f67f16abd16806ea33c5b82e3d9564c5c467c674011e59fc4c296759c7b8d2c47cee078f9af137

Download Submit
C:\Users\Admin\Downloads\ViraLock\mkgk.exe
Filesize
209KB

MD5
73d82633cf4f1512d0d99c949d680c17

SHA1
1a3aa93ee4aebdf1a83526f1d70448f6eaef2d44

SHA256
e8021274c74a9b7bb4bf0d6a74b8efa4faff3fc9dd736bdd57910a3e1661fd74

SHA512
16b8ea8cfd2cbb94066d0b0eca527ab9b409220789c255dce5893e411c9e0b180e81bc08e7dea560f417327f9623fb81d129bd0a173c186af0240f117d2910f4

Download Submit
C:\Users\Admin\Downloads\ViraLock\moAk.exe
Filesize
773KB

MD5
8f49c749ee3b1b7fd501ce76f3c9b437

SHA1
a2823195b9662a79fd6a063abc6984625ec70606

SHA256
9a5447f3979d145136ff536db8dda3dc883eee99a6961c8b80a5baf80e6b6e38

SHA512
f6481f689460e08760a0d812d133a58d436536720587ce7bbf34197a0622d8ec5d9e375c06c2018bfbdc18bd3fc80323d8244265c2d69dea0342b22abcb88133

Download Submit
C:\Users\Admin\Downloads\ViraLock\moEI.exe
Filesize
188KB

MD5
e694c1da705839e1bdaae1a9ad4c78b4

SHA1
bc343b9c22272d3234d30cc12f47fca28a6b19d3

SHA256
43c0e0e360568c5e2e5f37909ee916abc9500c48e7d9f127ed4014c71bcc3519

SHA512
a6aaf661295a05ff7fb05971db137c44d790a3e8ccc62d64e9df3d606b6dfd42eb57c15e73564541d5bda1ce750a83e353775f7a6e54164d21d5de602517ad0e

Download Submit
C:\Users\Admin\Downloads\ViraLock\mwog.exe
Filesize
315KB

MD5
656d369faf9221c3ada9afafc7cc5f0d

SHA1
557f7f98a75a79e27c4b376f691899e47b084f1d

SHA256
4e76753ff1e9f267f60b560d98d04f05a01955607be924ade59136449ac9d6c0

SHA512
5d99691f291531e2cb3a128872ea1abf6c9187411c9104db7376b59ee7c60756b8223fdb8b9de88ab402916369cee7a9fa042c41bb526edf5ae855a6354c17a6

Download Submit
C:\Users\Admin\Downloads\ViraLock\oIkm.exe
Filesize
193KB

MD5
736de402ddc6c3d7a889a0e6986bbf79

SHA1
04f3644f7260f30f41ab49eff476dafa87e210ca

SHA256
92b09e2507f522e65bfd80a30043d1a8784eeec367a1a9219f3d01e741fba1c5

SHA512
af5e556da0b5abb1291cc467c3590166ffca71a06bdff8b36858d0dbba3cf8b8a3c33853f399a82aa06a8e4b99a3ea72a0d0518110e6d71f7604ae4b9ea2e924

Download Submit
C:\Users\Admin\Downloads\ViraLock\qAYC.exe
Filesize
198KB

MD5
ee4a8fe05e651276d42162ce36eaef6f

SHA1
9305f211536c1d5c54f2a66ff93b80d0e676c5b5

SHA256
a21b4035e2219015c96d5f4ca41dd709878f462a2e798b34babb362cce17954d

SHA512
b1038b521ab6d988dc0b1b3136ccc64afe25a7f1080a976b8ad7f21a2ab3bff64c567c152439f16165950d5203257a567390f307b4c498f86ee8676cbe38a33a

Download Submit
C:\Users\Admin\Downloads\ViraLock\qEUM.exe
Filesize
187KB

MD5
0a1b74c66f25994e1ff582d01b915706

SHA1
6060137a09a82c0bf3927965e14a9ab5097828ae

SHA256
2bc97ce616d243b7ba084d8caf4c1f12f98729f73edc244f8f5849e96a05f52c

SHA512
dcb4ba024943fd609b1a5473d6dc56e4bac244ea0873cb4a6a8357a1040312af58245a031315972b8a2f701085e33cf71bf835dedaaafbc61db2c2892444f0c2

Download Submit
C:\Users\Admin\Downloads\ViraLock\qIMQ.exe
Filesize
188KB

MD5
087d7f6d0ab840b40ebbe90594f959d8

SHA1
002eba2304be35b301d9e91102001a8c4a61b300

SHA256
6e8048081a8130cf41a5841ae3c13d4bbd998dc269683da001e6532f45a04626

SHA512
d2650aa0b293a8e7cfbee0d9f617c48139a19cb0920b501db88452a9a680e287ff7369bf94c967d1c4300944e20c7d9805f4cab7becb03e4241f37678accd3cd

Download Submit
C:\Users\Admin\Downloads\ViraLock\qkwg.ico
Filesize
4KB

MD5
9af98ac11e0ef05c4c1b9f50e0764888

SHA1
0b15f3f188a4d2e6daec528802f291805fad3f58

SHA256
c3d81c0590da8903a57fb655949bf75919e678a2ef9e373105737cf2c6819e62

SHA512
35217ccd4c48a4468612dd284b8b235ec6b2b42b3148fa506d982870e397569d27fcd443c82f33b1f7f04c5a45de5bf455351425dae5788774e0654d16c9c7e1

Download Submit
C:\Users\Admin\Downloads\ViraLock\qoUG.exe
Filesize
562KB

MD5
f5b6442655f7ca142d8fc882b7a08303

SHA1
e0bb3e621ed9799e6684657c3b3dc2cbb532c8b3

SHA256
4c207843f8a7bdcd5836f02c2b80cf70667f80a9898b08bb18b87066664c566f

SHA512
5a56941bfc98626191273797e567eaeea5e006332e312779413ffc3c5ed4682bbf022f57b7aefa81ccc6ab9a48f1a72154c5fc8e790d25906c429e7625afd554

Download Submit
C:\Users\Admin\Downloads\ViraLock\sQAK.exe
Filesize
189KB

MD5
fb431f7ee13a30b4a80925c31296a5c2

SHA1
fd53289b89532977f2296fd6431a735ff86426e2

SHA256
821cb980c1397e780c0635e6cdeb3c4bebf5f03e0d9340500b2ac5e305a746c8

SHA512
9f9a28fd34cfd3667e4e51737ed7981726a9b23ff87f45ed29ca69d2dd08e3bec314f309da6d0525b9f12a6ddf053a0ef3c16e0d2939c1fef54df605017508cf

Download Submit
C:\Users\Admin\Downloads\ViraLock\skwI.exe
Filesize
196KB

MD5
f5af05366c3e824baf65cd39bda5e7d4

SHA1
f353ac954f94e509b19aef60d81ba55d22fdd37d

SHA256
a7c04c6cd22c21f321f12c6c542ee1538c620483b6b54a5ee6631e3ea8e75908

SHA512
636cf9935b30ea5935000aaba10e53a8671bf69bb4e1adffdc135f8727357ba2058632e12e3163341feb47ed9bf2e608d54e93c9f4b0998289d7ffc9ed72d289

Download Submit
C:\Users\Admin\Downloads\ViraLock\swUO.exe
Filesize
647KB

MD5
b5b21511d139a191c8c9a16b61eff3e7

SHA1
80f84aee3970e354d35ced9eebc86bcade43b022

SHA256
efffa942c3a607f0417a947d2951c965a9e090ab8926fe3f1e43919e926c0581

SHA512
9f0bd9e2dd11d82dd02926537b5894cb0fabdd7e5af1d2e38ce3ef7efbbd8e3a9c711e4297a95aaa8fa0f6a8c15784bf144b58a4cc08fb21363632554d096d69

Download Submit
C:\Users\Admin\Downloads\ViraLock\wYcG.exe
Filesize
194KB

MD5
08d35243ba2111334eee631e15b0c4e2

SHA1
8f411120de32578c5b4c2da0c817149c2b0e9f11

SHA256
89aac8cfa0823db4d3bd5952bd62c2e2c5914c03f83952f579308830fb1d55d9

SHA512
51070a12d0617f2d88ecc46bf5ada7e9af88eea57aebcef20650f1b6c95bba08e8d10831b6ae47ce1cd2034b319daf6765f44a580122ee607cfdc0d5100297f1

Download Submit
C:\Users\Admin\Downloads\ViraLock\wkQu.exe
Filesize
259KB

MD5
8b8265a1dd80e72ec7848da9d28a0a4d

SHA1
65d89c0a835b9a776d343186995bb64c64128789

SHA256
657d8c301f1662c7e849e286154a25fb210548beabae70bef36b1956c3e6d1cf

SHA512
d7d612fb5d3dfd9282fa68b8221899be56a5c4bfce119b8f7b4ee2b3e72dbb1e292f62887f0974281ad0cda5292342bf232830ed098c7a5d849abaecad3feb95

Download Submit
C:\Users\Admin\Downloads\ViraLock\yYwu.exe
Filesize
640KB

MD5
ff099965934ae0857b6e4daecd6e2fd2

SHA1
49c655d04a9853158ea5a95f0047a88a9a48806d

SHA256
29d3ef4148d9ba238ddadcdda8f3d8ede3512ccf43d0e1cb80edebcb2c9f3b11

SHA512
abf86239bce4b68e8cd391ca38ea257ca9ac6075f4d0fe20975c6188399557798b410410adb7c601fe31402a04e847879a3fdf5b38210d0f8a9ceed4adcceedb

Download Submit
C:\Users\Admin\Downloads\ViraLock\ykkA.exe
Filesize
775KB

MD5
0345514c0d31f83c68f2f5df20047862

SHA1
8d0e25511c4ef56cb88f0612a3540f1992774d6a

SHA256
b331e5986ec27d5acd37811d409030cf0df0e32d64f1fd6b5c9640dc236c4df4

SHA512
4c16a82594fb91c5b9de1ed6ffc7aa2865dfb16ab7acef63ac18b0f1abfb6832a95f687989903d1853e3b2e2fc78c250cb37e27e0e53346a90e0243abc7d638b

Download Submit
\??\pipe\LOCAL\crashpad_4048_TLLQHAEQYYMZYXMC
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/412-5028-0x00007FFF693B0000-0x00007FFF693C0000-memory.dmp

Filesize
64KB

Download
memory/412-5055-0x00007FFFA9320000-0x00007FFFA9529000-memory.dmp

Filesize
2.0MB

Download
memory/412-5035-0x00007FFFA9320000-0x00007FFFA9529000-memory.dmp

Filesize
2.0MB

Download
memory/412-5057-0x00007FFFA9320000-0x00007FFFA9529000-memory.dmp

Filesize
2.0MB

Download
memory/412-5041-0x00007FFF66980000-0x00007FFF66990000-memory.dmp

Filesize
64KB

Download
memory/412-5069-0x00007FFFA9320000-0x00007FFFA9529000-memory.dmp

Filesize
2.0MB

Download
memory/412-5045-0x00007FFFA9320000-0x00007FFFA9529000-memory.dmp

Filesize
2.0MB

Download
memory/412-5058-0x00007FFFA9320000-0x00007FFFA9529000-memory.dmp

Filesize
2.0MB

Download
memory/412-5042-0x00007FFFA9320000-0x00007FFFA9529000-memory.dmp

Filesize
2.0MB

Download
memory/412-5026-0x00007FFF693B0000-0x00007FFF693C0000-memory.dmp

Filesize
64KB

Download
memory/412-5040-0x00007FFFA9320000-0x00007FFFA9529000-memory.dmp

Filesize
2.0MB

Download
memory/412-5056-0x00007FFFA9320000-0x00007FFFA9529000-memory.dmp

Filesize
2.0MB

Download
memory/412-5039-0x00007FFFA9320000-0x00007FFFA9529000-memory.dmp

Filesize
2.0MB

Download
memory/412-5038-0x00007FFFA9320000-0x00007FFFA9529000-memory.dmp

Filesize
2.0MB

Download
memory/412-5037-0x00007FFF66980000-0x00007FFF66990000-memory.dmp

Filesize
64KB

Download
memory/412-5036-0x00007FFFA9320000-0x00007FFFA9529000-memory.dmp

Filesize
2.0MB

Download
memory/412-5059-0x00007FFFA87C0000-0x00007FFFA887D000-memory.dmp

Filesize
756KB

Download
memory/412-5043-0x00007FFFA9320000-0x00007FFFA9529000-memory.dmp

Filesize
2.0MB

Download
memory/412-5044-0x00007FFFA9320000-0x00007FFFA9529000-memory.dmp

Filesize
2.0MB

Download
memory/412-5034-0x00007FFFA9320000-0x00007FFFA9529000-memory.dmp

Filesize
2.0MB

Download
memory/412-5033-0x00007FFFA9320000-0x00007FFFA9529000-memory.dmp

Filesize
2.0MB

Download
memory/412-5032-0x00007FFFA9320000-0x00007FFFA9529000-memory.dmp

Filesize
2.0MB

Download
memory/412-5031-0x00007FFFA9320000-0x00007FFFA9529000-memory.dmp

Filesize
2.0MB

Download
memory/412-5030-0x00007FFF693B0000-0x00007FFF693C0000-memory.dmp

Filesize
64KB

Download
memory/412-5029-0x00007FFF693B0000-0x00007FFF693C0000-memory.dmp

Filesize
64KB

Download
memory/412-5027-0x00007FFF693B0000-0x00007FFF693C0000-memory.dmp

Filesize
64KB

Download
memory/1388-5088-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1388-5073-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1924-5157-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1924-5166-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1980-4954-0x00000000021C0000-0x0000000002228000-memory.dmp

Filesize
416KB

Download
memory/1980-4946-0x00000000021C0000-0x0000000002228000-memory.dmp

Filesize
416KB

Download
memory/2748-5108-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2748-5101-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2900-5156-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3028-5199-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3148-4820-0x0000000074310000-0x0000000074AC1000-memory.dmp

Filesize
7.7MB

Download
memory/3148-4821-0x0000000006C80000-0x0000000006CE6000-memory.dmp

Filesize
408KB

Download
memory/3148-4832-0x0000000005B60000-0x0000000005B70000-memory.dmp

Filesize
64KB

Download
memory/3148-4822-0x0000000005B60000-0x0000000005B70000-memory.dmp

Filesize
64KB

Download
memory/3148-3769-0x0000000074310000-0x0000000074AC1000-memory.dmp

Filesize
7.7MB

Download
memory/3208-4910-0x0000000002AE0000-0x0000000002B48000-memory.dmp

Filesize
416KB

Download
memory/3208-4921-0x0000000002AE0000-0x0000000002B48000-memory.dmp

Filesize
416KB

Download
memory/3208-4918-0x0000000002AE0000-0x0000000002B48000-memory.dmp

Filesize
416KB

Download
memory/4604-5109-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4604-5119-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4612-1042-0x00000000056B0000-0x00000000056C0000-memory.dmp

Filesize
64KB

Download
memory/4612-1043-0x0000000005730000-0x000000000573A000-memory.dmp

Filesize
40KB

Download
memory/4612-1041-0x0000000074310000-0x0000000074AC1000-memory.dmp

Filesize
7.7MB

Download
memory/4612-3770-0x00000000056B0000-0x00000000056C0000-memory.dmp

Filesize
64KB

Download
memory/4612-1040-0x0000000005820000-0x00000000058B2000-memory.dmp

Filesize
584KB

Download
memory/4612-1037-0x0000000000C50000-0x0000000000C8C000-memory.dmp

Filesize
240KB

Download
memory/4612-1038-0x0000000005780000-0x000000000581C000-memory.dmp

Filesize
624KB

Download
memory/4612-3768-0x0000000074310000-0x0000000074AC1000-memory.dmp

Filesize
7.7MB

Download
memory/4612-1039-0x0000000005DD0000-0x0000000006376000-memory.dmp

Filesize
5.6MB

Download
memory/4612-1044-0x0000000005A60000-0x0000000005AB6000-memory.dmp

Filesize
344KB

Download
memory/4612-4833-0x00000000056B0000-0x00000000056C0000-memory.dmp

Filesize
64KB

Download
memory/4684-202-0x00000000022D0000-0x00000000022D1000-memory.dmp

Filesize
4KB

Download
memory/4684-221-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4756-5213-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4772-5089-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4772-5099-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5408-5193-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5408-5185-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5560-5083-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/5896-5147-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5896-5134-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5904-5084-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/5908-5128-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5908-5120-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5932-5203-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5932-5162-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5932-5176-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5932-5195-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/6048-5129-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/6048-5138-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/6048-5184-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download