Analysis
-
max time kernel
457s -
max time network
484s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240419-en locale:en-us os:windows10-2004-x64 system -
submitted
07-05-2024 16:28
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/7ev3n.exe
Resource
win10-20240404-en
Behavioral task
behavioral2
Sample
https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/7ev3n.exe
Resource
win10v2004-20240419-en
Behavioral task
behavioral3
Sample
https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/7ev3n.exe
Resource
win11-20240419-en
General
-
Target
https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/7ev3n.exe
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
Processes:
msiexec.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Program Files (x86)\\Windows\\Error file remover\\fatalerror.exe" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Program Files (x86)\\Windows\\Error file remover\\fatalerror.exe" | msiexec.exe
-
Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs
Processes:
reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe -
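Processes (each row below is a reg.exe write setting EnableLUA to 0, the value that switches off User Account Control; the signature title for this group is not present on the page):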
reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe -
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (51) files with added filename extension
This suggests ransomware activity, namely the encryption of all the files on the system.
-
Downloads MZ/PE file
-
Executes dropped EXE 64 IoCs
Processes:
satan.exesatan.exeefku.exeefku.exesatan.exesatan.exexyigo.exexyigo.exesatan.exesatan.exeviwa.exeviwa.exesatan.exesatan.exeandu.exeandu.exeXyeta.exeXyeta.exeXyeta.exeXyeta.exeWinlockerVB6Blacksod.exeViraLock.exeAwEkgEAU.exeSgUAQMAU.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exepid process 3420 satan.exe 4504 satan.exe 1028 efku.exe 456 efku.exe 2064 satan.exe 4864 satan.exe 1268 xyigo.exe 3420 xyigo.exe 4816 satan.exe 4864 satan.exe 720 viwa.exe 4188 viwa.exe 1228 satan.exe 4296 satan.exe 3080 andu.exe 4476 andu.exe 1108 Xyeta.exe 5100 Xyeta.exe 412 Xyeta.exe 4340 Xyeta.exe 4980 WinlockerVB6Blacksod.exe 2604 ViraLock.exe 4232 AwEkgEAU.exe 764 SgUAQMAU.exe 2388 ViraLock.exe 4612 ViraLock.exe 1792 ViraLock.exe 816 ViraLock.exe 644 ViraLock.exe 1644 ViraLock.exe 1104 ViraLock.exe 5040 ViraLock.exe 888 ViraLock.exe 2488 ViraLock.exe 720 ViraLock.exe 2116 ViraLock.exe 3236 ViraLock.exe 1684 ViraLock.exe 716 ViraLock.exe 1436 ViraLock.exe 268 ViraLock.exe 3748 ViraLock.exe 632 ViraLock.exe 4860 ViraLock.exe 4916 ViraLock.exe 4472 ViraLock.exe 2468 ViraLock.exe 1684 ViraLock.exe 3548 ViraLock.exe 2232 ViraLock.exe 4712 ViraLock.exe 4816 ViraLock.exe 412 ViraLock.exe 4320 ViraLock.exe 3660 ViraLock.exe 4972 ViraLock.exe 1828 ViraLock.exe 2024 ViraLock.exe 4456 ViraLock.exe 1640 ViraLock.exe 3844 ViraLock.exe 2520 ViraLock.exe 4472 ViraLock.exe 1232 ViraLock.exe -
Loads dropped DLL 16 IoCs
Processes:
WinlockerVB6Blacksod.exeMsiExec.exeMsiExec.exepid process 4980 WinlockerVB6Blacksod.exe 4980 WinlockerVB6Blacksod.exe 4844 MsiExec.exe 4844 MsiExec.exe 4844 MsiExec.exe 4844 MsiExec.exe 4844 MsiExec.exe 4844 MsiExec.exe 4844 MsiExec.exe 4844 MsiExec.exe 4844 MsiExec.exe 4844 MsiExec.exe 1344 MsiExec.exe 4844 MsiExec.exe 4980 WinlockerVB6Blacksod.exe 4844 MsiExec.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials and other sensitive data.
-
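Processes (YARA matches; the resource and yara_rule columns below show the upx rule hitting the downloaded file and several process memory dumps):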
resource yara_rule C:\Users\Admin\Downloads\Unconfirmed 989410.crdownload upx behavioral2/memory/1108-999-0x0000000000400000-0x000000000044F000-memory.dmp upx behavioral2/memory/1108-1001-0x0000000000400000-0x000000000044F000-memory.dmp upx behavioral2/memory/5100-1004-0x0000000000400000-0x000000000044F000-memory.dmp upx behavioral2/memory/412-1037-0x0000000000400000-0x000000000044F000-memory.dmp upx -
Adds Run key to start application 2 TTPs 5 IoCs
Processes:
Explorer.EXEViraLock.exeSgUAQMAU.exeAwEkgEAU.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{5AFE6E6D-23D3-741B-5056-89006DF8340B} = "C:\\Users\\Admin\\AppData\\Roaming\\Yvwiaw\\efku.exe" Explorer.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AwEkgEAU.exe = "C:\\Users\\Admin\\BEsgsAUM\\AwEkgEAU.exe" ViraLock.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SgUAQMAU.exe = "C:\\ProgramData\\lYUUwkIo\\SgUAQMAU.exe" ViraLock.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SgUAQMAU.exe = "C:\\ProgramData\\lYUUwkIo\\SgUAQMAU.exe" SgUAQMAU.exe Set value (str) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AwEkgEAU.exe = "C:\\Users\\Admin\\BEsgsAUM\\AwEkgEAU.exe" AwEkgEAU.exe -
Blocklisted process makes network request 1 IoCs
Processes:
MsiExec.exeflow pid process 148 4844 MsiExec.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
WinlockerVB6Blacksod.exemsiexec.exemsiexec.exedescription ioc process File opened (read-only) \??\K: WinlockerVB6Blacksod.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\M: WinlockerVB6Blacksod.exe File opened (read-only) \??\X: WinlockerVB6Blacksod.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\L: WinlockerVB6Blacksod.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\V: WinlockerVB6Blacksod.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\S: WinlockerVB6Blacksod.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\B: WinlockerVB6Blacksod.exe File opened (read-only) \??\E: WinlockerVB6Blacksod.exe File opened (read-only) \??\P: WinlockerVB6Blacksod.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\R: WinlockerVB6Blacksod.exe File opened (read-only) \??\Y: WinlockerVB6Blacksod.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) 
\??\G: WinlockerVB6Blacksod.exe File opened (read-only) \??\I: WinlockerVB6Blacksod.exe File opened (read-only) \??\Q: WinlockerVB6Blacksod.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\U: WinlockerVB6Blacksod.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\W: WinlockerVB6Blacksod.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\J: WinlockerVB6Blacksod.exe File opened (read-only) \??\T: WinlockerVB6Blacksod.exe File opened (read-only) \??\Z: WinlockerVB6Blacksod.exe File opened (read-only) \??\O: WinlockerVB6Blacksod.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs
Processes:
Explorer.EXEefku.exeDllHost.exeConhost.exeConhost.exeConhost.exeConhost.exeConhost.exeConhost.exeConhost.exeConhost.exeConhost.exeConhost.exeConhost.exeConhost.exepid process 3448 Explorer.EXE 3448 Explorer.EXE 3448 Explorer.EXE 3448 Explorer.EXE 456 efku.exe 456 efku.exe 456 efku.exe 456 efku.exe 456 efku.exe 4056 DllHost.exe 4056 DllHost.exe 4056 DllHost.exe 4056 DllHost.exe 116 Conhost.exe 116 Conhost.exe 116 Conhost.exe 116 Conhost.exe 1360 Conhost.exe 1360 Conhost.exe 1360 Conhost.exe 1360 Conhost.exe 2360 Conhost.exe 2360 Conhost.exe 2360 Conhost.exe 2360 Conhost.exe 3732 Conhost.exe 3732 Conhost.exe 3732 Conhost.exe 3732 Conhost.exe 4932 Conhost.exe 4932 Conhost.exe 4932 Conhost.exe 4932 Conhost.exe 3788 Conhost.exe 3788 Conhost.exe 3788 Conhost.exe 3788 Conhost.exe 4976 Conhost.exe 4976 Conhost.exe 4976 Conhost.exe 4976 Conhost.exe 3732 Conhost.exe 3732 Conhost.exe 3732 Conhost.exe 3732 Conhost.exe 1104 Conhost.exe 1104 Conhost.exe 1104 Conhost.exe 1104 Conhost.exe 3352 Conhost.exe 3352 Conhost.exe 2340 Conhost.exe 3352 Conhost.exe 2340 Conhost.exe 2340 Conhost.exe 3352 Conhost.exe 2340 Conhost.exe 4608 4608 4608 4608 1328 Conhost.exe 1328 Conhost.exe 1328 Conhost.exe -
Suspicious use of SetThreadContext 8 IoCs
Processes:
satan.exe efku.exe satan.exe xyigo.exe satan.exe viwa.exe satan.exe andu.exe
description | pid | process | target process
PID 3420 set thread context of 4504 | 3420 | satan.exe | satan.exe
PID 1028 set thread context of 456 | 1028 | efku.exe | efku.exe
PID 2064 set thread context of 4864 | 2064 | satan.exe | satan.exe
PID 1268 set thread context of 3420 | 1268 | xyigo.exe | xyigo.exe
PID 4816 set thread context of 4864 | 4816 | satan.exe | satan.exe
PID 720 set thread context of 4188 | 720 | viwa.exe | viwa.exe
PID 1228 set thread context of 4296 | 1228 | satan.exe | satan.exe
PID 3080 set thread context of 4476 | 3080 | andu.exe | andu.exe
-
Drops file in Program Files directory 2 IoCs
Processes:
msiexec.exedescription ioc process File created C:\Program Files (x86)\Windows\Error file remover\Windows Logoff Sound.wav msiexec.exe File created C:\Program Files (x86)\Windows\Error file remover\fatalerror.exe msiexec.exe -
Drops file in Windows directory 21 IoCs
Processes:
msiexec.exeMsiExec.exedescription ioc process File opened for modification C:\Windows\Installer\MSI2A75.tmp msiexec.exe File created C:\Windows\Tasks\sys.job MsiExec.exe File opened for modification C:\Windows\Installer\MSI2968.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI29B7.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI2A07.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI2918.tmp msiexec.exe File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe File created C:\Windows\Installer\SourceHash{C452D4E2-DE24-48B6-B5C3-ACB240A01606} msiexec.exe File opened for modification C:\Windows\Installer\MSI2AE5.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI2B73.tmp msiexec.exe File opened for modification C:\Windows\Installer\e5d27de.msi msiexec.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe File opened for modification C:\Windows\Installer\MSI284B.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI2C20.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI2CDC.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI2948.tmp msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File opened for modification C:\Windows\Installer\MSI2A86.tmp msiexec.exe File created C:\Windows\Installer\e5d27de.msi msiexec.exe File opened for modification C:\Windows\Installer\MSI28AA.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI2AA6.tmp msiexec.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 5 IoCs
Processes:
WerFault.exeWerFault.exeWerFault.exeWerFault.exepid pid_target process target process 4508 1108 WerFault.exe Xyeta.exe 784 5100 WerFault.exe Xyeta.exe 768 412 WerFault.exe Xyeta.exe 4728 4340 WerFault.exe Xyeta.exe 5788 6080 -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
msedge.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe -
Interacts with shadow copies 2 TTPs 1 IoCs
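Shadow copies are often targeted by ransomware to inhibit system recovery. The entry below records only that vssadmin.exe ran; its command line is not shown in this section, so confirm from the process tree whether snapshots were actually deleted.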
Processes:
vssadmin.exepid process 4952 vssadmin.exe -
Modifies Internet Explorer settings
Processes:
Explorer.EXEdescription ioc process Key created \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Software\Microsoft\Internet Explorer\Toolbar Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser Explorer.EXE Set value (data) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 Explorer.EXE -
Modifies data under HKEY_USERS 3 IoCs
Processes:
msiexec.exedescription ioc process Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2A\52C64B7E msiexec.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b msiexec.exe -
Modifies registry class 64 IoCs
Processes:
Explorer.EXEdescription ioc process Key created \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\FFlags = "1092616209" Explorer.EXE Set value (data) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 = 3a002e8005398e082303024b98265d99428e115f260001002600efbe11000000889cbf0a2792da01f587b9509ca0da01f587b9509ca0da0114000000 Explorer.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Downloads" Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259} Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\HotKey = "0" Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16" Explorer.EXE Set value (data) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff Explorer.EXE Set value (data) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local 
Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Rev = "0" Explorer.EXE Set value (data) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 Explorer.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}" Explorer.EXE Set value (data) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff Explorer.EXE Set value (data) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell Explorer.EXE Set value (data) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff Explorer.EXE Set value (int) 
\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\LogicalViewMode = "2" Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\Version = "1" Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668} Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupByKey:PID = "2" Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295" Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupView = "4294967295" Explorer.EXE Set value (data) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = ffffffff Explorer.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = 
"{B725F130-47EF-101A-A5F1-02608C9EEBAC}" Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings Explorer.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Vid = "{65F125E5-7BE1-4810-BA9D-D271C8432CE3}" Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2 Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616193" Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4" Explorer.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14" Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\IconSize = 
"48" Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupByDirection = "1" Explorer.EXE Set value (data) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff Explorer.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}" Explorer.EXE Set value (data) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\NodeSlot = "1" Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\FFlags = "1092616193" Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 Explorer.EXE Set value (data) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000ffffffff Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295" Explorer.EXE Set value (data) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 Explorer.EXE Set value (data) 
\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Mode = "6" Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WFlags = "0" Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\Rev = "0" Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 Explorer.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupByKey:FMTID = "{30C8EEF4-A832-41E2-AB32-E3C3CA28FD29}" Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\NodeSlot = "2" Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\ShowCmd = "1" Explorer.EXE Set value (data) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f80cb859f6720028040b29b5540cc05aab60000 Explorer.EXE Set value (data) 
\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = ffffffff Explorer.EXE Set value (data) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Sort = 0000000000000000000000000000000002000000f4eec83032a8e241ab32e3c3ca28fd29030000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 Explorer.EXE Set value (data) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202 Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders Explorer.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1" Explorer.EXE -
Modifies registry key 1 TTPs 64 IoCs
Processes:
reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exepid process 4180 reg.exe 2596 reg.exe 5808 3200 reg.exe 3236 reg.exe 2360 reg.exe 2664 reg.exe 4324 reg.exe 5376 300 reg.exe 3108 reg.exe 2428 reg.exe 3940 reg.exe 1148 reg.exe 2972 reg.exe 6036 reg.exe 5848 4056 reg.exe 888 reg.exe 3788 reg.exe 5556 3180 reg.exe 1640 5776 1508 reg.exe 1692 reg.exe 2032 reg.exe 5440 reg.exe 208 reg.exe 4492 268 5584 3100 2016 reg.exe 2980 reg.exe 5824 4028 4860 reg.exe 5720 reg.exe 5984 5184 5412 3140 reg.exe 1128 reg.exe 5136 reg.exe 5712 6068 1548 reg.exe 4808 reg.exe 5440 1848 reg.exe 5268 reg.exe 4464 5520 3024 reg.exe 3988 reg.exe 2900 reg.exe 3108 reg.exe 5864 3472 reg.exe 4264 reg.exe 5668 reg.exe 4352 reg.exe 1656 reg.exe -
NTFS ADS 9 IoCs
Processes:
msedge.exedescription ioc process File opened for modification C:\Users\Admin\Downloads\Unconfirmed 124993.crdownload:SmartScreen msedge.exe File opened for modification C:\Users\Admin\Downloads\Unconfirmed 989410.crdownload:SmartScreen msedge.exe File opened for modification C:\Users\Admin\Downloads\Unconfirmed 444495.crdownload:SmartScreen msedge.exe File opened for modification C:\Users\Admin\Downloads\Unconfirmed 365590.crdownload:SmartScreen msedge.exe File opened for modification C:\Users\Admin\Downloads\Unconfirmed 280016.crdownload:SmartScreen msedge.exe File opened for modification C:\Users\Admin\Downloads\Unconfirmed 598467.crdownload:SmartScreen msedge.exe File opened for modification C:\Users\Admin\Downloads\Unconfirmed 785139.crdownload:SmartScreen msedge.exe File opened for modification C:\Users\Admin\Downloads\Unconfirmed 667395.crdownload:SmartScreen msedge.exe File opened for modification C:\Users\Admin\Downloads\Unconfirmed 721000.crdownload:SmartScreen msedge.exe -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
Explorer.EXEpid process 3448 Explorer.EXE 3448 Explorer.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exesatan.exepid process 2352 msedge.exe 2352 msedge.exe 2252 msedge.exe 2252 msedge.exe 4784 identity_helper.exe 4784 identity_helper.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 1584 msedge.exe 1584 msedge.exe 3420 satan.exe 3420 satan.exe 3420 satan.exe 3420 satan.exe 3420 satan.exe 3420 satan.exe 3420 satan.exe 3420 satan.exe 3420 satan.exe 3420 satan.exe 3420 satan.exe 3420 satan.exe 3420 satan.exe 3420 satan.exe 3420 satan.exe 3420 satan.exe 3420 satan.exe 3420 satan.exe 3420 satan.exe 3420 satan.exe 3420 satan.exe 3420 satan.exe 3420 satan.exe 3420 satan.exe 3420 satan.exe 3420 satan.exe 3420 satan.exe 3420 satan.exe 3420 satan.exe 3420 satan.exe 3420 satan.exe 3420 satan.exe 3420 satan.exe 3420 satan.exe 3420 satan.exe 3420 satan.exe 3420 satan.exe 3420 satan.exe 3420 satan.exe 3420 satan.exe 3420 satan.exe 3420 satan.exe 3420 satan.exe 3420 satan.exe 3420 satan.exe 3420 satan.exe 3420 satan.exe 3420 satan.exe 3420 satan.exe 3420 satan.exe 3420 satan.exe 3420 satan.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
Explorer.EXEpid process 3448 Explorer.EXE -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs
Processes:
msedge.exepid process 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
vssvc.exeExplorer.EXEdescription pid process Token: SeBackupPrivilege 3028 vssvc.exe Token: SeRestorePrivilege 3028 vssvc.exe Token: SeAuditPrivilege 3028 vssvc.exe Token: SeShutdownPrivilege 3448 Explorer.EXE Token: SeCreatePagefilePrivilege 3448 Explorer.EXE Token: SeShutdownPrivilege 3448 Explorer.EXE Token: SeCreatePagefilePrivilege 3448 Explorer.EXE Token: SeShutdownPrivilege 3448 Explorer.EXE Token: SeCreatePagefilePrivilege 3448 Explorer.EXE Token: SeShutdownPrivilege 3448 Explorer.EXE Token: SeCreatePagefilePrivilege 3448 Explorer.EXE Token: SeShutdownPrivilege 3448 Explorer.EXE Token: SeCreatePagefilePrivilege 3448 Explorer.EXE Token: SeShutdownPrivilege 3448 Explorer.EXE Token: SeCreatePagefilePrivilege 3448 Explorer.EXE Token: SeShutdownPrivilege 3448 Explorer.EXE Token: SeCreatePagefilePrivilege 3448 Explorer.EXE Token: SeShutdownPrivilege 3448 Explorer.EXE Token: SeCreatePagefilePrivilege 3448 Explorer.EXE Token: SeShutdownPrivilege 3448 Explorer.EXE Token: SeCreatePagefilePrivilege 3448 Explorer.EXE Token: SeShutdownPrivilege 3448 Explorer.EXE Token: SeCreatePagefilePrivilege 3448 Explorer.EXE Token: SeShutdownPrivilege 3448 Explorer.EXE Token: SeCreatePagefilePrivilege 3448 Explorer.EXE Token: SeShutdownPrivilege 3448 Explorer.EXE Token: SeCreatePagefilePrivilege 3448 Explorer.EXE Token: SeShutdownPrivilege 3448 Explorer.EXE Token: SeCreatePagefilePrivilege 3448 Explorer.EXE Token: SeShutdownPrivilege 3448 Explorer.EXE Token: SeCreatePagefilePrivilege 3448 Explorer.EXE Token: SeShutdownPrivilege 3448 Explorer.EXE Token: SeCreatePagefilePrivilege 3448 Explorer.EXE Token: SeShutdownPrivilege 3448 Explorer.EXE Token: SeCreatePagefilePrivilege 3448 Explorer.EXE Token: SeShutdownPrivilege 3448 Explorer.EXE Token: SeCreatePagefilePrivilege 3448 Explorer.EXE Token: SeShutdownPrivilege 3448 Explorer.EXE Token: SeCreatePagefilePrivilege 3448 Explorer.EXE Token: SeShutdownPrivilege 3448 Explorer.EXE Token: SeCreatePagefilePrivilege 3448 Explorer.EXE Token: 
SeShutdownPrivilege 3448 Explorer.EXE Token: SeCreatePagefilePrivilege 3448 Explorer.EXE Token: SeShutdownPrivilege 3448 Explorer.EXE Token: SeCreatePagefilePrivilege 3448 Explorer.EXE Token: SeShutdownPrivilege 3448 Explorer.EXE Token: SeCreatePagefilePrivilege 3448 Explorer.EXE Token: SeShutdownPrivilege 3448 Explorer.EXE Token: SeCreatePagefilePrivilege 3448 Explorer.EXE Token: SeShutdownPrivilege 3448 Explorer.EXE Token: SeCreatePagefilePrivilege 3448 Explorer.EXE Token: SeShutdownPrivilege 3448 Explorer.EXE Token: SeCreatePagefilePrivilege 3448 Explorer.EXE Token: SeShutdownPrivilege 3448 Explorer.EXE Token: SeCreatePagefilePrivilege 3448 Explorer.EXE Token: SeShutdownPrivilege 3448 Explorer.EXE Token: SeCreatePagefilePrivilege 3448 Explorer.EXE Token: SeShutdownPrivilege 3448 Explorer.EXE Token: SeCreatePagefilePrivilege 3448 Explorer.EXE Token: SeShutdownPrivilege 3448 Explorer.EXE Token: SeCreatePagefilePrivilege 3448 Explorer.EXE Token: SeShutdownPrivilege 3448 Explorer.EXE Token: SeCreatePagefilePrivilege 3448 Explorer.EXE Token: SeShutdownPrivilege 3448 Explorer.EXE -
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
msedge.exepid process 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe -
Suspicious use of SendNotifyMessage 40 IoCs
Processes:
msedge.exepid process 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe -
Suspicious use of SetWindowsHookEx 10 IoCs
Processes:
Explorer.EXEConhost.exeConhost.exeConhost.exemsedge.exepid process 3448 Explorer.EXE 3448 Explorer.EXE 3448 Explorer.EXE 1104 Conhost.exe 3352 Conhost.exe 2340 Conhost.exe 2252 msedge.exe 3448 Explorer.EXE 3448 Explorer.EXE 3448 Explorer.EXE -
Suspicious use of UnmapMainImage 1 IoCs
Processes:
RuntimeBroker.exepid process 3668 RuntimeBroker.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
msedge.exedescription pid process target process PID 2252 wrote to memory of 1980 2252 msedge.exe msedge.exe PID 2252 wrote to memory of 1980 2252 msedge.exe msedge.exe PID 2252 wrote to memory of 1464 2252 msedge.exe msedge.exe PID 2252 wrote to memory of 1464 2252 msedge.exe msedge.exe PID 2252 wrote to memory of 1464 2252 msedge.exe msedge.exe PID 2252 wrote to memory of 1464 2252 msedge.exe msedge.exe PID 2252 wrote to memory of 1464 2252 msedge.exe msedge.exe PID 2252 wrote to memory of 1464 2252 msedge.exe msedge.exe PID 2252 wrote to memory of 1464 2252 msedge.exe msedge.exe PID 2252 wrote to memory of 1464 2252 msedge.exe msedge.exe PID 2252 wrote to memory of 1464 2252 msedge.exe msedge.exe PID 2252 wrote to memory of 1464 2252 msedge.exe msedge.exe PID 2252 wrote to memory of 1464 2252 msedge.exe msedge.exe PID 2252 wrote to memory of 1464 2252 msedge.exe msedge.exe PID 2252 wrote to memory of 1464 2252 msedge.exe msedge.exe PID 2252 wrote to memory of 1464 2252 msedge.exe msedge.exe PID 2252 wrote to memory of 1464 2252 msedge.exe msedge.exe PID 2252 wrote to memory of 1464 2252 msedge.exe msedge.exe PID 2252 wrote to memory of 1464 2252 msedge.exe msedge.exe PID 2252 wrote to memory of 1464 2252 msedge.exe msedge.exe PID 2252 wrote to memory of 1464 2252 msedge.exe msedge.exe PID 2252 wrote to memory of 1464 2252 msedge.exe msedge.exe PID 2252 wrote to memory of 1464 2252 msedge.exe msedge.exe PID 2252 wrote to memory of 1464 2252 msedge.exe msedge.exe PID 2252 wrote to memory of 1464 2252 msedge.exe msedge.exe PID 2252 wrote to memory of 1464 2252 msedge.exe msedge.exe PID 2252 wrote to memory of 1464 2252 msedge.exe msedge.exe PID 2252 wrote to memory of 1464 2252 msedge.exe msedge.exe PID 2252 wrote to memory of 1464 2252 msedge.exe msedge.exe PID 2252 wrote to memory of 1464 2252 msedge.exe msedge.exe PID 2252 wrote to memory of 1464 2252 msedge.exe msedge.exe PID 2252 wrote to memory of 1464 2252 msedge.exe msedge.exe PID 2252 wrote to memory of 
1464 2252 msedge.exe msedge.exe PID 2252 wrote to memory of 1464 2252 msedge.exe msedge.exe PID 2252 wrote to memory of 1464 2252 msedge.exe msedge.exe PID 2252 wrote to memory of 1464 2252 msedge.exe msedge.exe PID 2252 wrote to memory of 1464 2252 msedge.exe msedge.exe PID 2252 wrote to memory of 1464 2252 msedge.exe msedge.exe PID 2252 wrote to memory of 1464 2252 msedge.exe msedge.exe PID 2252 wrote to memory of 1464 2252 msedge.exe msedge.exe PID 2252 wrote to memory of 1464 2252 msedge.exe msedge.exe PID 2252 wrote to memory of 1464 2252 msedge.exe msedge.exe PID 2252 wrote to memory of 2352 2252 msedge.exe msedge.exe PID 2252 wrote to memory of 2352 2252 msedge.exe msedge.exe PID 2252 wrote to memory of 2868 2252 msedge.exe msedge.exe PID 2252 wrote to memory of 2868 2252 msedge.exe msedge.exe PID 2252 wrote to memory of 2868 2252 msedge.exe msedge.exe PID 2252 wrote to memory of 2868 2252 msedge.exe msedge.exe PID 2252 wrote to memory of 2868 2252 msedge.exe msedge.exe PID 2252 wrote to memory of 2868 2252 msedge.exe msedge.exe PID 2252 wrote to memory of 2868 2252 msedge.exe msedge.exe PID 2252 wrote to memory of 2868 2252 msedge.exe msedge.exe PID 2252 wrote to memory of 2868 2252 msedge.exe msedge.exe PID 2252 wrote to memory of 2868 2252 msedge.exe msedge.exe PID 2252 wrote to memory of 2868 2252 msedge.exe msedge.exe PID 2252 wrote to memory of 2868 2252 msedge.exe msedge.exe PID 2252 wrote to memory of 2868 2252 msedge.exe msedge.exe PID 2252 wrote to memory of 2868 2252 msedge.exe msedge.exe PID 2252 wrote to memory of 2868 2252 msedge.exe msedge.exe PID 2252 wrote to memory of 2868 2252 msedge.exe msedge.exe PID 2252 wrote to memory of 2868 2252 msedge.exe msedge.exe PID 2252 wrote to memory of 2868 2252 msedge.exe msedge.exe PID 2252 wrote to memory of 2868 2252 msedge.exe msedge.exe PID 2252 wrote to memory of 2868 2252 msedge.exe msedge.exe -
Uses Volume Shadow Copy service COM API
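The Volume Shadow Copy service is used to manage backups/snapshots. Use of the service is not malicious by itself; weigh it together with the vssadmin.exe activity listed under "Interacts with shadow copies".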
Processes
-
C:\Windows\system32\sihost.exe
sihost.exe
1⤵
-
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
-
C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
-
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/7ev3n.exe
2⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb8a0046f8,0x7ffb8a004708,0x7ffb8a004718
3⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,18170905886551537729,699562002755808043,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
3⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,18170905886551537729,699562002755808043,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2060,18170905886551537729,699562002755808043,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2828 /prefetch:8
3⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,18170905886551537729,699562002755808043,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,18170905886551537729,699562002755808043,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,18170905886551537729,699562002755808043,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5240 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,18170905886551537729,699562002755808043,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5240 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,18170905886551537729,699562002755808043,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,18170905886551537729,699562002755808043,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5360 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,18170905886551537729,699562002755808043,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,18170905886551537729,699562002755808043,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5740 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,18170905886551537729,699562002755808043,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3012 /prefetch:23⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2060,18170905886551537729,699562002755808043,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5612 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,18170905886551537729,699562002755808043,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2060,18170905886551537729,699562002755808043,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6104 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2060,18170905886551537729,699562002755808043,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5896 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
-
Image: C:\Users\Admin\Downloads\satan.exe
Command line: "C:\Users\Admin\Downloads\satan.exe"
Tree depth: 3
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
-
Image: C:\Users\Admin\Downloads\satan.exe
Command line: "C:\Users\Admin\Downloads\satan.exe"
Tree depth: 4
- Executes dropped EXE
-
Image: C:\Users\Admin\AppData\Roaming\Yvwiaw\efku.exe
Command line: "C:\Users\Admin\AppData\Roaming\Yvwiaw\efku.exe"
Tree depth: 5
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
Image: C:\Users\Admin\AppData\Roaming\Yvwiaw\efku.exe
Command line: "C:\Users\Admin\AppData\Roaming\Yvwiaw\efku.exe"
Tree depth: 6
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
Image: C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp_41a07d34.bat"
Tree depth: 5
-
Image: C:\Windows\System32\Conhost.exe
Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Tree depth: 6
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,18170905886551537729,699562002755808043,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3460 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2060,18170905886551537729,699562002755808043,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6400 /prefetch:83⤵
-
Image: C:\Users\Admin\Downloads\satan.exe
Command line: "C:\Users\Admin\Downloads\satan.exe"
Tree depth: 3
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
Image: C:\Users\Admin\Downloads\satan.exe
Command line: "C:\Users\Admin\Downloads\satan.exe"
Tree depth: 4
- Executes dropped EXE
-
Image: C:\Users\Admin\AppData\Roaming\Mial\xyigo.exe
Command line: "C:\Users\Admin\AppData\Roaming\Mial\xyigo.exe"
Tree depth: 5
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
Image: C:\Users\Admin\AppData\Roaming\Mial\xyigo.exe
Command line: "C:\Users\Admin\AppData\Roaming\Mial\xyigo.exe"
Tree depth: 6
- Executes dropped EXE
-
Image: C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp_fcb57942.bat"
Tree depth: 5
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,18170905886551537729,699562002755808043,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6280 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2060,18170905886551537729,699562002755808043,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4804 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,18170905886551537729,699562002755808043,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6524 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2060,18170905886551537729,699562002755808043,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5708 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,18170905886551537729,699562002755808043,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1868 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2060,18170905886551537729,699562002755808043,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6420 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2060,18170905886551537729,699562002755808043,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6404 /prefetch:83⤵
-
Image: C:\Users\Admin\Downloads\Xyeta.exe
Command line: "C:\Users\Admin\Downloads\Xyeta.exe"
Tree depth: 3
- Executes dropped EXE
-
Image: C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 448
Tree depth: 4
- Program crash
-
Image: C:\Users\Admin\Downloads\Xyeta.exe
Command line: "C:\Users\Admin\Downloads\Xyeta.exe"
Tree depth: 3
- Executes dropped EXE
-
Image: C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5100 -s 416
Tree depth: 4
- Program crash
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,18170905886551537729,699562002755808043,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5420 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2060,18170905886551537729,699562002755808043,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5904 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2060,18170905886551537729,699562002755808043,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5056 /prefetch:83⤵
-
Image: C:\Users\Admin\Downloads\WinlockerVB6Blacksod.exe
Command line: "C:\Users\Admin\Downloads\WinlockerVB6Blacksod.exe"
Tree depth: 3
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
-
Image: C:\Windows\SysWOW64\msiexec.exe
Command line: "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Windows\Error file remover 1.0.0.0\install\0A01606\Error file remover.msi" AI_SETUPEXEPATH=C:\Users\Admin\Downloads\WinlockerVB6Blacksod.exe SETUPEXEDIR=C:\Users\Admin\Downloads\ EXE_CMD_LINE="/exenoupdates /exelang 0 /noprereqs "
Tree depth: 4
- Enumerates connected drives
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,18170905886551537729,699562002755808043,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1868 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2060,18170905886551537729,699562002755808043,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6444 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,18170905886551537729,699562002755808043,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4992 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2060,18170905886551537729,699562002755808043,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6524 /prefetch:83⤵
-
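Image: C:\Users\Admin\Downloads\ViraLock.exe
Command line: "C:\Users\Admin\Downloads\ViraLock.exe"
Tree depth: 3
- Executes dropped EXE
- Adds Run key to start application
-
Image: C:\Users\Admin\BEsgsAUM\AwEkgEAU.exe
Command line: "C:\Users\Admin\BEsgsAUM\AwEkgEAU.exe"
Tree depth: 4
- Executes dropped EXE
- Adds Run key to start application
-
Image: C:\ProgramData\lYUUwkIo\SgUAQMAU.exe
Command line: "C:\ProgramData\lYUUwkIo\SgUAQMAU.exe"
Tree depth: 4
- Executes dropped EXE
- Adds Run key to start application
-
Image: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
Tree depth: 4
-
Image: C:\Users\Admin\Downloads\ViraLock.exe
Command line: C:\Users\Admin\Downloads\ViraLock
Tree depth: 5
- Executes dropped EXE
(The cmd.exe /c and ViraLock.exe pair above repeats on the entries that follow, one level deeper each time. On those entries the number printed before ⤵ is the process-tree depth; it is not part of the path or the command line, so the command line stays C:\Users\Admin\Downloads\ViraLock throughout.)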
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"6⤵
-
C:\Users\Admin\Downloads\ViraLock.exeC:\Users\Admin\Downloads\ViraLock7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"8⤵
-
C:\Users\Admin\Downloads\ViraLock.exeC:\Users\Admin\Downloads\ViraLock9⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"10⤵
-
Image: C:\Windows\System32\Conhost.exe
Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Tree depth: 11
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Downloads\ViraLock.exeC:\Users\Admin\Downloads\ViraLock11⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"12⤵
-
C:\Users\Admin\Downloads\ViraLock.exeC:\Users\Admin\Downloads\ViraLock13⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"14⤵
-
C:\Users\Admin\Downloads\ViraLock.exeC:\Users\Admin\Downloads\ViraLock15⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"16⤵
-
C:\Users\Admin\Downloads\ViraLock.exeC:\Users\Admin\Downloads\ViraLock17⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"18⤵
-
C:\Users\Admin\Downloads\ViraLock.exeC:\Users\Admin\Downloads\ViraLock19⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"20⤵
-
C:\Users\Admin\Downloads\ViraLock.exeC:\Users\Admin\Downloads\ViraLock21⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"22⤵
-
C:\Users\Admin\Downloads\ViraLock.exeC:\Users\Admin\Downloads\ViraLock23⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"24⤵
-
C:\Users\Admin\Downloads\ViraLock.exeC:\Users\Admin\Downloads\ViraLock25⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"26⤵
-
C:\Users\Admin\Downloads\ViraLock.exeC:\Users\Admin\Downloads\ViraLock27⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"28⤵
-
C:\Users\Admin\Downloads\ViraLock.exeC:\Users\Admin\Downloads\ViraLock29⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"30⤵
-
C:\Users\Admin\Downloads\ViraLock.exeC:\Users\Admin\Downloads\ViraLock31⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"32⤵
-
C:\Users\Admin\Downloads\ViraLock.exeC:\Users\Admin\Downloads\ViraLock33⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"34⤵
-
C:\Users\Admin\Downloads\ViraLock.exeC:\Users\Admin\Downloads\ViraLock35⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"36⤵
-
C:\Users\Admin\Downloads\ViraLock.exeC:\Users\Admin\Downloads\ViraLock37⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"38⤵
-
C:\Users\Admin\Downloads\ViraLock.exeC:\Users\Admin\Downloads\ViraLock39⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"40⤵
-
Image: C:\Windows\System32\Conhost.exe
Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Tree depth: 41
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Downloads\ViraLock.exeC:\Users\Admin\Downloads\ViraLock41⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"42⤵
-
C:\Users\Admin\Downloads\ViraLock.exeC:\Users\Admin\Downloads\ViraLock43⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"44⤵
-
C:\Users\Admin\Downloads\ViraLock.exeC:\Users\Admin\Downloads\ViraLock45⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"46⤵
-
C:\Users\Admin\Downloads\ViraLock.exeC:\Users\Admin\Downloads\ViraLock47⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"48⤵
-
C:\Users\Admin\Downloads\ViraLock.exeC:\Users\Admin\Downloads\ViraLock49⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"50⤵
-
C:\Users\Admin\Downloads\ViraLock.exeC:\Users\Admin\Downloads\ViraLock51⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"52⤵
-
C:\Users\Admin\Downloads\ViraLock.exeC:\Users\Admin\Downloads\ViraLock53⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"54⤵
-
C:\Users\Admin\Downloads\ViraLock.exeC:\Users\Admin\Downloads\ViraLock55⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"56⤵
-
C:\Users\Admin\Downloads\ViraLock.exeC:\Users\Admin\Downloads\ViraLock57⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"58⤵
-
C:\Users\Admin\Downloads\ViraLock.exeC:\Users\Admin\Downloads\ViraLock59⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"60⤵
-
C:\Users\Admin\Downloads\ViraLock.exeC:\Users\Admin\Downloads\ViraLock61⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"62⤵
-
C:\Users\Admin\Downloads\ViraLock.exeC:\Users\Admin\Downloads\ViraLock63⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"64⤵
-
C:\Users\Admin\Downloads\ViraLock.exeC:\Users\Admin\Downloads\ViraLock65⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"66⤵
-
Image: C:\Windows\System32\Conhost.exe
Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Tree depth: 67
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Downloads\ViraLock.exeC:\Users\Admin\Downloads\ViraLock67⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"68⤵
-
Image: C:\Windows\System32\Conhost.exe
Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Tree depth: 69
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Downloads\ViraLock.exeC:\Users\Admin\Downloads\ViraLock69⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"70⤵
-
C:\Users\Admin\Downloads\ViraLock.exeC:\Users\Admin\Downloads\ViraLock71⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"72⤵
-
C:\Users\Admin\Downloads\ViraLock.exeC:\Users\Admin\Downloads\ViraLock73⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"74⤵
-
C:\Users\Admin\Downloads\ViraLock.exeC:\Users\Admin\Downloads\ViraLock75⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"76⤵
-
C:\Users\Admin\Downloads\ViraLock.exeC:\Users\Admin\Downloads\ViraLock77⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"78⤵
-
C:\Users\Admin\Downloads\ViraLock.exeC:\Users\Admin\Downloads\ViraLock79⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"80⤵
-
C:\Users\Admin\Downloads\ViraLock.exeC:\Users\Admin\Downloads\ViraLock81⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"82⤵
-
C:\Users\Admin\Downloads\ViraLock.exeC:\Users\Admin\Downloads\ViraLock83⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"84⤵
-
C:\Users\Admin\Downloads\ViraLock.exeC:\Users\Admin\Downloads\ViraLock85⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"86⤵
-
Image: C:\Windows\System32\Conhost.exe
Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Tree depth: 87
-
C:\Users\Admin\Downloads\ViraLock.exeC:\Users\Admin\Downloads\ViraLock87⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"88⤵
-
Image: C:\Windows\System32\Conhost.exe
Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Tree depth: 89
-
C:\Users\Admin\Downloads\ViraLock.exeC:\Users\Admin\Downloads\ViraLock89⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"90⤵
-
C:\Users\Admin\Downloads\ViraLock.exeC:\Users\Admin\Downloads\ViraLock91⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"92⤵
-
C:\Users\Admin\Downloads\ViraLock.exeC:\Users\Admin\Downloads\ViraLock93⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"94⤵
-
C:\Users\Admin\Downloads\ViraLock.exeC:\Users\Admin\Downloads\ViraLock95⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"96⤵
-
C:\Users\Admin\Downloads\ViraLock.exeC:\Users\Admin\Downloads\ViraLock97⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"98⤵
-
Image: C:\Windows\System32\Conhost.exe
Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Tree depth: 99
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Downloads\ViraLock.exeC:\Users\Admin\Downloads\ViraLock99⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"100⤵
-
C:\Users\Admin\Downloads\ViraLock.exeC:\Users\Admin\Downloads\ViraLock101⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"102⤵
-
C:\Users\Admin\Downloads\ViraLock.exeC:\Users\Admin\Downloads\ViraLock103⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"104⤵
-
C:\Users\Admin\Downloads\ViraLock.exeC:\Users\Admin\Downloads\ViraLock105⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"106⤵
-
C:\Users\Admin\Downloads\ViraLock.exeC:\Users\Admin\Downloads\ViraLock107⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"108⤵
-
Image: C:\Windows\System32\Conhost.exe
Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Tree depth: 109
-
C:\Users\Admin\Downloads\ViraLock.exeC:\Users\Admin\Downloads\ViraLock109⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"110⤵
-
Image: C:\Windows\System32\Conhost.exe
Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Tree depth: 111
-
C:\Users\Admin\Downloads\ViraLock.exeC:\Users\Admin\Downloads\ViraLock111⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"112⤵
-
C:\Users\Admin\Downloads\ViraLock.exeC:\Users\Admin\Downloads\ViraLock113⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"114⤵
-
C:\Users\Admin\Downloads\ViraLock.exeC:\Users\Admin\Downloads\ViraLock115⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"116⤵
-
C:\Users\Admin\Downloads\ViraLock.exeC:\Users\Admin\Downloads\ViraLock117⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"118⤵
-
C:\Users\Admin\Downloads\ViraLock.exeC:\Users\Admin\Downloads\ViraLock119⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"120⤵
-
C:\Users\Admin\Downloads\ViraLock.exeC:\Users\Admin\Downloads\ViraLock121⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"122⤵
-
C:\Users\Admin\Downloads\ViraLock.exeC:\Users\Admin\Downloads\ViraLock123⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"124⤵
-
Image: C:\Windows\System32\Conhost.exe
Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Tree depth: 125
-
C:\Users\Admin\Downloads\ViraLock.exeC:\Users\Admin\Downloads\ViraLock125⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"126⤵
-
C:\Users\Admin\Downloads\ViraLock.exeC:\Users\Admin\Downloads\ViraLock127⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"128⤵
-
C:\Users\Admin\Downloads\ViraLock.exeC:\Users\Admin\Downloads\ViraLock129⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"130⤵
-
C:\Users\Admin\Downloads\ViraLock.exeC:\Users\Admin\Downloads\ViraLock131⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"132⤵
-
C:\Users\Admin\Downloads\ViraLock.exeC:\Users\Admin\Downloads\ViraLock133⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"134⤵
-
C:\Users\Admin\Downloads\ViraLock.exeC:\Users\Admin\Downloads\ViraLock135⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"136⤵
-
C:\Users\Admin\Downloads\ViraLock.exeC:\Users\Admin\Downloads\ViraLock137⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"138⤵
-
C:\Users\Admin\Downloads\ViraLock.exeC:\Users\Admin\Downloads\ViraLock139⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"140⤵
-
C:\Users\Admin\Downloads\ViraLock.exeC:\Users\Admin\Downloads\ViraLock141⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"142⤵
-
Image: C:\Windows\System32\Conhost.exe
Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Tree depth: 143
-
C:\Users\Admin\Downloads\ViraLock.exeC:\Users\Admin\Downloads\ViraLock143⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"144⤵
-
C:\Users\Admin\Downloads\ViraLock.exeC:\Users\Admin\Downloads\ViraLock145⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"146⤵
-
C:\Users\Admin\Downloads\ViraLock.exeC:\Users\Admin\Downloads\ViraLock147⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"148⤵
-
C:\Users\Admin\Downloads\ViraLock.exeC:\Users\Admin\Downloads\ViraLock149⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"150⤵
-
C:\Users\Admin\Downloads\ViraLock.exeC:\Users\Admin\Downloads\ViraLock151⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"152⤵
-
Image: C:\Windows\System32\Conhost.exe
Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Tree depth: 153
-
C:\Users\Admin\Downloads\ViraLock.exeC:\Users\Admin\Downloads\ViraLock153⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"154⤵
-
C:\Users\Admin\Downloads\ViraLock.exeC:\Users\Admin\Downloads\ViraLock155⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"156⤵
-
C:\Users\Admin\Downloads\ViraLock.exeC:\Users\Admin\Downloads\ViraLock157⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"158⤵
-
C:\Users\Admin\Downloads\ViraLock.exeC:\Users\Admin\Downloads\ViraLock159⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"160⤵
-
Image: C:\Windows\System32\Conhost.exe
Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Tree depth: 161
-
C:\Users\Admin\Downloads\ViraLock.exeC:\Users\Admin\Downloads\ViraLock161⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"162⤵
-
C:\Users\Admin\Downloads\ViraLock.exeC:\Users\Admin\Downloads\ViraLock163⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"164⤵
-
C:\Users\Admin\Downloads\ViraLock.exeC:\Users\Admin\Downloads\ViraLock165⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"166⤵
-
C:\Users\Admin\Downloads\ViraLock.exeC:\Users\Admin\Downloads\ViraLock167⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"168⤵
-
C:\Users\Admin\Downloads\ViraLock.exeC:\Users\Admin\Downloads\ViraLock169⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"170⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1171⤵
-
C:\Users\Admin\Downloads\ViraLock.exeC:\Users\Admin\Downloads\ViraLock171⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"172⤵
-
C:\Users\Admin\Downloads\ViraLock.exeC:\Users\Admin\Downloads\ViraLock173⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"174⤵
-
C:\Users\Admin\Downloads\ViraLock.exeC:\Users\Admin\Downloads\ViraLock175⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"176⤵
-
C:\Users\Admin\Downloads\ViraLock.exeC:\Users\Admin\Downloads\ViraLock177⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"178⤵
-
C:\Users\Admin\Downloads\ViraLock.exeC:\Users\Admin\Downloads\ViraLock179⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"180⤵
-
C:\Users\Admin\Downloads\ViraLock.exeC:\Users\Admin\Downloads\ViraLock181⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"182⤵
-
C:\Users\Admin\Downloads\ViraLock.exeC:\Users\Admin\Downloads\ViraLock183⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"184⤵
-
C:\Users\Admin\Downloads\ViraLock.exeC:\Users\Admin\Downloads\ViraLock185⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"186⤵
-
C:\Users\Admin\Downloads\ViraLock.exeC:\Users\Admin\Downloads\ViraLock187⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"188⤵
-
C:\Users\Admin\Downloads\ViraLock.exeC:\Users\Admin\Downloads\ViraLock189⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"190⤵
-
C:\Users\Admin\Downloads\ViraLock.exeC:\Users\Admin\Downloads\ViraLock191⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"192⤵
-
C:\Users\Admin\Downloads\ViraLock.exeC:\Users\Admin\Downloads\ViraLock193⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"194⤵
-
C:\Users\Admin\Downloads\ViraLock.exeC:\Users\Admin\Downloads\ViraLock195⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"196⤵
-
C:\Users\Admin\Downloads\ViraLock.exeC:\Users\Admin\Downloads\ViraLock197⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"198⤵
-
C:\Users\Admin\Downloads\ViraLock.exeC:\Users\Admin\Downloads\ViraLock199⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"200⤵
-
C:\Users\Admin\Downloads\ViraLock.exeC:\Users\Admin\Downloads\ViraLock201⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"202⤵
-
C:\Users\Admin\Downloads\ViraLock.exeC:\Users\Admin\Downloads\ViraLock203⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"204⤵
-
C:\Users\Admin\Downloads\ViraLock.exeC:\Users\Admin\Downloads\ViraLock205⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"206⤵
-
C:\Users\Admin\Downloads\ViraLock.exeC:\Users\Admin\Downloads\ViraLock207⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"208⤵
-
C:\Users\Admin\Downloads\ViraLock.exeC:\Users\Admin\Downloads\ViraLock209⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"210⤵
-
C:\Users\Admin\Downloads\ViraLock.exeC:\Users\Admin\Downloads\ViraLock211⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"212⤵
-
C:\Users\Admin\Downloads\ViraLock.exeC:\Users\Admin\Downloads\ViraLock213⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"214⤵
-
C:\Users\Admin\Downloads\ViraLock.exeC:\Users\Admin\Downloads\ViraLock215⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"216⤵
-
C:\Users\Admin\Downloads\ViraLock.exeC:\Users\Admin\Downloads\ViraLock217⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"218⤵
-
C:\Users\Admin\Downloads\ViraLock.exeC:\Users\Admin\Downloads\ViraLock219⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"220⤵
-
C:\Users\Admin\Downloads\ViraLock.exeC:\Users\Admin\Downloads\ViraLock221⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"222⤵
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
222⤵
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
220⤵
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
220⤵
-
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
220⤵
-
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GyYMAooY.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
220⤵
-
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
221⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1218⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2218⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f218⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sYkokcsc.bat" "C:\Users\Admin\Downloads\ViraLock.exe""218⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs219⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1216⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2216⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f216⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FYcMYocQ.bat" "C:\Users\Admin\Downloads\ViraLock.exe""216⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs217⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1214⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2214⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f214⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RSYUgcMg.bat" "C:\Users\Admin\Downloads\ViraLock.exe""214⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs215⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1212⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2212⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f212⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WWYsQgsM.bat" "C:\Users\Admin\Downloads\ViraLock.exe""212⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs213⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1210⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2210⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f210⤵
- Modifies registry key
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gcYcAAoI.bat" "C:\Users\Admin\Downloads\ViraLock.exe""210⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs211⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1208⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2208⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f208⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NIwYcMgQ.bat" "C:\Users\Admin\Downloads\ViraLock.exe""208⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1209⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs209⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1206⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2206⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f206⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jCIEAwwA.bat" "C:\Users\Admin\Downloads\ViraLock.exe""206⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs207⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1204⤵
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2204⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f204⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VuEYMYYQ.bat" "C:\Users\Admin\Downloads\ViraLock.exe""204⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs205⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1202⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2202⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f202⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CIsAIsks.bat" "C:\Users\Admin\Downloads\ViraLock.exe""202⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs203⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1200⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2200⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f200⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jMogEUkw.bat" "C:\Users\Admin\Downloads\ViraLock.exe""200⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs201⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1198⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2198⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f198⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jEckcYAE.bat" "C:\Users\Admin\Downloads\ViraLock.exe""198⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1199⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs199⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1196⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2196⤵
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f196⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zCwcEAwQ.bat" "C:\Users\Admin\Downloads\ViraLock.exe""196⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs197⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1194⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2194⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f194⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1195⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kOYAgkAM.bat" "C:\Users\Admin\Downloads\ViraLock.exe""194⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs195⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1192⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2192⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f192⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ueMcgQQY.bat" "C:\Users\Admin\Downloads\ViraLock.exe""192⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs193⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1190⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2190⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f190⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qMUQgkwQ.bat" "C:\Users\Admin\Downloads\ViraLock.exe""190⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs191⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1188⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2188⤵
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f188⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XsgsAYUY.bat" "C:\Users\Admin\Downloads\ViraLock.exe""188⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs189⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1186⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2186⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f186⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tQoUwssI.bat" "C:\Users\Admin\Downloads\ViraLock.exe""186⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs187⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1184⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2184⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f184⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zsIwEMAs.bat" "C:\Users\Admin\Downloads\ViraLock.exe""184⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs185⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1182⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1183⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2182⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f182⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tCMsAswo.bat" "C:\Users\Admin\Downloads\ViraLock.exe""182⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs183⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1180⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1181⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2180⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f180⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iYUMssoU.bat" "C:\Users\Admin\Downloads\ViraLock.exe""180⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs181⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1178⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1179⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2178⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f178⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ScYEEYAc.bat" "C:\Users\Admin\Downloads\ViraLock.exe""178⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs179⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1176⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2176⤵
-
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
176⤵
- UAC bypass
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AikkgQMg.bat" "C:\Users\Admin\Downloads\ViraLock.exe""176⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs177⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1174⤵
- Modifies registry key
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1175⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2174⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1175⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f174⤵
- UAC bypass
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DsgUwkIo.bat" "C:\Users\Admin\Downloads\ViraLock.exe""174⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs175⤵
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
172⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
172⤵
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
172⤵
- UAC bypass
- Modifies registry key
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BqoEsIUk.bat" "C:\Users\Admin\Downloads\ViraLock.exe""172⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs173⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1170⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2170⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1171⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f170⤵
- UAC bypass
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oSMYkkEs.bat" "C:\Users\Admin\Downloads\ViraLock.exe""170⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs171⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1168⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2168⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f168⤵
- UAC bypass
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OYUMwAws.bat" "C:\Users\Admin\Downloads\ViraLock.exe""168⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs169⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1166⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2166⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f166⤵
- UAC bypass
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1167⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wKggsAwE.bat" "C:\Users\Admin\Downloads\ViraLock.exe""166⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs167⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1164⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2164⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f164⤵
- UAC bypass
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XuwsYgkw.bat" "C:\Users\Admin\Downloads\ViraLock.exe""164⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs165⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1162⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2162⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f162⤵
- UAC bypass
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BuQkUIkQ.bat" "C:\Users\Admin\Downloads\ViraLock.exe""162⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs163⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1160⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2160⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f160⤵
- UAC bypass
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1161⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PMYcQEMU.bat" "C:\Users\Admin\Downloads\ViraLock.exe""160⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs161⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1158⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2158⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f158⤵
- UAC bypass
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JQoAYkQA.bat" "C:\Users\Admin\Downloads\ViraLock.exe""158⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs159⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1156⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2156⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f156⤵
- UAC bypass
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uiYwQUAo.bat" "C:\Users\Admin\Downloads\ViraLock.exe""156⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs157⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1154⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2154⤵
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f154⤵
- UAC bypass
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1155⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cQsIMwoM.bat" "C:\Users\Admin\Downloads\ViraLock.exe""154⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs155⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1152⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1153⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2152⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f152⤵
- UAC bypass
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SMkcIkUU.bat" "C:\Users\Admin\Downloads\ViraLock.exe""152⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs153⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1150⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2150⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1151⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f150⤵
- UAC bypass
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VUQckwEQ.bat" "C:\Users\Admin\Downloads\ViraLock.exe""150⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1151⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs151⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1148⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2148⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f148⤵
- UAC bypass
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JkAMMQUQ.bat" "C:\Users\Admin\Downloads\ViraLock.exe""148⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs149⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1146⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2146⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1147⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f146⤵
- UAC bypass
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FCoIgYcs.bat" "C:\Users\Admin\Downloads\ViraLock.exe""146⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1147⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs147⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1144⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2144⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f144⤵
- UAC bypass
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1145⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZQAososo.bat" "C:\Users\Admin\Downloads\ViraLock.exe""144⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs145⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1142⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2142⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1143⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f142⤵
- UAC bypass
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GwooAgIU.bat" "C:\Users\Admin\Downloads\ViraLock.exe""142⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs143⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1140⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1141⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2140⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1141⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f140⤵
- UAC bypass
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AwYkQMUw.bat" "C:\Users\Admin\Downloads\ViraLock.exe""140⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs141⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1138⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1139⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2138⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f138⤵
- UAC bypass
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cCIokQgs.bat" "C:\Users\Admin\Downloads\ViraLock.exe""138⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs139⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1136⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1137⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2136⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1137⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f136⤵
- UAC bypass
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tcEAIAQY.bat" "C:\Users\Admin\Downloads\ViraLock.exe""136⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs137⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1134⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1135⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2134⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f134⤵
- UAC bypass
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jykYsMoQ.bat" "C:\Users\Admin\Downloads\ViraLock.exe""134⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1135⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs135⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1132⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2132⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1133⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f132⤵
- UAC bypass
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1133⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xmcUIMgo.bat" "C:\Users\Admin\Downloads\ViraLock.exe""132⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs133⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1130⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2130⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f130⤵
- UAC bypass
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YowEUcgk.bat" "C:\Users\Admin\Downloads\ViraLock.exe""130⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs131⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1128⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2128⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f128⤵
- UAC bypass
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EWcEQkww.bat" "C:\Users\Admin\Downloads\ViraLock.exe""128⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1129⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs129⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1126⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2126⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f126⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wAEMoIUM.bat" "C:\Users\Admin\Downloads\ViraLock.exe""126⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs127⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1124⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2124⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f124⤵
- UAC bypass
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xYMMYkwA.bat" "C:\Users\Admin\Downloads\ViraLock.exe""124⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs125⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1122⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1123⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2122⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f122⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1123⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rKUwEUIo.bat" "C:\Users\Admin\Downloads\ViraLock.exe""122⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs123⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1120⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2120⤵
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f120⤵
- UAC bypass
- Modifies registry key
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OQoIUkkU.bat" "C:\Users\Admin\Downloads\ViraLock.exe""120⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs121⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1118⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2118⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f118⤵
- UAC bypass
- Modifies registry key
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SAYwYwUg.bat" "C:\Users\Admin\Downloads\ViraLock.exe""118⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs119⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1116⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2116⤵
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f116⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wAIsocIk.bat" "C:\Users\Admin\Downloads\ViraLock.exe""116⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs117⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1114⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2114⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f114⤵
- UAC bypass
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cqAYwYQo.bat" "C:\Users\Admin\Downloads\ViraLock.exe""114⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs115⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1112⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2112⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f112⤵
- UAC bypass
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rOskoksI.bat" "C:\Users\Admin\Downloads\ViraLock.exe""112⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs113⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1110⤵
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2110⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f110⤵
- UAC bypass
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jowYoQgw.bat" "C:\Users\Admin\Downloads\ViraLock.exe""110⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs111⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1108⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2108⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f108⤵
- UAC bypass
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TaYIkUEU.bat" "C:\Users\Admin\Downloads\ViraLock.exe""108⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs109⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1106⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2106⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1107⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f106⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WiYEkQIo.bat" "C:\Users\Admin\Downloads\ViraLock.exe""106⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs107⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1104⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2104⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f104⤵
- UAC bypass
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1105⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cSMEcYQg.bat" "C:\Users\Admin\Downloads\ViraLock.exe""104⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs105⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1102⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2102⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f102⤵
- UAC bypass
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yQQogkIw.bat" "C:\Users\Admin\Downloads\ViraLock.exe""102⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1103⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs103⤵
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
100⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
100⤵
-
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
101⤵
-
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
100⤵
- UAC bypass
-
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yEskQQEI.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
100⤵
-
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
101⤵
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
98⤵
-
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
99⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
98⤵
- Modifies registry key
-
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
99⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
98⤵
- UAC bypass
-
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
99⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\byUMIgAU.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
98⤵
-
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
99⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 196⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 296⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f96⤵
- UAC bypass
- Modifies registry key
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV197⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zOUEEoIY.bat" "C:\Users\Admin\Downloads\ViraLock.exe""96⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV197⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs97⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 194⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 294⤵
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f94⤵
- UAC bypass
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\teUEMwgw.bat" "C:\Users\Admin\Downloads\ViraLock.exe""94⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs95⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 192⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 292⤵
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f92⤵
- UAC bypass
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wOcgokIs.bat" "C:\Users\Admin\Downloads\ViraLock.exe""92⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs93⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 190⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 290⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV191⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f90⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV191⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GwMUMQQc.bat" "C:\Users\Admin\Downloads\ViraLock.exe""90⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs91⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 188⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 288⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV189⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f88⤵
- UAC bypass
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QiYAsYAY.bat" "C:\Users\Admin\Downloads\ViraLock.exe""88⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs89⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 186⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 286⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f86⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jEIgAwQw.bat" "C:\Users\Admin\Downloads\ViraLock.exe""86⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs87⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 184⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 284⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f84⤵
- UAC bypass
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LgQQgkEo.bat" "C:\Users\Admin\Downloads\ViraLock.exe""84⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs85⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 182⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 282⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f82⤵
- Modifies registry key
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lYgAMYMU.bat" "C:\Users\Admin\Downloads\ViraLock.exe""82⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs83⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 180⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 280⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV181⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f80⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kAwMcwQU.bat" "C:\Users\Admin\Downloads\ViraLock.exe""80⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs81⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 178⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV179⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 278⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f78⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IuAMQEcQ.bat" "C:\Users\Admin\Downloads\ViraLock.exe""78⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV179⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs79⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 176⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV177⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 276⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f76⤵
- UAC bypass
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IMAksMIw.bat" "C:\Users\Admin\Downloads\ViraLock.exe""76⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs77⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 174⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 274⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f74⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zksYsYEQ.bat" "C:\Users\Admin\Downloads\ViraLock.exe""74⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs75⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 172⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 272⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f72⤵
- UAC bypass
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jsksUMQU.bat" "C:\Users\Admin\Downloads\ViraLock.exe""72⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs73⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 170⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 270⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV171⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f70⤵
- UAC bypass
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PEYoEoAI.bat" "C:\Users\Admin\Downloads\ViraLock.exe""70⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV171⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs71⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 168⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 268⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f68⤵
- UAC bypass
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QykYEYYI.bat" "C:\Users\Admin\Downloads\ViraLock.exe""68⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV169⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs69⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 166⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 266⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f66⤵
- UAC bypass
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV167⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ukMcogYg.bat" "C:\Users\Admin\Downloads\ViraLock.exe""66⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV167⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs67⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 164⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 264⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f64⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BsMIMEsI.bat" "C:\Users\Admin\Downloads\ViraLock.exe""64⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs65⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 162⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 262⤵
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f62⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LAcIcYMQ.bat" "C:\Users\Admin\Downloads\ViraLock.exe""62⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs63⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 160⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 260⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f60⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NeIMMEQk.bat" "C:\Users\Admin\Downloads\ViraLock.exe""60⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV161⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs61⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 158⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 258⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f58⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SMAkcwYc.bat" "C:\Users\Admin\Downloads\ViraLock.exe""58⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs59⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 156⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 256⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f56⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oeAUsccg.bat" "C:\Users\Admin\Downloads\ViraLock.exe""56⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs57⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 154⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 254⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV155⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f54⤵
- UAC bypass
- Modifies registry key
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ESEowAsk.bat" "C:\Users\Admin\Downloads\ViraLock.exe""54⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs55⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 152⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 252⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f52⤵
- UAC bypass
- Modifies registry key
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LwEMcgMs.bat" "C:\Users\Admin\Downloads\ViraLock.exe""52⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs53⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 150⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 250⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f50⤵
- Modifies registry key
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lIkYowwI.bat" "C:\Users\Admin\Downloads\ViraLock.exe""50⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs51⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 148⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 248⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f48⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dikgEEEg.bat" "C:\Users\Admin\Downloads\ViraLock.exe""48⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs49⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 146⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 246⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f46⤵
- UAC bypass
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YeIoAMoE.bat" "C:\Users\Admin\Downloads\ViraLock.exe""46⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs47⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 144⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 244⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f44⤵
- UAC bypass
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sIkgEAcc.bat" "C:\Users\Admin\Downloads\ViraLock.exe""44⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs45⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 142⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 242⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f42⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iaEAgYQE.bat" "C:\Users\Admin\Downloads\ViraLock.exe""42⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs43⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 140⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 240⤵
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f40⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BqUkIkMk.bat" "C:\Users\Admin\Downloads\ViraLock.exe""40⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV141⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs41⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 138⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 238⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f38⤵
- Modifies registry key
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV139⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tOkkUAkk.bat" "C:\Users\Admin\Downloads\ViraLock.exe""38⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs39⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 136⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 236⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f36⤵
- UAC bypass
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zigYkcww.bat" "C:\Users\Admin\Downloads\ViraLock.exe""36⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs37⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 134⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 234⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f34⤵
- UAC bypass
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gyEkUIMs.bat" "C:\Users\Admin\Downloads\ViraLock.exe""34⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs35⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 132⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 232⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f32⤵
- UAC bypass
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GQwwwcws.bat" "C:\Users\Admin\Downloads\ViraLock.exe""32⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs33⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 130⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 230⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f30⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV131⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\feokMogs.bat" "C:\Users\Admin\Downloads\ViraLock.exe""30⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs31⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 128⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 228⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f28⤵
- UAC bypass
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PsIEQwQE.bat" "C:\Users\Admin\Downloads\ViraLock.exe""28⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV129⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs29⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 126⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 226⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f26⤵
- UAC bypass
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RysMoscc.bat" "C:\Users\Admin\Downloads\ViraLock.exe""26⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs27⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 124⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 224⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f24⤵
- UAC bypass
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mIsYYEcw.bat" "C:\Users\Admin\Downloads\ViraLock.exe""24⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs25⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 122⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 222⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f22⤵
- UAC bypass
- Modifies registry key
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SiUAkkcE.bat" "C:\Users\Admin\Downloads\ViraLock.exe""22⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs23⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 120⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 220⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f20⤵
- UAC bypass
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iUYIYAkg.bat" "C:\Users\Admin\Downloads\ViraLock.exe""20⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs21⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 118⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 218⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f18⤵
- UAC bypass
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AIIMAcos.bat" "C:\Users\Admin\Downloads\ViraLock.exe""18⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs19⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 116⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 216⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f16⤵
- UAC bypass
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZAcYcAUo.bat" "C:\Users\Admin\Downloads\ViraLock.exe""16⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs17⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 114⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 214⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f14⤵
- UAC bypass
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bsEIgYYE.bat" "C:\Users\Admin\Downloads\ViraLock.exe""14⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs15⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 112⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 212⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f12⤵
- UAC bypass
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RsskUYUE.bat" "C:\Users\Admin\Downloads\ViraLock.exe""12⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs13⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 110⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 210⤵
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f10⤵
- UAC bypass
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SMswsQko.bat" "C:\Users\Admin\Downloads\ViraLock.exe""10⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV111⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs11⤵
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
depth 8⤵
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
depth 8⤵
-
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
depth 8⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aIgUckQU.bat" "C:\Users\Admin\Downloads\ViraLock.exe""8⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs9⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 16⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 26⤵
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f6⤵
- UAC bypass
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CAwswEYw.bat" "C:\Users\Admin\Downloads\ViraLock.exe""6⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs7⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 14⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 24⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FSwcgokQ.bat" "C:\Users\Admin\Downloads\ViraLock.exe""4⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs5⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,18170905886551537729,699562002755808043,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4504 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2060,18170905886551537729,699562002755808043,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5712 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2060,18170905886551537729,699562002755808043,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6344 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2060,18170905886551537729,699562002755808043,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6704 /prefetch:83⤵
-
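C:\Windows\System32\vssadmin.exe
"C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet
depth 2⤵
- Interacts with shadow copies (this command deletes every volume shadow copy without prompting, removing the local restore points that could otherwise be used to recover files; MITRE ATT&CK T1490, Inhibit System Recovery)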
-
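C:\Users\Admin\Downloads\satan.exe
"C:\Users\Admin\Downloads\satan.exe"
depth 2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext (the same image appears again one level down in the tree, which is consistent with the process injecting into a child copy of itself; this is inferred from the tree and not confirmed by this listing)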
-
C:\Users\Admin\Downloads\satan.exe"C:\Users\Admin\Downloads\satan.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\Wugat\viwa.exe"C:\Users\Admin\AppData\Roaming\Wugat\viwa.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Wugat\viwa.exe"C:\Users\Admin\AppData\Roaming\Wugat\viwa.exe"5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp_f9e7deaf.bat"4⤵
-
C:\Users\Admin\Downloads\satan.exe"C:\Users\Admin\Downloads\satan.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Downloads\satan.exe"C:\Users\Admin\Downloads\satan.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\Awzoe\andu.exe"C:\Users\Admin\AppData\Roaming\Awzoe\andu.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Awzoe\andu.exe"C:\Users\Admin\AppData\Roaming\Awzoe\andu.exe"5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp_2bb1b451.bat"4⤵
-
C:\Users\Admin\Downloads\Xyeta.exe"C:\Users\Admin\Downloads\Xyeta.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 412 -s 4163⤵
- Program crash
-
C:\Users\Admin\Downloads\Xyeta.exe"C:\Users\Admin\Downloads\Xyeta.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4340 -s 4323⤵
- Program crash
-
C:\Users\Admin\Downloads\ViraLock.exe"C:\Users\Admin\Downloads\ViraLock.exe"2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"3⤵
-
C:\Users\Admin\Downloads\ViraLock.exeC:\Users\Admin\Downloads\ViraLock4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"5⤵
-
C:\Users\Admin\Downloads\ViraLock.exeC:\Users\Admin\Downloads\ViraLock6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"7⤵
-
C:\Users\Admin\Downloads\ViraLock.exeC:\Users\Admin\Downloads\ViraLock8⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"9⤵
-
C:\Users\Admin\Downloads\ViraLock.exeC:\Users\Admin\Downloads\ViraLock10⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"11⤵
-
C:\Users\Admin\Downloads\ViraLock.exeC:\Users\Admin\Downloads\ViraLock12⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"13⤵
-
C:\Users\Admin\Downloads\ViraLock.exeC:\Users\Admin\Downloads\ViraLock14⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"15⤵
-
C:\Users\Admin\Downloads\ViraLock.exeC:\Users\Admin\Downloads\ViraLock16⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"17⤵
-
C:\Users\Admin\Downloads\ViraLock.exeC:\Users\Admin\Downloads\ViraLock18⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"19⤵
-
C:\Users\Admin\Downloads\ViraLock.exeC:\Users\Admin\Downloads\ViraLock20⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"21⤵
-
C:\Users\Admin\Downloads\ViraLock.exeC:\Users\Admin\Downloads\ViraLock22⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"23⤵
-
C:\Users\Admin\Downloads\ViraLock.exeC:\Users\Admin\Downloads\ViraLock24⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"25⤵
-
C:\Users\Admin\Downloads\ViraLock.exeC:\Users\Admin\Downloads\ViraLock26⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 125⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 225⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f25⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eoMskcgo.bat" "C:\Users\Admin\Downloads\ViraLock.exe""25⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs26⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 123⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 223⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f23⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EeMscQkk.bat" "C:\Users\Admin\Downloads\ViraLock.exe""23⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs24⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 121⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 221⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f21⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LmIAAIgw.bat" "C:\Users\Admin\Downloads\ViraLock.exe""21⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs22⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 119⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 219⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f19⤵
- Modifies registry key
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lcoMogYg.bat" "C:\Users\Admin\Downloads\ViraLock.exe""19⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs20⤵
-
C:\Windows\SysWOW64\reg.exe — reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 [depth 17]
-
C:\Windows\SysWOW64\reg.exe — reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 [depth 17]
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exe — reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f [depth 17]
-
C:\Windows\SysWOW64\cmd.exe — C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TIQYAEQw.bat" "C:\Users\Admin\Downloads\ViraLock.exe"" [depth 17]
-
C:\Windows\SysWOW64\cscript.exe — cscript C:\Users\Admin\AppData\Local\Temp/file.vbs [depth 18]
-
C:\Windows\SysWOW64\reg.exe — reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 [depth 15]
-
C:\Windows\SysWOW64\reg.exe — reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 [depth 15]
-
C:\Windows\SysWOW64\reg.exe — reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f [depth 15]
-
C:\Windows\SysWOW64\cmd.exe — C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UKQoUgUY.bat" "C:\Users\Admin\Downloads\ViraLock.exe"" [depth 15]
-
C:\Windows\SysWOW64\cscript.exe — cscript C:\Users\Admin\AppData\Local\Temp/file.vbs [depth 16]
-
C:\Windows\SysWOW64\reg.exe — reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 [depth 13]
-
C:\Windows\SysWOW64\reg.exe — reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 [depth 13]
-
C:\Windows\SysWOW64\reg.exe — reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f [depth 13]
-
C:\Windows\SysWOW64\cmd.exe — C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uUYAAQQc.bat" "C:\Users\Admin\Downloads\ViraLock.exe"" [depth 13]
-
C:\Windows\SysWOW64\cscript.exe — cscript C:\Users\Admin\AppData\Local\Temp/file.vbs [depth 14]
-
C:\Windows\SysWOW64\reg.exe — reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 [depth 11]
-
C:\Windows\SysWOW64\reg.exe — reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 [depth 11]
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exe — reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f [depth 11]
-
C:\Windows\SysWOW64\cmd.exe — C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rgYEcoAk.bat" "C:\Users\Admin\Downloads\ViraLock.exe"" [depth 11]
-
C:\Windows\SysWOW64\cscript.exe — cscript C:\Users\Admin\AppData\Local\Temp/file.vbs [depth 12]
-
C:\Windows\SysWOW64\reg.exe — reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 [depth 9]
-
C:\Windows\SysWOW64\reg.exe — reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 [depth 9]
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exe — reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f [depth 9]
-
C:\Windows\SysWOW64\cmd.exe — C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NAowgYoU.bat" "C:\Users\Admin\Downloads\ViraLock.exe"" [depth 9]
-
C:\Windows\SysWOW64\cscript.exe — cscript C:\Users\Admin\AppData\Local\Temp/file.vbs [depth 10]
-
C:\Windows\SysWOW64\reg.exe — reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 [depth 7]
-
C:\Windows\SysWOW64\reg.exe — reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 [depth 7]
-
C:\Windows\SysWOW64\reg.exe — reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f [depth 7]
-
C:\Windows\SysWOW64\cmd.exe — C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tcAsYUkM.bat" "C:\Users\Admin\Downloads\ViraLock.exe"" [depth 7]
-
C:\Windows\SysWOW64\cscript.exe — cscript C:\Users\Admin\AppData\Local\Temp/file.vbs [depth 8]
-
C:\Windows\SysWOW64\reg.exe — reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 [depth 5]
-
C:\Windows\SysWOW64\reg.exe — reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 [depth 5]
-
C:\Windows\SysWOW64\reg.exe — reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f [depth 5]
-
C:\Windows\SysWOW64\cmd.exe — C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gWEMoEAA.bat" "C:\Users\Admin\Downloads\ViraLock.exe"" [depth 5]
-
C:\Windows\SysWOW64\cscript.exe — cscript C:\Users\Admin\AppData\Local\Temp/file.vbs [depth 6]
-
C:\Windows\SysWOW64\reg.exe — reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 [depth 3]
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exe — reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 [depth 3]
-
C:\Windows\SysWOW64\reg.exe — reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f [depth 3]
-
C:\Windows\SysWOW64\cmd.exe — C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rMcYMQME.bat" "C:\Users\Admin\Downloads\ViraLock.exe"" [depth 3]
-
C:\Windows\SysWOW64\cscript.exe — cscript C:\Users\Admin\AppData\Local\Temp/file.vbs [depth 4]
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
- Suspicious use of UnmapMainImage
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:ShellFeedsUI.AppXnj65k2d1a1rnztt2t2nng5ctmk3e76pn.mca1⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\SysWOW64\WerFault.exe — C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1108 -ip 1108 [depth 1]
-
C:\Windows\SysWOW64\WerFault.exe — C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5100 -ip 5100 [depth 1]
-
C:\Windows\SysWOW64\WerFault.exe — C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 412 -ip 412 [depth 1]
-
C:\Windows\SysWOW64\WerFault.exe — C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4340 -ip 4340 [depth 1]
-
C:\Windows\system32\msiexec.exe — C:\Windows\system32\msiexec.exe /V [depth 1]
- Modifies WinLogon for persistence
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
-
C:\Windows\syswow64\MsiExec.exe — C:\Windows\syswow64\MsiExec.exe -Embedding 9783F1EE344A7CD5BAD23837CD71CA2A [depth 2]
- Loads dropped DLL
- Blocklisted process makes network request
-
C:\Windows\syswow64\MsiExec.exe — C:\Windows\syswow64\MsiExec.exe -Embedding 9950111C02931E5A99CD0858E63512E9 E Global\MSI0000 [depth 2]
- Loads dropped DLL
- Drops file in Windows directory
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Boot or Logon Autostart Execution: 2
  - Registry Run Keys / Startup Folder: 1
  - Winlogon Helper DLL: 1
Privilege Escalation
- Boot or Logon Autostart Execution: 2
  - Registry Run Keys / Startup Folder: 1
  - Winlogon Helper DLL: 1
- Abuse Elevation Control Mechanism: 1
  - Bypass User Account Control: 1
Defense Evasion
- Modify Registry: 6
- Hide Artifacts: 1
  - Hidden Files and Directories: 1
- Abuse Elevation Control Mechanism: 1
  - Bypass User Account Control: 1
- Impair Defenses: 1
  - Disable or Modify Tools: 1
- Indicator Removal: 2
  - File Deletion: 2
Downloads
-
C:\Config.Msi\e5d27e1.rbsFilesize
99KB
MD585c9c791e60962e161a28bdc62a65f7d
SHA1a48c036c31dd8e063fcd7c428983ec3c0d068a65
SHA256783426c9867c0a00a600f6d49e7af87977237ea1c31a447898b861936b468bd2
SHA5125c0afa0e4f8e54ce51231c64d755c847a980aec3a01f18ade28569a7055fcbd0f11a628751b9d9cfc7026b2c7a94da79677f77dc34b27938548a2b1fc3946629
-
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exeFilesize
320KB
MD5e49ea3071a551273b010366ade85d823
SHA1dd95a494a73e3a8cc9dc8376ba7592d5bd0dc2ab
SHA25671e9a1abceaea9df19e5edb658feb703ac5546d29002672d292cb43fe294ea41
SHA5124fbb857186cdb18a4c04047a405acaaeb8678fdc87e05050807766dd55ffbca23d2f4760781606202eea26325542655b7547907299b158d038855d983a6762e3
-
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exeFilesize
223KB
MD5b3c421baffd111236d3451e2a5633e6f
SHA158637848b551256b7876355131a659b87592edbc
SHA256172428b46b1f7637bcc7a64956b105b808a3f27e57349a0b4b32bf7c247c4b64
SHA51207e067a5fe9f6c5d3adf97e6d59948f11c255386656c309b6a1911092f918a73a55cb6bc2e08424361ea1c02fb5b06456bdd9718a2167b237cbd7bc695ba1aab
-
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exeFilesize
305KB
MD50d8a2e44b0ef8568eb64a7801c896ffc
SHA186c2cb3231422cbcfed9bf32690cb8dc6053f528
SHA256da335fc6ea8859805f63e18c8821fd888729fb920e3aa969fe9aa51305f406f9
SHA5122a3fc8bc79720ca5b50b939949dd86e1e6b3a42bcd9092e190cd3a4fd7efb91aedc0ef335569cec72e4899ad82f3d82535ae9c4f9bf9e8a23d1024404b839c6e
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.76.1_0\128.png.exeFilesize
198KB
MD53e457070eb7ebd0d65ad5fcd5be775b3
SHA1b5e1acadc6968a46d5a714efcd91e35231fd4be7
SHA256a5c243d423442a6fdcf5824842fd4bf8d5743b26e664ec82d0bda2d26a314332
SHA5129fff9183d82bd013773ee82d73f126772166722e42199577ee0bc8c8d178314b29d577d0c7b2e0f6c37520f7550bb03ddbcedd1c470949c1f0f0e0c340d5c297
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\32.png.exeFilesize
206KB
MD5fbfc1e37fda2453857d1bb11d38af20e
SHA1dcb5e8c773ffc68d163419da3d892f2c19c18aae
SHA256ba1f3276ed0f8c5a9a1fa2a416fb02ad2ab481172e13b0e8c81f5c3c00c77a85
SHA51283c4e3eb7a1f5275244188133feca114f81e2af018472dbb073665148ed12bda3e8a390b512a7c731118989f903e832c6488284149a3b578b5f1f4872a57fdfa
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD58b2290ca03b4ca5fe52d82550c7e7d69
SHA120583a7851a906444204ce8ba4fa51153e6cd494
SHA256f9ff4871fc5317299de907489d466e630be63d698c8f7cb77cc81faddbecc6d2
SHA512704ec8122cc1c263dff67ddbb5c20ee0db8a438674d716bc3be5b266ee5629a219b0049d721f9eb2dd8f2d8fda0163659eaa4d3e1f0a6e9072a8ffb92bb2b25d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5919c29d42fb6034fee2f5de14d573c63
SHA124a2e1042347b3853344157239bde3ed699047a8
SHA25617cd6de97a0c020cb4935739cfef4ec4e074e8d127ac4c531b6dc496580c8141
SHA512bb7eadd087bbcec8b1b8a49b102b454333f2f9708d36b6ffc3c82fdc52e46873398d967238c3bfe9ac6caef45b017a5fe3938ebf5f3053e4ef9be7b2752b563d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\11681c16-f859-4f42-9895-f2f022b491ff.tmpFilesize
6KB
MD5d923a2343714940a8a49fd1df6b01ba5
SHA1505d68670cf96eba1239a774c7203f164b9466b6
SHA2565923af7fd0c550b0e1a9d60d55696f1d65e429272797a985d530ff6dbc0de55e
SHA512a7c11bf37c896694d4caf5937facf0db37dfde553d6b5c9427ec80cdd49cbcb2099b314a532ab1a302c69146320c24438946f6781a90feab5418f2c7d85892d8
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
1KB
MD5522daf72d79f371f3c5f8dc9be61e3bc
SHA12a0e693f5f432c3d3a61eeef11cd1b92919484e3
SHA25692f1bd6af8b3e66ddbb102eb38cd303c42022455673c0625afa04ea81ff83f49
SHA512fd6b9534c9e57888bc84ad77e5acde2ae4efe936ee0d173de621be58c8938fccb9b5936c3f03c3631ca834b2d8c710f1a3cd3a934f09b1c790fc8d9cb39a66fe
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
579B
MD52ebbd61422b78463e73114c90d111185
SHA196a2a4824b034c487ccfcc08f3d7defa75601565
SHA256164f96175f640e1c88954414f0d6bd4b866e8bc4004221585211df95aaeacaab
SHA512a707e87fa44ddc0f804778e849698b4b9b1a110342a9eb8abcc1a9178019d6424077d6293940adf1b3db80872e42fb70347fb927e7a6cadb2490381fb2f1b926
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
496B
MD568796d38dbdfcc782f0286de3168bbcf
SHA1ada79c4e910e246efc34ee3db45f22835f79efaa
SHA256df741a75f0d8edbecd876c56ace12df986d412827cf351c6cf1ce847470dcc2f
SHA512748834486f28756567c775eb84edafe82c2651c479765dfa896a6a7d611180355bada35d2d8881ec3484caea420fca176c2a510e3eae10babdb546a6b2f99c6f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD593b5ad1edd8e6775ba67128d48c18a49
SHA1850531ddc1f4845d289493c45e8a7b2b0e131f07
SHA256029245685aaa51702fdc7dbc013b174b8f48fcd61c647444bb162ce41eed3d0b
SHA5120d088b3bb5b934e23389d0ec501c9e9721a55a91fe9e3afdbdd1ad70869cac69b1f2c16e821d7909a18ee78fd28b07ce710a8e795d599421b7ae86fbeb5cc4a5
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5b7926f0e781cd7d7a782d33276ba7db0
SHA1bc0d108b7311bc9dcb9ffe5a628d44a9032863b0
SHA2569cb187e1ce2e95e06c4c75bea9bc09158a2222efa9725ef9338c5608f323c641
SHA512a23fdf39c55517fbca726be403199c8aec71a5165530a4b1faa80871a3f814fcc0441605c584ce91a02ab1183c8ab4f43126bbaff77105c8b870492be5b6c0e2
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD556df0f917a929de4b3e9035ab9d9d26c
SHA16f71417df90b5f5b9e2ded1c0df1e05d84e86836
SHA25624489f1ac89a791cb29bbe8b68ffebf95f070dfbf6dff5b6abd7973a761eea4e
SHA512921c78b09427d51243a99f9a0a3d42c0aab3d624de02fa52f91f91f0e6787c167e4ff4da5377ea0763a887b835ad6bb00405a9b5249176a882abf332c26cfb17
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5e1d08077677e30bf5205977b678e0355
SHA12500901b8d2eadf87cb6d7573140f618cae019cf
SHA256b62cc76a0b6e9ce903abe8df3e245081c8358808a7ceb94ae928552ce6cc8028
SHA5122ab0b6e6931da3cab627f685efeaabe12447fb2cccf9e251217fef68663a94766d56a5333b89caac7b4009ae67421e6f23547be8fe1b8f9cd0fa694e165e6874
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD53c2506ec7bcfc723d0cb0f975e3ea5f0
SHA10ff47d535725db75a3ef3beb58ced1a94b7e7bc4
SHA256e29d6c3c1b0da8aaad6d919d0225da3b3dde236ea1a92d1007acc8a25af011a5
SHA512fff474adc82df6f001499786510315a595d86e85b3ee487dfc555efe6ad18634620594ec30412a25a6b056810cbc393642d810d9a73a1bf738be81828dbdb1d6
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD54c3a4bee0831802dd503ac110e5a4ab4
SHA16e404239cdb4bf6e186187596c706e2a3090d5f7
SHA256598ee2716017995fff7564d6b37886a885fb0eeca4def80eac75319c19912365
SHA51234ecafb6254083b2ec1d70e1984bb0219f35a7ab231710a6db16abac1f8a644f39bbf80789ae1be1b79605ac7cc7f6dd732f528772ae1dc3a8f8f41630aef88a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD5e83116ef61f9438067e7d8c31c92bd0f
SHA1795fd772a8da097e1f8c10c2d066c200cba57b2d
SHA25629883003d3b9818030fe41c67815167d9dec90b337bc02337bbf6426b11586eb
SHA512f84dc7372a496ec7d57bdf5256715c281c2f72956b38ea12bb6e75a140a6f2d6a2e2e5a817f47dd5aa609458969ca0d8c6bb551633f044325c0edaf56ff717e8
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD5362f999aeef3140307790aab6ade86e1
SHA1aaca0b878b69176e2f4fb7f1ec71391b05aae9e3
SHA256e0db44ae3715b43b4082ee755062ce8b3427154499f500b66759437249c1fa23
SHA512202868b804957388d24dfe5af2fd93c0fc09c13fec1917f8c559af2026d606e7b577cecba984cf3f0f389bce27a78c2ce349068f31b76c6cb891245a91443146
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD5851b4f7e37e90f9f8c91a57dd79929c1
SHA1e9db57537a19bfb1277a06e81b6e46a181a5c8f1
SHA2569d7ac5f587ddac4121618069551964f922c87b93e2845c9057e14dd3408db8ab
SHA51292e11827b83ea9763ca6f110fa09442b9893888f893f5db3ae645f1d7d1b0dc89fe390f8a54b1522603f0bd14cad5f8766f7af7c3c26cd2434094d0e267f362d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD5b0c85822545ed69f606458c9343613b2
SHA1906e66acf24eb4178fd6d0340c8d308c25736e6a
SHA2560948d54b84c3e197f4ec6641d34abb133cebab5d6f72f4c46f2db64384340aff
SHA512405714a3b9bbd39af5ceafa7a7d298bbc65d8f34fdf7e527ca44b11a79e6e67e403e1b93187da8a369a5b0beb6ffda19751028b5ee27875bb89288dcc722b697
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD5d5ea8b1461e826de75064411745fcd32
SHA1de27ec1367960e08c93e76dacec7b2affbaa9d9d
SHA256eb659d5d7893d86479a2b201ea729f90bcf11343436ed1b47037607e838f2af0
SHA512172892a6fafb23d22902b81ccaf83b673b2973f8ec6d88fcde42fdf391275d7e9bf12343cc068696a4297c605c43148b5d7634193249d9937e929b9b5c52b48e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD5bd03c108b14e11e8c0a9979f38c77002
SHA149516355fcce782b3bae471320afc22b3e4437b5
SHA256415706e032573b6f2b1cc7da908efc0f36b28727194a89418ccbb2062624ec03
SHA512feedb1da2804bf1439195821f91c9169c4d2681d9e972a57e88c53f634f88b2c3d8279d7834de267167611682e8ed8cdb9fa8fabd3abaad34c41046ecc81dde2
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5b4f74.TMPFilesize
874B
MD5a51ed375e5e7365b64947647a7cbb498
SHA17275019de9569bfce80248b4c008a66c04a68235
SHA256f90b8f477ef005429a37c2946738297ea3c13006fd036b75590e0d0e4a927527
SHA512f0602ed59275de1241391bca3250ac5e6acee365378212f6510c7d908dcf5069ef5b5f6936084dd022224487b765c8a3233b91031c18230e61c7c0a5e4485ffa
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\b7be0cd1-cb19-4c35-8a8c-e22309260d9b.tmpFilesize
1KB
MD546c435c461b54fb9f6b1d635d80b9441
SHA119e254fbae79fbefa130e6d7650db3fa20260058
SHA2562750c1d632cb64e2c176cdf7f4ba32efc47d7ef94d5ac14399c26c3208b2aa09
SHA5123df157f4c48d7ef7201f7f9d7e436e1c911ed941abf59eb3c8cdc0c692e6d7f1835aef81a194f5aedd90a4fa15f86b02c244aba0b834944368ce818ee7a68fe3
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD5e94a2867f42c8bb4f8dae28d28175bd8
SHA1f1e967ed48b0b1937c6c4cdf3343bf9fffd04fb2
SHA256d610c22d101452e99cb6ee706ae1502ecd359e8a43ed3e9cf51ae65f938915bc
SHA51272dbb7abb0c4705f1d16abd0f4324dbfbf7a5ea9dec62a5c93c50a356cb8be6fe2ee34b2b03dd6b01b13698aa30fd1ea71ada6d89a426b75bc196517eeff637c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD5803f920230c9b5b0b0d977d3ed8f8be8
SHA176d99f9458409ce2bb92df2822c800e1eccfc600
SHA256580ee4c63301d4df5ba682aab94eaedf5a33a5461d9b898839355744fa10c73d
SHA5121948bea9a8b40efe5e2f3176c7e90fb052472bb3b43e70316dc3588e3c62ca55d2040e611afe10cddc390b39f2aef3d648b6a6d968ba72b69c4abd84128a811f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD5dae0d5849dceadc9cff12c86726f4a57
SHA128439866343886e8221150958ab264dc07c4eff3
SHA2562487416b9b0669824c7591f90ead24069387b8864a64b573c4ecf565a8c6ccfd
SHA512e3a15f30e2bda2ef75d980704ef8be3e4963d5f8394aa2aad04cacb4ad24ede3e17be5cdfcb9121e91bed5ca18a5691aa93437eb1f18ccb44488db385f8febd2
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD5ab730702144c3139547c0dea2088be97
SHA12c0bdbb003eb93ca6404374ce90368ac303a9d9e
SHA2562191e5733c5fe6ea708a230871375bf3ff26e16505b7e0ceb3e2a813405f9e67
SHA5120a611ecb083b1166483ba1776469929e8a03de35f975364cec43a061eff1ec50b178a9c97acbeb951749236eb54b10fb0a2a137c44ee84ae666f65c3c28bbf23
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD5be76e5073e1d1a5f5f9bc115f70b531a
SHA1ec379e6f21d0c4bf7977ea71dc07e2206d1d66de
SHA2560cbfa256914eb3a341a671c44571ab389867df72cff0e32f9aa35e200cd874ce
SHA512d7eab8942bbe18d2e0cd7a9373a8d0ccdb244b0a8048c02b91164d93f1383358d73cf19c32b6cf9587f958e94112de2a92f5131659bdb664b0d22d34a8cedce5
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD5b53f55d42840e18b9c68ea3fd200fa86
SHA13a611edeadfb69bc3723a28ac4145ec8cf29df97
SHA25638132add931f85ae7d74032278965d7f18ed62b7d6572d4d3d4041e90b6bfe38
SHA5124dae6a251ae6ce1e492297b2b5d5dd6ec6744f83d3483202c5802e02d09caf839bbbb7eb06ef339fc3f480a9cb3eaf439f4aed475b605810865a5e7da4079bdc
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD5c383886a5da0a1fe608ea04407f01363
SHA18332c414a162fa2234665eced0d866d7d00ba23e
SHA256db396e14c7654bab0ced663e606a434b59239a48d29cde49bf80ee097f7dd55d
SHA51278d791deca77deff62b41357b4fdb6c8ad00196b851ce4e80184d60620eb1ac4bbdb6c07d80b7cd661598d3a37fba71f3f0c2f30e8a43d94cf374ce2ee83a217
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMLockedFileToast.png.exeFilesize
196KB
MD5648533d39c09f7c0709bd576cc732b8e
SHA1206c30b554027dd412076a5038024060e0fccb62
SHA256ec2b90e715a06443600e4217e10ecdf0c6a18c77312923b89a8462ce2840de8e
SHA5120114e1021b8099b3a171cab47c5897293a47dc5f8982836815fa14a620ec68b5a923c796f42f570b3e9ed79d8575e86f0b8d09c4fd9b23ae958cb33a69bcd219
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaError.png.exeFilesize
210KB
MD580dc9cd645153a2da0f720ceae9d12b4
SHA107ef0d41cac044e896fee829606611d9e516e5f3
SHA256d8d28d520d5dca117be99dda17c5542c7d85bff83a98e2b3dec8a2613a059809
SHA512a4d15a1878118191ea10643af5e00ba5f3942089a70bd04649cb98a687700c58cb2adf2d413632b00e79d91bc47c5212180d9c21c33dceeb03d95732838f119f
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\26310719480\squaretile.png.exeFilesize
193KB
MD5cc1e5f86de223277179d6ce899f5e110
SHA15e51e1dd1a8fa6346a5d94d830fe7b33108ac5f5
SHA2564e3e0017384c1f6663d16360a130a3d946d4d09837c5da970d7c7d2bc595d4e5
SHA51296df8fa8ddfb062a54ca28e42a0bf826f475bece7805658bede140c1b2435923e105e09026d077cc970f1783d0abe6ab653b561aa8262745d21f422e78a10afb
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\26310719480\tinytile.png.exeFilesize
197KB
MD55c7b710392a9cae9e80736d9cf4398d1
SHA16711ff5c9b3aa1950f70016457ab4e2275a98c3f
SHA2566f6fafae9463fcd28e1e465603565654498c342bb3426ac899c62bf86c655b58
SHA51279c9cb9697df35c829fe702f470079a86c45378333369e042ae73ac482a02a5f96acf311d665ae23f01c842a3709e661d8b59b716fe915f86c3760fa3e8e4834
-
C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Error file remover\1.0.0.0\tracking.iniFilesize
84B
MD5072ab660696a708932f7d83e0f5d3f92
SHA13e7030f18f477706da2f62a8068a67498a10e396
SHA256b68d1292be61518631f0bd520119d94502c667056b8ecb3319f91a723c4efa17
SHA512ec3735f6b0142c85e88ceb62a03f937a9b9d82e50dbe89231dd11c4542441f5c7ed036a71abbb8ded2412903a7154ec01940568d9175e6f9bf75acc5f307942c
-
C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Error file remover\1.0.0.0\tracking.iniFilesize
84B
MD54b643f48cc18289f402938b6388a8da1
SHA1e9221628a777df36e1109d134c90732a6ce27a34
SHA2562a28aba58c45bb21959acd55ff5d3a566ee83f94474a281efb06b429f29398e1
SHA512bb80868f725fa92826a25b20fa36ed57e5cfeca41bec7f1820479feeec8de156961b797e71ddd21312bcc8483914721bdf6f3bd8275a36712d3bf6bd019181b2
-
C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Error file remover\1.0.0.0\{40168110-2B86-4B81-B99A-BB76C44D425F}.sessionFilesize
4KB
MD5bd42b81067b930bf32d4d825587a5808
SHA1529391d2e898db67b32b15492358d99467c970fb
SHA256b7e049d8b7bdbd6923390ecd1eeabb8f5e32c16f3dd6cd101479f80a0c4a165d
SHA51224bba2be038a15439c3122ce1957b9fbe94e966d5ed6d8e5a0d5ec50bb41abdd749abc187944a3096610a244c8efa9b400f71b31f64f57784cbbf757cd1741a9
-
C:\Users\Admin\AppData\Local\Temp\aIgUckQU.batFilesize
112B
MD5bae1095f340720d965898063fede1273
SHA1455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA5124e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024
-
C:\Users\Admin\AppData\Local\Temp\file.vbsFilesize
19B
MD54afb5c4527091738faf9cd4addf9d34e
SHA1170ba9d866894c1b109b62649b1893eb90350459
SHA25659d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA51216d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5
-
C:\Users\Admin\AppData\Local\Temp\tmp_2bb1b451.batFilesize
172B
MD5378c636ff05dd5820df7ae25e68487ea
SHA1af7825120a27e96477984eab3dcd4b1a8041969b
SHA256f2936dbd19ad18c46019ad5833899a46923f13f941ef566f9735359a3006378c
SHA51268b3eafc2001753bfb29e9415220a7d3c5d54a701faa27ade5bf53136ef3883956c3c183f8451dee9dad3d8cbe6271ea3a005762681e7b344f0746beb876ecd0
-
C:\Users\Admin\AppData\Local\Temp\tmp_41a07d34.batFilesize
172B
MD56f812a1b86bba617c87938391eabd0d7
SHA1aca0070981c4af7977124d30762e404b841ecfec
SHA2562b4079c258e2817371f41fde3f28ad451fec1c0acfed96eb5adf031bee21bf49
SHA512afdad7f28e15a2d132e473faad106a3906f26178bed47059c5a4521c9af12acbb33980c2670f40c80d98265f041c30c20af2e96c7a3b84402a08f86b6a5a5171
-
C:\Users\Admin\AppData\Local\Temp\tmp_f9e7deaf.batFilesize
172B
MD5bd836c4a5e5a67634d5d086e0bdc0a7a
SHA1655811d429cf1c9ae93152f3bdf58fc20d5974f7
SHA25651716fcf558cdc84f849abec55f6311bef0c420a9bd8f9bb32ca9fd4601ba75e
SHA5126fbb326807fa537d119b7fa9e56381635ff0cb4490ad90c0b6b18c7b55bc6c2c115090e89593517e12306e6ccaab92810ae08830c28134f811b61cf7a17e29e6
-
C:\Users\Admin\AppData\Local\Temp\tmp_fcb57942.batFilesize
172B
MD59b759394cc18762fe8cc51e5e8d9abfb
SHA1bc5cfad28aaa96181179e059a54da63c8c428c03
SHA256816f17e2939e3afa0e067c8aeaaa5e01c777fb77dc182acc9086deaeb4988cb6
SHA512800009dbfbfed989491c48d5c336396ffa305d93c4b51850445903645f814a42e0ac521b8dfb119338c53bcc43789e45acc085ad6f29923e9cc443c2c9948917
-
C:\Users\Admin\AppData\Roaming\Awzoe\andu.exe
Filesize: 67KB
MD5: 457a25b74a4c2568d794ac14fb121244
SHA1: 915cdf44b4a4f6a79c881b63e0ae28a88adafe35
SHA256: cf45f080697fe74ef6bff99f2ef9aef8eca14e3bd6886850f76564253d1bed40
SHA512: 6d34a02ee74598cbf48bdd84b190a01a0b546ece64661f407bfbb2b203d5f38170b14e81c574f3719710f15f1f9aac10edf8fdea65a73a1c3797d63f6135189e
-
C:\Users\Admin\AppData\Roaming\Mial\xyigo.exe
Filesize: 67KB
MD5: c8efaa6feb0bcdacdd8ecb335ead650c
SHA1: 178d74ab6ce5529c4aac3cd2051a7e9dce56ebd2
SHA256: 5d333636cb2414d6432396b073b2b026904f50b230be8fb8d8a80b62a4fc14c1
SHA512: 551fccfc1e58c8ed2788fda17c442cd4c18cdfbf0ed8d55a0b5d0e7630990031b1c1c01e8a98bac526ef4bf907c8e2a44860423d3c2407d0f579f60ad03e0920
-
C:\Users\Admin\AppData\Roaming\Windows\Error file remover 1.0.0.0\install\0A01606\Error file remover.msi
Filesize: 1010KB
MD5: 27bc9540828c59e1ca1997cf04f6c467
SHA1: bfa6d1ce9d4df8beba2bedf59f86a698de0215f3
SHA256: 05c18698c3dc3b2709afd3355ad5b91a60b2121a52e5fcc474e4e47fb8e95e2a
SHA512: a3ae822116cddb52d859de7ffc958541bb47c355a835c5129aade9cc0e5fba3ff25387061deb5b55b5694a535f09fe8669485282eb6e7c818cc7092eb3392848
-
C:\Users\Admin\AppData\Roaming\Windows\Error file remover 1.0.0.0\install\decoder.dll
Filesize: 126KB
MD5: 3531cf7755b16d38d5e9e3c43280e7d2
SHA1: 19981b17ae35b6e9a0007551e69d3e50aa1afffe
SHA256: 76133e832c15aa5cbc49fb3ba09e0b8dd467c307688be2c9e85e79d3bf62c089
SHA512: 7b053ba2cf92ef2431b98b2a06bd56340dad94de36d11e326a80cd61b9acb378ac644ac407cf970f4ef8333b8d3fb4ff40b18bb41ec5aee49d79a6a2adcf28fd
-
C:\Users\Admin\AppData\Roaming\Wugat\viwa.exe
Filesize: 67KB
MD5: 43ed5e98d14506027995f861648ed904
SHA1: 188dccd85de2bd6f16cd54b4423fe08601cc48cc
SHA256: e49d36a9cf6278acb39f770e3e1dfd400d3c237de411c3380c917a6a584d5976
SHA512: 3cc760e4e0ad35708c7d49c01dcd480a92f1b42948dda7d351979ced83901c96fd41f270bc0bb5a13f0614d3e0ace46c814d7c184f5c32e071171932e0318526
-
C:\Users\Admin\AppData\Roaming\Yvwiaw\efku.exe
Filesize: 67KB
MD5: 9b2151759f91ffe123ab5f512e225766
SHA1: 0b1fc3572449f960218d98f230674bc73cc32783
SHA256: ddca16a2adbb2e0894e37f3016cf97e79364ebc7b7e27e5e5046b4980c9005b1
SHA512: 5ce61ff7e9eee94a579d6580849e4a5f0458341f0861153c993c24793eb6481ef5553a94923e70f05acb88a705a24ea4d0e9d0d4d6c3384d00f60c1555ef8e19
-
C:\Users\Admin\Downloads\AAQi.exeFilesize
203KB
MD5f17de37a60d8c5249d28e3545dd8aca7
SHA1832d56b648eb9468fa8c5f775e72bbc6e81b62eb
SHA25657c0fa2adbe010942b25cd1067f3f01f88ffae69844aaa17a4017a87e0cfe57a
SHA51288c179efe7011f34df76594d7ccc034579f311a451bb8cebc9369d653d38a9b583f4dae6cd122ca09c357ef1ff477abe41078edf53769215e385b0f2c74c66c8
-
C:\Users\Admin\Downloads\AMAu.exeFilesize
204KB
MD5de75c9aec575fce1f0df237b48a1982c
SHA1924b76d38f965693f3fc064d2961273676b2269d
SHA256343d089d3366e030a119232e9fcac2ee6b92b54cc8c6d432b8e0c037b13747c6
SHA51295f660984b3581fcbf78f1ab72f689884233c5bfd57f6dca001f6be5d6a6f3dd45a746c1042febb5e8004088f61988d7c6f82505296c8df84ca6f982dfe9b55b
-
C:\Users\Admin\Downloads\CAQM.exeFilesize
269KB
MD599da581e44b2958ae4227aeb0494822a
SHA147ecbc3eef4f8994e08b23020ec6b8ff97d3e08c
SHA256aa9b6cdc1671f61eb323eb524e59a652274622e3cfc0cb5a8fefa69158fa3abc
SHA512c0756ec3512313ce8b2b76adca4eaa2040c7721a4b1bfd3b088f2c9399b3660572ab9a18c8d7306196bcbc030ce3c749cdac88c468c265d471c8f2cf76094a17
-
C:\Users\Admin\Downloads\CMAI.exeFilesize
194KB
MD5026455ee89da8af9a8c09286aa88802a
SHA12b2e8f71d12700e71ddb3b121f0ba4cf902ad768
SHA2560191d830b4cb0fe589494752b85cfba679e80873576a1bfe14e446ecc2dc967e
SHA512fe8e91157cab0efa19dc79dd760b88e6e1389954f14b5f9a4c76b76c886742fa8feaeb4dbf1edb387bfd3b20489fc3b9559974113e7dc36998d6fc518cfe1d27
-
C:\Users\Admin\Downloads\CUsU.exeFilesize
243KB
MD564bcc3f9493deab9933d1af0e260498c
SHA18a641c71510898a2e98aaeeecb49c2ea7300611f
SHA2565ba1fd07bafe03116722be4b2808d778f86eac3c0a305cb3478017eb36d79188
SHA512b7ab75ad0c0eca34e714ec44777385303b2cec59cc333a702619f9658ec8f6a7c529e7ab690191dfe30978faac8a99ebde1d6365d3d9f0a593f23044111b9b11
-
C:\Users\Admin\Downloads\CgAw.exeFilesize
249KB
MD5ad9aa2be3a4d44fdd29349e4049bf5d8
SHA15869629d147f5be4f020c25809a422044e32faa0
SHA256bb7b269dd6c00395f08bff0240c0892e240b710d46a3d5c3bd665d7630858d03
SHA51214abea0f1f8e0e69a07a55e28c76ac4d15ea80f426f0ab661f326d840a87450afe3af5c2f7108b0fc6994773e13cf31de934544a3ccfdf4204b04b3347f7b873
-
C:\Users\Admin\Downloads\CkAY.exeFilesize
313KB
MD56ba9cbc31cd65f9b8ddff6d3c9907ab6
SHA1af8975f03e68515f1cc13ba48caf87097bfc0084
SHA256da1b14f2a97743f948f5f183632947a06bc44dd4ae31f4bea4cd834cba0e0c4f
SHA512b80a4e40ddcd19a56d0f50a79faaf3dc284bc71f251bf664b6aa2fabcf3bea26f1ca69618da5d44a957e0192aea6baeb7ef351bc686cf324e0f87107d9404982
-
C:\Users\Admin\Downloads\Ckku.exeFilesize
183KB
MD52a4f70ed51906641d5dc1d74b9c6b381
SHA1db963120f74da38415dbaa9a1fcebe6066891e70
SHA25665c30861a236d186e7b44a383bd126d91ccf5b7bef7c523c9a83eee7f2ee5eed
SHA512775895e93b777203026dcbc6c07de237adb4bd220fa0bad5b3ed8fad4ee2ff805804d1ce3c7179109687a69f077470e2728de8869192e2083a318c6293637fbd
-
C:\Users\Admin\Downloads\CsUQ.exeFilesize
563KB
MD5ef0350a40436e67bba0501b55b7380ec
SHA165e4c8ae84adf6f302f110a399a69f89fcfbe6fd
SHA256c2c0e11f5903195a8be612b5362449d49a9051fdeb5bb0611ea9bea9a093e8f5
SHA5128093b363d04c611057ba8a07f451096aec2b560f194cf682ad50a620de72390335b29a4b41caba515a67032e1cc4076094e2e8361a5f4ad712a6d799485a4454
-
C:\Users\Admin\Downloads\Cwsq.exeFilesize
235KB
MD55c1c2c13bf8dc99e741c4cace481da7f
SHA1d2004022b70ff0c644b456a6c5d7e35b38aa3540
SHA2562f3a193955b7a6c464a0f79fc2e5792e806f67c84e805dc4aff1aabeb8d4f518
SHA51275dd01b9d44bdcd1121f58ea7032fa0195bef8e9ad6beb7fcb000aedcad80456b565a3b2d706ec29780864f07f52b8af392563941a8bda95f6ca17fa6496a5ec
-
C:\Users\Admin\Downloads\EEAU.exeFilesize
187KB
MD53dee186fb9a1dfbca083d98dbc9ac745
SHA1700dc784186e19957577833fa81a31a5e9aaf730
SHA25677064e948f9fb211dd9ecd1e4c379eee688fc0fb4d59be1ab017e8fea866f7c6
SHA5129b278d4bbf08e6740349cdaf1cdf46261968e41acfb3618b8347f2f474e37eb1f56a61011e9069bd7cf4bd02fc95932b0f240f37b29e0b9b1a3817ae444b746d
-
C:\Users\Admin\Downloads\EksS.exeFilesize
206KB
MD577eb2250b4dce2dc2fb7e0bdab97773e
SHA1d9ae6ffb12d28009816391ef874f5e57bebe3efa
SHA2567eb1a75605ce7b5396a80690d68be866fbeaa969b662a1a1344d79bdaab2ebe2
SHA512f2c05ef3a84d5d7b4763265e99245b0f270b9c5d20ee5a982b7a2fa4f6a17c7090831984cc1fcea89c2e2347e25ed14cf83b2c26583a9c909f6de0d1dec8f67f
-
C:\Users\Admin\Downloads\Eswo.exeFilesize
211KB
MD53d567d2346dff4c446fd5b1456101eaa
SHA1d2b8ba2cf53bd45a6a2375eb1572d35fa6cb2507
SHA256ef4cc4d6b55024fb1995fa0a32d384f1b089eaae4f49b854a368863e2d66b82a
SHA512b56fcebeef59ed67fbdadc661dc2b1e98be902af3ddd7611ace05732f9d6036cc2e7c46fb8b8b256be1e42ca4b7d19239f9d51a8a30bcce6ebed4bf621c31ac2
-
C:\Users\Admin\Downloads\GAUm.exeFilesize
196KB
MD54be9e53022ffcf7d34e87e80feaada8b
SHA1738b3362ebfdef55e39cd92cca0cdf75d3f36e0a
SHA256276aadca6b857f50a5dd99ddc6093a1e55164bef3c8a62f3b5f328c1fa969b71
SHA5127eca12be4417160014b166a8ba660895aea02952b2f5e3fc898ed85de5b32f495f6189ca892927d44e56510f7bbe51543863761aa348892d298d8aa1cad50917
-
C:\Users\Admin\Downloads\GMUu.exeFilesize
419KB
MD506b1e3fbff833ef0ac7b79fa30b5029b
SHA1cda5fb1cb1a4a3ca96825fc29d331adf54078a22
SHA25623ed28ac76e25f52332d125edebbbd60e0bfeb4523d6f5d07cfe9c7c2ed22bd5
SHA512739d1286923a9126591f9937df1d514f5f48e0cc1d78aa3a298ea2a2d1beff56e37d650f98b5e1e159c245b29443c03a19acf06025618046c91a43f0ff8a6209
-
C:\Users\Admin\Downloads\GQYI.exeFilesize
191KB
MD5c94b5319b95af0825bddd220809f7be9
SHA1d9f09feb199309a5db2dafbac0458c63d72c8b49
SHA2564146688b493bf805cdeb339f72a902465a0058c208276ef470acf6ab10685ccd
SHA512810962f666016a8c126209ac9b992f5c5b831f32d7fbb0b645644d2690632a2c0887a794f577ec2116f2204bd4c6c790d2f6dced72bbe696040ebb0bfac252c0
-
C:\Users\Admin\Downloads\Ggso.exeFilesize
748KB
MD57eeef15e9d663ec6864479033316cd03
SHA104cfd8dc3cdda324c23d723cc5ac1b6e6378b2c9
SHA256afc5564e5fa2266668d71b0bc1cd251f2a7a9602e1ae1f537c0104a3ef85f595
SHA5123f0c0c4d2442485b65c306cda919c44e537ba51618488170a0b0a1e9a8101a1d0449848ef4043af93be24dcf33b792bd0d494a6d078ec50f46bc64aa87c1fa86
-
C:\Users\Admin\Downloads\IggG.exeFilesize
347KB
MD52305320a5d731d64e123b2fd7b951450
SHA12d3b126f9cf0c95eae1ba31a5e76167d9e826514
SHA256a76a15d75e8db5b4a30e8315c1ed63fbbe4fbd946c34ed8a9acae2e7370e5126
SHA51266a4bf030df9a552f46b8a19827cbcdb9f4785278a0d0309ef6d03f2e95e1a8b58f8cf4869acd67e9f44008d632b4d7953f3cc43c834762570f03ca7270e1ba7
-
C:\Users\Admin\Downloads\Igwu.exeFilesize
199KB
MD5ead52db2232c32086a0c3410755d9394
SHA15df4c1d274177f90b31af77e3ff98e5e52ffccda
SHA25636c62cf2677929551afc1eeb2c778e04a82b75da09a7e00b7ae870f0b44b09f2
SHA512506be18b07e968d466fac29cc83bb2e5a8de37991d74f200298eacc467d01ef1984841bc404bfe333af06b8dce32b29469fbf54773ee53d5640c04f21b29ebcf
-
C:\Users\Admin\Downloads\IsQs.exeFilesize
189KB
MD5947becb262a893d9cac67d98d61c64cb
SHA1f97e0ae9f52a1fef70cc2678246d2de0263dd226
SHA25606e1a7c6ac30dafe785685f279883a04d93838f05f60a9e661c409469dda3914
SHA512742c9a8b14cba0a1f981ecb5f8e758bb77c8fcb33d207759153ad987a50169380859e5a190b1d84546037cc860f200fa1c4fe137e9651192cdee3117dca15997
-
C:\Users\Admin\Downloads\KMIe.exeFilesize
609KB
MD5b202eff7afcb62f6dbd2eeda372c3405
SHA1cadaea0c1025dc1466bb3dacd28a5840b39cd09e
SHA25691895df6789fc3a196d0cd2fb3b76b3023f843c17eb7629806c8c4f1e8c59a9b
SHA512d6eeb9037977cc2df1a5cc05521ce87b5f61a9d2097cc50d6a9252177c4cef3149dceed089723af07dabf4c3ea0c50159856358a541616bcd6d42bc927d7230f
-
C:\Users\Admin\Downloads\KYgg.icoFilesize
4KB
MD5ee421bd295eb1a0d8c54f8586ccb18fa
SHA1bc06850f3112289fce374241f7e9aff0a70ecb2f
SHA25657e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563
SHA512dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897
-
C:\Users\Admin\Downloads\MUUU.exeFilesize
826KB
MD5ea08e28a76bfbccbe0d49da674b586a6
SHA11beff1935d895c519d2aa8fce2791a2477d0b701
SHA256d8f882d8b868a25a496ac8c924591a4456f2cec5f417bc14f12bc43eea5936c0
SHA5121acf939b40e4a78396b0e0e3b26663a9360ea15379bb0209d6683bd5d78d56799159d5a0da23b826445412b9848f607057707918e2e661a0991703befe85ad8e
-
C:\Users\Admin\Downloads\MUYq.exeFilesize
5.9MB
MD556c7df9d6bf8d299c8281b66587778ab
SHA138a1e9860d1d19078285695a0429ef8dbc49c7f9
SHA256b8389b224f92a5fd84d865a46e638c42a9249e4ca54f3063c77b98eadb794151
SHA5129709851efca03240a3a831f24489060d9d8bc7979cc87cc4bad6fdbac8a5ac504d8e1733fcd3d0d1d3003133fe36d4b84d93531cdb987d400ece9cea8cf6d672
-
C:\Users\Admin\Downloads\MYEu.exeFilesize
832KB
MD5fbb61742b9b48813d9c511addf51d9d2
SHA199ca6a3bd72f3d6b2fd7d28e0ed99b4070432f08
SHA25627876e6657f38ca97c3719aabbc79722f0d734ace35e413c1947236495979450
SHA51209f59dba35d64b453c47d7cef9049c05171db067ff252260426279da631db05c1af5129878ee3e7d14817c73d785c73aba9b7b69198aba89ff54c4a6dacdc130
-
C:\Users\Admin\Downloads\MkIW.exeFilesize
228KB
MD5d10541e338e1c99cf594bb50d95d70b7
SHA1324ed611e4402c65bdd6d32e59065c468f489bc5
SHA256bbc94bd95eb27c93883efd9dd4aded4c4078a5ed21fae05667bd8242cea8a670
SHA512f33bac1ac46c4cf34e011bf98899e10bcd1025fc51558ea7ed4ff6e5906688dea8148c2977ef97fca7b4da36c1ffbfca5cd2500d1441ed80cc10d0959315d6b2
-
C:\Users\Admin\Downloads\MkgC.exeFilesize
630KB
MD5889eaca5173ca89c487ecb7bc4283465
SHA16e59b1771ce05a318ff1df7a09fc214c51ec58b0
SHA2564f86d3324f894d89e5757994e51d7cd77e0bfe1a39884ae4b5208c92d69b1b1f
SHA512fcd77f1e45a1f418ae2284ef90b0ff1a67028157a494489d9e961c44e287f12e5eda862e601e0f7025f5adf3ab9461953d00e0579378fc8da1eae1a712a2baa2
-
C:\Users\Admin\Downloads\Mkgm.icoFilesize
4KB
MD5383646cca62e4fe9e6ab638e6dea9b9e
SHA1b91b3cbb9bcf486bb7dc28dc89301464659bb95b
SHA2569a233711400b52fc399d16bb7e3937772c44d7841a24a685467e19dfa57769d5
SHA51203b41da2751fdefdf8eaced0bbb752b320ecbc5a6dbf69b9429f92031459390fe6d6dc4665eebe3ee36f9c448a4f582ac488571a21acc6bba82436d292f36ac5
-
C:\Users\Admin\Downloads\OYgS.exeFilesize
187KB
MD54ecc586b5894988cd757af38576dea5e
SHA19d4488a057af69051c6ef23f48cd86a4bd8fe133
SHA256aa6fd42d7919334cc9ba768a1652971a9357f6bb90e505b6b5dc6b6ca5054b38
SHA512e55578672e363a2534c9ecbf983e5db349f7e0423d7b24cfde08c243d43b764d7ba56d653b7a71f6586f57ba7c4612aefb8c1ba27f02012843bf73eb81a0f5a5
-
C:\Users\Admin\Downloads\OgcW.exeFilesize
638KB
MD5cf928a258c8e1d78a7dcbbde62321ba5
SHA15a126588ff4fb81085acfdadcf27bbf7371803c9
SHA256b4e81f072e28fd47f30c4aedf7da4f12d3f23740f38c2faad8ff24539b5dff66
SHA512121fa32abb1d503a9f7a1688842b139bb8a263a69b6974a2372a11ef2de91e80339d6e2f1781fa560402cd1f896ff7c7615dcf3cb9fce02b44f1a335ce941d1d
-
C:\Users\Admin\Downloads\Ogoo.exeFilesize
634KB
MD58a41fb170521c2a16743d094d2a050e7
SHA1bb83202fd9608149c3767fac43cffd466ff2341d
SHA2562466c2cb2c9d47c1d67e5ab07b7392fafefe0556d0ec0da14e436034c33edc28
SHA512f724bfa249949b763cf591f279a1063e6e0ef1f4fb49194d379518bddeb0b14fdcfbe135bc09774039b495b8efcba660a362ccb008eda0e6099d3a71b2dc65bb
-
C:\Users\Admin\Downloads\Okca.exeFilesize
778KB
MD5d654e36e48a6eebb40f6f0896e696790
SHA1cb3589839ae5b82c6f80ca17ee7bb326b6c6b8ff
SHA25602db30205b992650230deffd5b7d3ff07f26d119bd4c439faa7f3516ebee6389
SHA51272d16561406a0911ab486cf62882378d7e0fabaeea66649b4473c81d3685f32faa03232b9cc1a6ef78e5184f1e0587913dd54104adffd6a404ad64b27b0a93ee
-
C:\Users\Admin\Downloads\OsIq.exeFilesize
209KB
MD5bee4a76ee97b2360606c5ef29a6113b7
SHA120c90f31e8946dff087d46aaac96a77f4fcc9d3f
SHA25624ff8755b9bf1fa0b69206e8400a5824bafbb9ea57c32407916e709ccd8edda4
SHA512150f8967475b942ba255a23bef8db5ee0316fdbf695e429f381ca8841d47c844145121109b0cd444bc6abc8078f26c72d46620f94d51254027d172ae9deac061
-
C:\Users\Admin\Downloads\QYgg.exeFilesize
205KB
MD5055301218fdd050a73fb6e4fab6e304a
SHA13325055a4face05305ff43612a4812cb1aa5cacb
SHA256fd10680bd40332569b228ba5365e2de963abfb8fd1fed0641ac258aea6c0b82a
SHA51202748affa4a206c7fbcf0a8066568ae136097e043eba8c2d675e37de1cf7f50b90cc5b5a8a3389a5e5ce0cae406b4bfdfb6199ee181ba9e9301f214c45fe07d6
-
C:\Users\Admin\Downloads\QgAU.exeFilesize
579KB
MD51697cff4677b58c8080089bb93e95e26
SHA1bcc642f25497a9c4c346c2c21e4966c2051d039f
SHA256137126c8c5872006bc8a35e9653420d51de5251ff4821f48944d6b8c1d995431
SHA5127b464cecb69f374510df581f51586735ac3367ac4ceb15713b21bd0a1abd434cdbdcb0bd392230be703a34d70508890ebdbb7341a2071d6ce64b370c14031d3b
-
C:\Users\Admin\Downloads\Qkks.exeFilesize
769KB
MD58f08dddac56632a65b5f3da2971e2bb4
SHA1f7853e9fd4397c79f3ec443b9c039a24930a0ef7
SHA2565459893ef7323248cb18213b162682a8261deca7513f21358f06e523714ac765
SHA512e1c838e4cc774fb3ebdd987e93d93a3a9c71ef3f17b0e5798c1ea80e7f5eb8212e319dec5bf5278b3d3e45874c3221f86c49eaf89d41e2322fdaa740fed33ea9
-
C:\Users\Admin\Downloads\QsYa.exeFilesize
204KB
MD584d35a52c98d088dd417f5d45841b5f8
SHA18f107559f4e07c2d70fef135068fa13190a872db
SHA256933b15fdf382015793c4d81befd1b61a643fc5747f4ba223180a6120be5e157d
SHA512610ffa46d7729bf6d99f53f34d496dfec16648fe3dae0669a900049113d2dfaa2a8f3a8ecee4ec7c4fed9f38af3328bd37277faeca9cbc87bcc0587394c9c6b7
-
C:\Users\Admin\Downloads\SMkm.exeFilesize
207KB
MD5b7bc849acf691f9ccd99b1660941db7a
SHA1acddb09aa3ea467d6acae7ed9184f595de35ec30
SHA256ebf3e69497bd79b19f27f72f2281a6a376c2067fe8069364cab77136d74377f3
SHA512200d6944c5463e6b6fb270c00d27061e07b0154708965a9daa17808db1f4f8f5b9032115e9d8c70236393b3f293c3851303174130c6c6f4566bfa8fdc41dce57
-
C:\Users\Admin\Downloads\SQYe.exeFilesize
204KB
MD52c915895819f08531fdf9cd0700bb320
SHA14ddd2aee759003d004f896b95f44420e96d50182
SHA25613e86de45deac06bcb9ce295138e72fe0fe45bac20a063fc6dfbdd6f2f3f1aa3
SHA512edf8067584803ec736ded7d69d26fae9a1a582f0d4eef3de2518541f99c3fe10ca15691fdf1e1a98445b5ae204453fdcd44e0da710a2b1c63f5bd5f8c8f708ee
-
C:\Users\Admin\Downloads\SUEc.exeFilesize
203KB
MD54f28e047276a270e7e67fddad1a9b721
SHA19255bef0e5da203a4595ec8881007c541f1d1019
SHA256beccea3c57284584b0a923a4e23d37641abbabc0d61f15b71af014207b07c5fa
SHA512a11d92f2066f7b91541caeec5141df503433cd42c59327e0aaa985d6439bc0d83109abe5ac942743744c3f889571b7a7b6906307f315e55c346b33a2198c2344
-
C:\Users\Admin\Downloads\SgwA.exeFilesize
614KB
MD5bfd6ae8753f0123fe0181a66364de79f
SHA130cb554c8bc6e77bbae07467c41dea3ec907e48f
SHA256eb39a9779234480d57bf2b84337212d263fb5332fd1ff05b37475e81a002bf4a
SHA5122322e62da49af435bfd83fc6976fb123cc5c1488177fc77347bf3846cbac9219d3e7fbb3cad27dc02ca99287eff2bebe554d656c7ad4ec5314cf480c44daef27
-
C:\Users\Admin\Downloads\SoUu.exeFilesize
540KB
MD55ceab58a7cd0ed18929b7c3b78a80f15
SHA1f745d91ab772cca11aa954be5ca729e251cff352
SHA256293b4f4549be2bb59a3b363e36e1b5d95d32c330404fe9bf183e6554f7aa93b6
SHA51223d1639c85ba490c8632b286706813ebaab4ca16e46a6f1aa5eb4bec8ce71d7560d4a65f31347245ef1853bd8ae362ca6831effa136f653d6da379c0f2ac8857
-
C:\Users\Admin\Downloads\Socq.exeFilesize
437KB
MD5c5d033eeb3630bb9cbb7be199f2a4de6
SHA13133d23036614f31f1a40ec055c39065ed7ba3d5
SHA256cb8ce26077654056744d315877d9c26e6d71bcc338c1478f8d3e45d2e4fa0fed
SHA5127a9551eb58348d28c25ae221c98619a259fe0dfe6f5c2d2ba1ab0bca7aaba8257437dd95e5240d952c46c54ca5f03aa4ca05542d263f10a06fd96e3c4bd0328f
-
C:\Users\Admin\Downloads\UEwo.exeFilesize
196KB
MD580d7589a2a6ad895d5156420e1a6b7f4
SHA1de734c68af4ac71a48b78a8dfa9ae8adf375e526
SHA25642562ac6c1ad249d911d4bdfc4c4431637155d6a19aec867dc3b80ba1b71bc80
SHA51265ea6edce875b3d83add51585372eb81cec7d33eec6e5df46ce4fcc2b69fe39d719f4fc17195d2f01ddb0146221d1b3145915d76a54f8532d8587faf8304c4b0
-
C:\Users\Admin\Downloads\UMkk.icoFilesize
4KB
MD5ace522945d3d0ff3b6d96abef56e1427
SHA1d71140c9657fd1b0d6e4ab8484b6cfe544616201
SHA256daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd
SHA5128e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e
-
C:\Users\Admin\Downloads\Unconfirmed 365590.crdownloadFilesize
211KB
MD5a933a1a402775cfa94b6bee0963f4b46
SHA118aa7b02f933c753989ba3d16698a5ee3a4d9420
SHA256146581f0b3fbe00026ee3ebe68797b0e57f39d1d8aecc99fdc3290e9cfadc4fc
SHA512d83da3c97ffd78c42f49b7bfb50525e7c964004b4b7d9cba839c0d8bf3a5fe0424be3b3782e33c57debc6b13b5420a3fa096643c8b7376b3accfb1bc4e7d7368
-
C:\Users\Admin\Downloads\Unconfirmed 444495.crdownloadFilesize
194KB
MD58803d517ac24b157431d8a462302b400
SHA1b56afcad22e8cda4d0e2a98808b8e8c5a1059d4e
SHA256418395efd269bc6534e02c92cb2c568631ada6e54bc55ade4e4a5986605ff786
SHA51238fdfe0bc873e546b05a8680335526eec61ccc8cf3f37c60eee0bc83ec54570077f1dc1da26142488930eabcc21cb7a33c1b545a194cbfb4c87e430c4b2bfb50
-
C:\Users\Admin\Downloads\Unconfirmed 598467.crdownloadFilesize
2.4MB
MD5dbfbf254cfb84d991ac3860105d66fc6
SHA1893110d8c8451565caa591ddfccf92869f96c242
SHA25668b0e1932f3b4439865be848c2d592d5174dbdbaab8f66104a0e5b28c928ee0c
SHA5125e9ccdf52ebdb548c3fa22f22dd584e9a603ca1163a622db5707dbcc5d01e4835879dcfd28cb1589cbb25aed00f352f7a0a0962b1f38b68fc7d6693375e7666d
-
C:\Users\Admin\Downloads\Unconfirmed 785139.crdownloadFilesize
184KB
MD5c9c341eaf04c89933ed28cbc2739d325
SHA1c5b7d47aef3bd33a24293138fcba3a5ff286c2a8
SHA2561a0a2fd546e3c05e15b2db3b531cb8e8755641f5f1c17910ce2fb7bbce2a05b7
SHA5127cfa6ec0be0f5ae80404c6c709a6fd00ca10a18b6def5ca746611d0d32a9552f7961ab0ebf8a336b27f7058d700205be7fcc859a30d7d185aa9457267090f99b
-
C:\Users\Admin\Downloads\Unconfirmed 989410.crdownload
Filesize: 84KB
MD5: 9d15a3b314600b4c08682b0202700ee7
SHA1: 208e79cdb96328d5929248bb8a4dd622cf0684d1
SHA256: 3ab3833e31e4083026421c641304369acfd31b957b78af81f3c6ef4968ef0e15
SHA512: 9916397b782aaafa68eb6a781ea9a0db27f914035dd586142c818ccbd7e69036896767bedba97489d5100de262a554cf14bcdf4a24edda2c5d37217b265398d3
-
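C:\Users\Admin\Downloads\Unconfirmed 989410.crdownload:SmartScreen
(The path has the form file:stream, which is NTFS alternate-data-stream syntax. The hashes below are for the 7-byte stream named SmartScreen, not for the downloaded file itself.)
Filesize: 7B
MD5: 4047530ecbc0170039e76fe1657bdb01
SHA1: 32db7d5e662ebccdd1d71de285f907e3a1c68ac5
SHA256: 82254025d1b98d60044d3aeb7c56eed7c61c07c3e30534d6e05dab9d6c326750
SHA512: 8f002af3f4ed2b3dfb4ed8273318d160152da50ee4842c9f5d9915f50a3e643952494699c4258e6af993dc6e1695d0dc3db6d23f4d93c26b0bc6a20f4b4f336e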
-
C:\Users\Admin\Downloads\UooW.exeFilesize
199KB
MD53ea16f94ae8f026612cd7f4a1885b974
SHA15921eb7cbfbd1d2f0154d4a4996887f9cf7e7c2d
SHA25609859f205c04094371ae6eaeaaea39cefbd408110fa226c809b05bf456c9b12c
SHA512b30e0e71aa6318cf7338eb4c25d875f3851e1f0635e12e39ab82c96ada4e0a233eecedb1cb50a37e912e46174eb16ce2254eb9d012dedbd130dfe9adecdaa971
-
C:\Users\Admin\Downloads\Uowc.exeFilesize
658KB
MD5449a420ee584e07f950bb1853db2f9d3
SHA114df874fbcb8a0aca6248672712244f0308d2706
SHA256e4a09b8260d4ad8c0219e05375bad99e4b98bf95ab050f0f1a173dbf951845b4
SHA5120767fb0714e0eace8e1a02efe505449a57a2e0a34644b588aced23bb578ef234bd84c38bc0a2890198030978d7997819d3580b232b7b3092504eda9c7bcacd7a
-
C:\Users\Admin\Downloads\ViraLock
Filesize: 6KB
MD5: 76e08b93985d60b82ddb4a313733345c
SHA1: 273effbac9e1dc901a3f0ee43122d2bdb383adbf
SHA256: 4dc0a8afbf4dbb1a67b9292bb028b7f744f3029b0083c36307b1f84a00692a89
SHA512: 4226266b623d502f9b0901355ff388e1fc705e9baff0cbe49a52ef59578e1cc66f5026c030df4c8a8f5000b743523ccf18c533aee269b562d3017d14af014f9d
-
C:\Users\Admin\Downloads\WAIO.exeFilesize
5.9MB
MD54f7b6aea0cefa9368e9c46b7dbe4a5fc
SHA1bc11e8c0e08c1fdc705d6583d24159f95a87ef10
SHA256e183594816b62ae9bc7ba799b579f15162537c9ea1179250c7024407ea7bc107
SHA512d1c9ed45ac516df4c2f6ce2c1ac3d59bd06ae5df89b6280317edc9362f837dc7065626c783c175e59242dc19ea7bfde2039aec7130f59f28a00de2e320e92e75
-
C:\Users\Admin\Downloads\WAQk.exeFilesize
183KB
MD52b9912c3b594f1a9c1167799fc72dd66
SHA128f0d81469486d27a6988544b2b40dbfa1ddef4c
SHA256e9e56f0e6212f3e4e546afc31cc41c53b432d8b7855aafd3a698f536662a5bf9
SHA5125a2e36e71821129bcc6696544e66d39f9f6f9cc9008d56c27e9df2368147d4664f5b5cd62b027488e6298ea517033cdcb9e7bfdebb3e1a93ea788ee80951e9a7
-
C:\Users\Admin\Downloads\WMIi.exeFilesize
2.6MB
MD53a6dfe230cc53deae586d8862e1aa94e
SHA1abdb660e1a7bef09fcf6a276e7cacb0341b0b4cf
SHA2563ca7f19f02494cc187b8b2b704740485fa4096207a5df9cc53c6505053101946
SHA51215947f8b585f1e20bd2b828c3fd38a64e78961eacb0a6c97a28f94ba3a9c3504d8b8cc8fd4ae4e339274096736c7b1b26f5c5d7f89c1115b04db7a0288141945
-
C:\Users\Admin\Downloads\WYkK.exeFilesize
1.8MB
MD5e920324677e116cbe818a320a55db220
SHA1ae54ebd633464a1e6110f5a699716302a1cb826a
SHA2569a5625cdca844b2ba9351bd7200d8a10ab8182aed0e0a20970b4611bb523d2b0
SHA5120700072bd807f543aecef66ae054c120a8779de844052590a0a2bdae5cd093e7cb08fb383c814f1bc8cde4d25c010ae22b5e98bc0a702877050ead479f50cf42
-
C:\Users\Admin\Downloads\Wccu.exeFilesize
193KB
MD5044001594171468126dc33a8c7e6fd54
SHA14e0abafde8d6614ca77962d486a1a08c9dac7359
SHA256c0f0443859f1a354008f4de642d3a55429956bf56e981941c9d5d718f9e314bd
SHA512bcc3e55ee4e2bc3581b941a4c170077bef6798576016f5512883bf62791cb8cf08a6e7f94d9aae26e9ea28ab48f6aff1670247c44f9da575a10f21d93c24abe4
-
C:\Users\Admin\Downloads\aUQM.exeFilesize
196KB
MD53ab734ef823606326115ae62b6d8edb8
SHA1533783164079695d001a234b949f6960921b9c2c
SHA2567361050261eec0bb9e8112aea82b413d343eede39fc30c3b0b1b4fd4b605bfeb
SHA51213ca625f595500044581d4692e89dcf2baf89f9dba8148e91ad947cf510a0fe359e309c14ef2002997624d2fc51de5792c088c212f71f6dc174556731c8e0aee
-
C:\Users\Admin\Downloads\acIw.exeFilesize
228KB
MD5bfece13594b3b072285c753ba8d16b29
SHA19acc79e031983e04ce0d1b25de656f656e21bd4d
SHA256e171cec0723b77e473840703ff103a5cc72ea4e3cf22e4760eb7aa720c6c2f18
SHA512a7bb721d4452647bc7f56e2d3bf56897010130111ff76201c0bc561d8528471834a8779711719ef99032fa72817a100adf9da3a560d48f355bdc6f938178c4f4
-
C:\Users\Admin\Downloads\agQk.exeFilesize
638KB
MD5ed617738cadc9d27286d61a56c5ff59f
SHA1d741c42697b2ffe5c7a0964c77bc4c703218b8b1
SHA256cdc252f499d7e66153ab506c813a81f72760e72044012e6ec1bd08eefe262a72
SHA512be3f488225b2ed0f1e34868ed57ffe411390ed80536b4001fe20ba32ea591c89be41a0ebf64996af0757a154797ea7b0a896aa4eab286a43d462f13acab4fbab
-
C:\Users\Admin\Downloads\asIm.exeFilesize
576KB
MD5db020a98a21e3407e0563dcc70288bc7
SHA11c2e86b8808c258af3d0f6dc126db03a0017bf01
SHA256754e8e0989410aa7d3bc8ae49607e65ce5ebce80513aa8aeeb230e8bbb6d08db
SHA5121f786ead3281fc89911736bfe525900ef60c9c3c12d04f60f4dbf9ea4be07207a97eb31da9cc797aa37fce48445ed7bfa825e9ec1e25bb47e313ebd8ca50a2a3
-
C:\Users\Admin\Downloads\cAUA.exeFilesize
703KB
MD5afcc7894c24a5e19732bc8c4e7fc2379
SHA1fe0d2d3bf579caebeb26efbe2c76ddf913725c77
SHA25658d81c3e0f6301e7c694f170f016fd23d309958f15f13f08d96ddc15f7ade6c2
SHA512d867cc5d6c06a113bb4e685d846fef76dd139ab47ede0f02dc53cd1e270e0a5c2ea794fd79163537a02ab897de2b2a3cc4be286a32f6274813544455fe396235
-
C:\Users\Admin\Downloads\cIgy.exeFilesize
598KB
MD57cfc1b663d8bc6cf63ed7ba4e44382f6
SHA167b5c74f40f7fc3b1b11e60f1b97aa4871c2764f
SHA256199efe94abee544096c2849c9767bcac2d4067f3a54d0ac14eab381185975204
SHA512b12c0ff6aa0cb4a482e23ad78992a766ee124cfd22c8d5426f3d6f5663ce6cd30346294aac8ba9c3451231ab392c1880dbd45d05e9fa0b227e33a2911870e8b3
-
C:\Users\Admin\Downloads\cMwC.exeFilesize
199KB
MD50b9a5908ac11c89fdb165865a0b986d8
SHA12278cf2f0ee6b719a606e0750d118fc22b39a230
SHA2560d7d6e77300a418dcaca46a97f960cc206ac67d57be1d226bc5f67779766ef89
SHA51244a340e6e9aa0f26e312fe2116d10ba28e58010be6d54577e13bc23829d5b2428ae8d842afd984a9813b9c20b233dbd995c28956a2729594345166f1a6d2795e
-
C:\Users\Admin\Downloads\cYcC.exeFilesize
208KB
MD5713da8ff672527ef70a65e13afec3f95
SHA15176493050828390c557eab57a090681905b2ecd
SHA256a4d3ec965b484b5737cbc81b82223333b40441535028571ddaadd93064a80b61
SHA5123b8d28bb21ea23218a7cce87a6c4cc4bfe5fab3e0abc29aefef2e832c80d83048df7131df47d84a41c7ec64324c306b5dd5cba320e1852b2a6f1000d75163c1d
-
C:\Users\Admin\Downloads\ccEG.exeFilesize
569KB
MD5bfda78158899a9dcf41c5937107f81b1
SHA1b49a4c84b85d4f4b0c2cb373e80e271d5a6d3b1c
SHA256253caf81d8edaca9ec7e59227bf67686daee1308537e8447694da8a411c2adeb
SHA512d70515974c927901cca0f9fae731b2077374e8d33dad15ff19dee35415e67b40103c40b9337313bdbfc58f5b8e65d1cd6fa0930627f1d4f476d89ad0aa251b6d
-
C:\Users\Admin\Downloads\cgMC.exeFilesize
205KB
MD557c81c0f5b2d9723484d265c024e08a8
SHA1be01799038cb7f3cb8363f4a8968bc31ddfb89fc
SHA25668e3f372adea2637397b0429c960a061c822cff91aaf3ff1d6fe4ad5dca45567
SHA51235b112f95391f0cbf6fdcc67541614393603828a3605743213354e73363f2dc6c53493ab06b2ca90e5ba6cd45c1d9cd9c1e6682dba394b12a04c1b348d9b96b1
-
C:\Users\Admin\Downloads\cgUs.exeFilesize
202KB
MD5d067392bdae346a55d774c1552fdf9e1
SHA1582e6d3d71ff97a10549a5bbb03f4b22709ddc5e
SHA2564dbe571a69db05a234cd6384073f3958acf88f5622639548580bb6de18bc3aa2
SHA5124a2fdb1da23f482d5659ae2cc74717068fdef56eff5651ffb50fb4b1eef347d36620a3906c637191484e22f80a1d691cf6f91f6a0b37c42dd7386743834d2ed0
-
C:\Users\Admin\Downloads\eQUK.exeFilesize
195KB
MD59936965f87e75110e4d7b4abe4c37a9b
SHA1142b5848f17c1656737e8cd955b1dbd287bbb59e
SHA2569db2557ebee01b64d610f5f8746a3b391373dd3db25308d88047d0d13811ce50
SHA5129ff1fdac50f68acd0c27bad1340e63879530270eb0eac41cb3a95eb5db3c5e84fc2a1db7cc86b2d678a1328364c50a99a1c150487a6feda0a485ae05a611cdd3
-
C:\Users\Admin\Downloads\eYYK.exeFilesize
218KB
MD522edfc99e387a2d9ac63dc6acc064c69
SHA1c7a9ca60cba25baaa4c984e7ed4511e404709bba
SHA256c71296d2d9b1fa0f07178632c856c6b777ad77e3e9c4cd62481bb5720e36acf5
SHA5127bae63f1bae49797e2152155b65bd7a833ce8196e426b245d8cf4a79102780a5dce99f514dc05663fdb8a8d8abc0de2a6b9fd6fa20ee51df14807ae8f5a66bce
-
C:\Users\Admin\Downloads\egoS.exeFilesize
645KB
MD50302f7361eb62c4a52dcb40cb972de12
SHA186e1b45926686fa70c2121ed8fc3e522162f975b
SHA256185017d03e6b5d5aa93ac9a168668d094f2cf5b60512eca54c22201ff64d7780
SHA512844cca1af4c34c99f2523b924437f3c9ad3f7b64b8faa5bd8971b1b796385844e820c18bbc96b9791e708d5b823b539370b1f6ae4fb2f4f9c809d10c71afb9a3
-
C:\Users\Admin\Downloads\ekoA.icoFilesize
4KB
MD5f31b7f660ecbc5e170657187cedd7942
SHA142f5efe966968c2b1f92fadd7c85863956014fb4
SHA256684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6
SHA51262787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462
-
C:\Users\Admin\Downloads\eswk.exeFilesize
193KB
MD5ce4ca69112cacd4676e7b3360bc2e698
SHA10fc9e953dafe5e7cc20579767a30588e1e8312b8
SHA2567bef15e76b18ae76fe0614bf9f6478bb2d72d7fd42a56ec0d8aaa6f311154450
SHA512758b5e0f47b384e105b57fa180fc1f0934b7a46b9ae301226bfe350e61e9c0b7e750ae0c73947aa20c58abfa281b251d29c7a08665f2f5abf7c865a474e8e2aa
-
C:\Users\Admin\Downloads\ewoM.exeFilesize
200KB
MD5dd5790dc41df544a17b4cf233aeb66c2
SHA15dff8f8913427c7c26548c2da4eb6e17ba932033
SHA256a58e0b600dfc2c732daacc0a7226b81a377390e5da4d0da97c61f54054f539f5
SHA5124d4d7a7275356c0078223213320f25f746d9a7b80332893d68325bc369fc7ce0549dfcfd76549aad3951567ad12a981d706d800dee1bdd60f8b6d48b207bd98b
-
C:\Users\Admin\Downloads\gAgI.exeFilesize
225KB
MD527a572b4fc7ed757ec9a25c77e02ee1f
SHA1dfb5ed82d649c1c53afd82383e4f26f860584408
SHA256f5c173afa44a6bbbcd7d72d317dbc16c248f8d45f5c487916372fa0226d205b4
SHA512860fdc565d13436b9d932b4286d49fa0ec75c91e3e7017789a75f34db4f6bdd8ba1aa23170a3818344e4119a205a5b51b4014f9f18e9000397dfe5c1e5a2c5e9
-
C:\Users\Admin\Downloads\gAsc.exeFilesize
189KB
MD5f3318750898b3c5f774e41ca7874d03d
SHA169a730e87727cad268b86511b332c5a78cfac3bf
SHA256587930fc1b1669a4382d20fe3b142049d7d85559d32f5965d60579880bd90a61
SHA512d1ce83b5623009021309c1afccc6be65de77fa48597c1693bcea1190fa6e47faa28b40186cb4ebe8065947afef8340be594d6c16f9ea5b62aaee7661d5de6ed0
-
C:\Users\Admin\Downloads\gIUm.exeFilesize
193KB
MD514ccca467f29a2985c3b74b5ac6da3ad
SHA1f0913626c131cf46e48fe3f5f3e9ec1013f7f66d
SHA256f9cea26eeb9b0632009c6581eb9417e7eed0285885644026f6a73c060f86b095
SHA5125a59256d81994bf295c48a446fa570e5156910eb9ae46015545116c179e091394bdc93282485630f447dd376dec7858eae2d68c5e4101862eb50b7849d8a75e3
-
C:\Users\Admin\Downloads\gggQ.exeFilesize
809KB
MD58ef820ac9f8e469391f5af70894fe5ce
SHA142518167f3ce5543d1d8392909d164bfb2cb1023
SHA256f55fbf1ef5b08e77603cad048df81f1f063635627cb3eda0f824b234ff0bb3fb
SHA5124f86c40fbaa57a80486f63f5022e9318ba0bec93b45fae3c4199684eba6f130f263a902becd17da5f61b86e4214a0bdfb15f48e7b7e15a0d2941c9fd3d4ede7e
-
C:\Users\Admin\Downloads\goYE.exeFilesize
187KB
MD5ed319407ba8abae4a34431db3da1eabe
SHA1724052be67d94f19d6bec2843df684eaa815eb1b
SHA25617cadae0ae2c75efd6aec1628c48cc467cb945033a436ca87937285ec01a137b
SHA512a17bc5b453be74b819a03410eb25d5a83c597b0a88d060fb7945b7db71f8138f133a783b818feb319a47ead1138a40d4bbae2b01d8c311fb73c21d57f4c84b51
-
C:\Users\Admin\Downloads\gwAq.exeFilesize
187KB
MD50e13373d68b2440e20b23f1d03410680
SHA130b991f2173355468af9b09fcb702b425a94d924
SHA256801ef6d36f14a4228e499572f711b12a8f00e0e6389e611cc0f3526e71228bff
SHA512e0c0f1a48ef0ff16079e077edbc2284f516ea5d113e793d541dd4469b30ab010708defda3bbcb49c58dc5f74787eced305eeccf89111b9feb374530dfa4c01f6
-
C:\Users\Admin\Downloads\gwIO.exeFilesize
204KB
MD561c982db4a386fbc09ce849a33840478
SHA15153c12e8eb6a1304a9b07cf9862cd6adfd18c5a
SHA256eda5199c9f91a64b31ceb4d68741b7a0b79aa33c7a814285b630a31b70d82dcf
SHA51229d8e099b1493ed191a05f957ad2c1096431d3a9799263ef4d96a62fd09f8f32102c4b501c0b0c39057c0925fb66167e454379d812a4d3dc66d9a4dbf10271dc
-
C:\Users\Admin\Downloads\iAEE.exeFilesize
203KB
MD5e8088d7d0d6be46ab998ddaf42877bf6
SHA1eaab70d2f836d5d78778d64c0d14f826712d1f18
SHA256cb8f52be9151524bc21aec2b76b03216a20feac953087004baf4a0e41bc113b1
SHA512b2bf094284ef929cfb6f8e6ff3417d0d2641f7143ef3e30635825f615b81ca9ffbb59cfb631bba14f745d061fbe77ad7377e64f8c8651397c51f971f99289940
-
C:\Users\Admin\Downloads\iIEQ.exeFilesize
213KB
MD5044abc7758c203bb30431730f8622de8
SHA1ecd01fa41a19535fcd0d81db27a3a98de766becf
SHA25615b37f1670ef2a4d33ba41eba33c019e3abeee53a95979cf2460e274332a12f9
SHA5122a20417ce665f74450d83b0fa84bc11d34d3884abfce6a9623f66730b0e1e4b8ed432018b3dc48470e9f08f05a85221ec298f5b2cd837e7fcc8728dc5e015354
-
C:\Users\Admin\Downloads\iMIy.exeFilesize
205KB
MD5c1c26a3c01729f9799df8473a4d2e176
SHA1f55ace29bcc940854e9f6d4489453fdd8b2894a9
SHA256683173791a0f834e32af08d9633b881760f99c0434518d69aae49a97b8612179
SHA51288e77152df3fe1af52b4d425d4f20515b47448dc9798eef5c6b1cdce1c82a19b3739c861501f13922b3dbdc431810bb3638e90f7d7d950ff489d8da42b6e0b95
-
C:\Users\Admin\Downloads\iMYE.exeFilesize
636KB
MD5ed6d7212791e93598ea20627f3906c5f
SHA171fdc126e1d0699300c1cb590a6edcccb85d46b2
SHA256dc098d7986ae035c09e46d75d500f892c22e41d6fe0acc8b41cebe48403c28bb
SHA5121bffa292cff081c72073c614a7609b985f2e6ad7365efd61fa4859995e92a0de32de4d7ce282198d36e7e7984b3f5f20e4d7385079a2a19e3c4a8eb71ab7952b
-
C:\Users\Admin\Downloads\ikYQ.exeFilesize
540KB
MD59dae95d2baca517dc2c1e20bf0ca701b
SHA19a116f2c889d246d441e741e9a4d77b8466f5c8f
SHA256128e1ab7eb47b56240f69e7db407d93bea5453cd4940a4fb8efac720e0c007f7
SHA5127df1ec072e21d361afca10967eef439a2cfa05f3891598e1bcc2466d2450c01c649d3d21b683b519175a92259392bc319d39f1408c2e5b9cda14de9e57d611dc
-
C:\Users\Admin\Downloads\kAgK.exeFilesize
200KB
MD52cc9a8647f609b94e3d09bd1e283194a
SHA1e5423794a5462655b0986428592c52fef188c285
SHA256684002bc32ac650d1a8a3cde3d1623646c61c61084d43f2be513935dc56467ed
SHA512e4c1499de713ce948ec61aa5bebd68e6882785d0a0a2f54db61eb38e6f7af8ec33c29ea1e32c8b05f1831e4cee7da417a613f8435596fbee6537d06f46422ed7
-
C:\Users\Admin\Downloads\kcgU.exeFilesize
195KB
MD5cb3fbce4d3063ae3f6a8ef663777e0a2
SHA1a9f3c5c4f38155331eae79262d9833cde7e2fe26
SHA2569eceb73087213caa6516fd4aea646109963a37e9f6169304bddc8c7c4c0f3ce6
SHA512b9d0c3f52c1a1c3fc7efb7b9676a64dcb612265dedd86d611a93f5cad736d4325d2fa0a0834337c93a328f052af4b20b5ed805ece9d721115da684d26700c5ca
-
C:\Users\Admin\Downloads\mAko.exeFilesize
1.1MB
MD518b701eb3b0d05a7f9cdedf845fd1e6a
SHA15660b782ab02443758c8edc6edfdb0bb2bbcaa70
SHA25607b1248972cdacd9f2673b7225fd34666272625af64290a50e3315e16f1881bb
SHA5122e5fc41455e47c574da189567373310496f8e3758048949b0f68f63578de3790ccf38729fc6c700ce0a78daaf955e3d615d45ebce521b1e10bdf1b44e61afa6a
-
C:\Users\Admin\Downloads\mQoA.exeFilesize
189KB
MD50f86d3606dec382a2144dc3a364a34bb
SHA14ce55766fe609189d1db1b38a325e1cfc20e65ed
SHA256de80d087225348dd3ccf7bd643a469c7efe011626a6966c736c1ae843228ca42
SHA51287f839db9be9b3031c79d35238d697cf9d0cada33bdf87bec92c2371b04f71fca727cf0edd238238b89348d19f30de514cca3352dd54008b13c4b42c922767a0
-
C:\Users\Admin\Downloads\mcIm.exeFilesize
806KB
MD574c628c60ee3e90832548680f9493055
SHA1005e12d68344445d6b2a0d97da6a94fe436a33f8
SHA256aeace64d9f2c25f7f15b252bad0aa4027b42d513c0bd8883307c0c023bc81f85
SHA512c3723107bfd75d202fcb9bdb51d3370a3e8354ea3a16ce0c2525fdbe1a00bee0568effcc0d612ffbe44dc700a9d9dff6cb7585207b2b1cab6a3f3f3cac0b71de
-
C:\Users\Admin\Downloads\mkUO.exeFilesize
180KB
MD5886421ab0d09c6708bf4176bc0bde4a2
SHA150e6b82e4396ba94920dd243d50f8485a9a5a040
SHA256d164b54adbd4cda5dccc76e94221fdc7f36af93779dee1f2ac8b2ccead8335e1
SHA512f8d88d3f46e8343044feea9a47c4ff446981372d8d817a31694f6c2f14a1379d9f2a4394041214509a155aaace4f293e1f26932e89f4a0b5eabbd15f50f662ad
-
C:\Users\Admin\Downloads\mwgm.exeFilesize
196KB
MD5a79b1c07d39aeac7a26bfb3184cb093d
SHA132128aa761586a0f08abaf387bcfff4da3a0c4fd
SHA25624ff98f98fb50ed16e7b5bcd3614efeeee82119c1bd5bfe35bd32a08ac6f3a9a
SHA5126b5264608a3c802157e92a26d2777f73de7d0ba1bf7c704bce0c234e2f24891a1f07c160bf7864aef1d0cc5ff11d5f21aecbbbd711bbe0291655fb9e54bd07c4
-
C:\Users\Admin\Downloads\oUIM.exeFilesize
190KB
MD5e58c23d0dbffc6af7c2b2d85feffc1ff
SHA1216dce97eea50b2eed28a791a892f7a1cb5a24c7
SHA256280ba2ff74a724656c4dc78a38dddabada876717bd41f9ed2eec94aa82ef7c08
SHA512e626e6446e22a329830f1343de4485b0a10942e93e4d6094c844c2d070f17ac865ad2e4db8a41680ad7b0cac764abd9ca93d149d66ab4c45d9b81721f7705a78
-
C:\Users\Admin\Downloads\oYoI.exeFilesize
196KB
MD52330953eef48563c9b784f85d5f186df
SHA121f2a78ea3fa05052d089b677c753d5e3c4ef4a4
SHA256fd883437d23cec919a6b191d820d0f1962f131aaee0afddf9163542a7010a855
SHA512e8b359e49884341ddc81274c9104c2475ffeb9d9e86f48cdd06a66e5ed069136d75491be655a656e781c0acbe6f65106cfc334b9eb53264207863671dd202d67
-
C:\Users\Admin\Downloads\ocII.exeFilesize
203KB
MD58e728103a6e9d6e9171f213aa1191e6e
SHA1274ae437c69dfe5511a9683b3456e4cecfa0ee47
SHA256b22a82d1991800d3c84e7c9d0c9ca455eb4bd62a1701876f472311760be05538
SHA512be5b9695174112c35b2258aa3817d035a6633192afb0df36d9548984b0f1a290779afc9f5152aa707b3c3dbc7966eedd3747bd3d4be94d52632328b161e8d6b1
-
C:\Users\Admin\Downloads\okku.exeFilesize
693KB
MD55d6902a70127d59a1805bf3173dea9c9
SHA18df75a1e2fb4edc24d648625fbf697f08b0377a3
SHA2563e1e0c56d7d31abad92800e8db1e8e9a7efd6d01e06b4113300139ad4555a6e9
SHA5124acc09fc7d94ac437e39ffb53cf3326827f986a014801b72cfa69436cb2493f9ad5c7d313181e004414b151d98b48a1e5d0ad734ac621594bcf4d79be7ebc4fb
-
C:\Users\Admin\Downloads\oosA.exeFilesize
652KB
MD588fbed3b800657ae2ebf755902bfd462
SHA16aaa13aa5a37310d8bad8c9e853c2c599ca14d27
SHA256a4a76d120154cf4dc81c2be59733fc77266d2471b256ec6446d65e817688e8c0
SHA5124c4f958e109f371c126a9b14c9cdb20aac21aab5c1cf8a38e76ffd747a78eca2f60f715d014064d1c107ac9a654f80476c45291dfccfaad209bf8dcc131913cc
-
C:\Users\Admin\Downloads\qgsI.exeFilesize
228KB
MD57dfc7540b17d51028a75d81158724c80
SHA1008b6082e7d7f1f96b1ccaac22d51ddfd92a374a
SHA256bacc4274e447d7190a565c71e8190f7d185df8344eadfe04df28d6dc8fbe90d8
SHA5120995b953a3d403c62e97873d08e820fa2038416b52791de1aa1dda4dc1b68db4fbaa24a02ae969fd5f9a61b3bd4f036294d8b1df626922f19332171fe52c4fc3
-
C:\Users\Admin\Downloads\qwMC.exeFilesize
806KB
MD5b40a758d7fac055c9d50827d6ca53306
SHA1be1bac91308caebed9010e38e93c826a3d5002a4
SHA2569f891bd09c1d1ba8658af75b79cb7cfab4cb20f8d7ea4a39d32b1efd57a28955
SHA512f9c1294daa51f67d863f2ac678c8bf90a454bab441f05640b726913165c42aa6e2fd523da8ab945c2ed8087497586d390d01084905ae0a8cc1541c7aad9874bf
-
C:\Users\Admin\Downloads\sEog.exeFilesize
396KB
MD5b1d6026bc9807b80d01494b1a5fcf4e9
SHA1890aaff9765e160c94df83111fecfc8b47487c44
SHA256f8eca1b8b63b1388d7c846143a5c932fe747c9f6fcd5190f9d185b8a37f43a0a
SHA512680301401ec96d160a3f013aa8be52f419085f356480fe9b9894d0fe8cd43754fd15d97e2a923bb47cd60cd89efb09e53592358d8aa61d1c76811aad62b6eb81
-
C:\Users\Admin\Downloads\sIAC.exeFilesize
192KB
MD5d45daf7ae4d3cc8fa7a60b056f28f3b5
SHA1db07e022f5807671a61e3531a5aed61e14e3b931
SHA256211eb4a4413a72961212ba0bd349dd1307c8f810064d96d6b2b5a4bb72c6ec58
SHA512388e90f13a02318ac565959a9126de16e7765c3da485dd251b8b1f61cee9b4ab0d2b5c9c144869083121488d149d24993a6349da253c04aed6e6829a2c3ff53a
-
C:\Users\Admin\Downloads\uMYy.exeFilesize
847KB
MD51ca15098737d650872063279f881469b
SHA127ad31c304a335b5c4318c6e2ecd8a136326b689
SHA2562e549f4ecc2139d60e89b33e9010addcf9ae57c6ab3f1a9408d4e4e58cfff335
SHA5122467e61b49344810277c777c445b0a563b6131e9566f68d1efb6e34457c11689393d2aef31777ef08fd210974714dc3c6174d192d876f6d28c73e661c0e4d1ed
-
C:\Users\Admin\Downloads\uUcI.exeFilesize
198KB
MD510302aa6f69112df23e07c2ba4ec54e5
SHA1950fd1304707e1fe9c7988971ebf5bc515027d2a
SHA2565d158c5b9f7fe36b09ed28553938e6cc7179d76503e474c59143759541be8310
SHA512e521a6be87ad2ecc7ade04b86bebfc1586eec1f51d1a58f374a7e76b35cecf25680e481bbc5e9d521e1b176bef85f1f8a016400ec4718e0877f1780934cdbe87
-
C:\Users\Admin\Downloads\uUcu.icoFilesize
4KB
MD5ac4b56cc5c5e71c3bb226181418fd891
SHA1e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998
-
C:\Users\Admin\Downloads\uwYU.exeFilesize
329KB
MD5d029c694cba9971284fd75bc598550d5
SHA1ccbdd83231864ec1225e8eaed31729f3bef21da7
SHA256de363f9c711e24f2d202006ec28583798c831836e9b8c0d1bae2abff2d428242
SHA5129f53cdfe29c26b98ee182207ad299ff5a4661b2ca92900eecc3f28c12a8ef22fbfc6948f6c7e7e1b19ff4e00a934664dfea8022e5048a37646f871303abc9b72
-
C:\Users\Admin\Downloads\wEUC.exeFilesize
797KB
MD5a3efa3e0133349bb0956170cd596ef74
SHA1ee9957d3928991c4c5a3c0669810bd8aaf79a4de
SHA256966cfd36a5f373858e7cf92d5200fbaf4e7d78fe5222189b1ca33ea28565ee54
SHA512210b246bfa330db72eafa7f9ea102fc630a35e6974f2eb3f76962ffe46204770649a88612ac6cbf3e2063cd174b62d6ce0f3e4e62eba67cf14eabd1db4303aad
-
C:\Users\Admin\Downloads\wMoK.exeFilesize
632KB
MD5ff4c7c5874cfbf478a69d564cd015b02
SHA1705034dc0ec9abb7205fcae0bc404ec8342198b4
SHA2565ce94788cf3d530e6bea65ecf3d07781a8618b033cdabe27457142999060ee50
SHA512698ed5bd20f7314ac0dbc3ecf12394c1135d92bb28589d3b36c0f69763101a78232eb0777d06220901dda9b4d6acf03c6e04c1e853654e1fa9f62e6dc05af67d
-
C:\Users\Admin\Downloads\wQAM.exeFilesize
222KB
MD5c1702974f50910dd791b9472efffb7ee
SHA118c0e79ef08991df31c61ceb9a011e81acc78b95
SHA25614c694c8ca783bc56c8668912c296a1ff73e2eece83f9d7ae6b7e72c3e70eb8f
SHA5122fb5247cf76d5ec56d3a8d38f543ae600cb19fd604419b48c5102925c6ae1a755c7380efffaee717960b4ba5d2c562231dd854c6417b9d5f135f56f2264190ed
-
C:\Users\Admin\Downloads\wQkA.exeFilesize
187KB
MD50c419f3c6e66c05222e9a4fbf7f0c026
SHA1bb884a02531e8ae07bdb6b6bae0f6f88598907ec
SHA256701fe03fdf04a80a5c76b72dddd059231c4394a5afd54e41097aedf5272c04ba
SHA512be91b0be6ece2350d43839dcd574d9c15ec83ecae6de253e28251b9a2b31b53a1c6f62ba79757d38285b0e556d6e362aaba2a02bf0d248fc69013286737a47f2
-
C:\Users\Admin\Downloads\wUsC.icoFilesize
4KB
MD57ebb1c3b3f5ee39434e36aeb4c07ee8b
SHA17b4e7562e3a12b37862e0d5ecf94581ec130658f
SHA256be3e79875f3e84bab8ed51f6028b198f5e8472c60dcedf757af2e1bdf2aa5742
SHA5122f69ae3d746a4ae770c5dd1722fba7c3f88a799cc005dd86990fd1b2238896ac2f5c06e02bd23304c31e54309183c2a7cb5cbab4b51890ab1cefee5d13556af6
-
C:\Users\Admin\Downloads\wsAq.exeFilesize
456KB
MD5e85d984a8bd8c291cdc86e5f67648921
SHA1052b3d1035105351dc79fc0918c033fdb11feabf
SHA25658fc639bfa2462327bb2ede621523c4fec6b406e50499e61e5baa3947ea461c5
SHA51270645453cf6d349a8741baf77a610654ea8609c9ee67d1b7d01ee58e55c9cd6b4360dcc013052cd22b6f1bf1d851dffd9a6a6100bd3d11160f5a76bbe192a8e2
-
C:\Users\Admin\Downloads\wsgY.exeFilesize
208KB
MD57571d6882c51a355d125f032c9418cab
SHA10c65fbfd172d9de07a268006926154170e4e3bf2
SHA2564467518955ecc78adbc1b33d16307ffb5b7611a71b2abb64da7b9cc5301ff4cc
SHA512d4f4bcc5f6e41aeffa882b6ce3b737cda5c0f230cfbc4bdb2a39e486a1e2a5e6e9719c3895b3ddf5adc124b891b8b873d914cf19f4f7016a9d35152653fad69e
-
C:\Users\Admin\Downloads\yMYK.exeFilesize
209KB
MD54101a8cf5c8eecb3112ef0f5db6a5592
SHA1cab078557cb3f65afac44cb3fc0fec94cdffaa7a
SHA2564606b7f68d2eeb7254f5a2b455644684ac6503d9cad5958ebbf3e914ab8a66c4
SHA5128d19063d7986179cfe7f4b3fdd2e5609a458f44a227315a4643560163fed26f58bc997840577f823faac7edb3aaed9dd158b35ebea9abe037359345c11659afc
-
C:\Users\Admin\Downloads\yQEY.exeFilesize
200KB
MD582fa0a61fd91910184b708b845b10818
SHA115fcfd077f7697a4a8aee8804e02ae4d11cb6486
SHA25687208b1cf7a74e6754f1a0f9a73f563b8f1313f975aebe2ab4e2e974c4387150
SHA512902151b1148fe586be00464787bcb220c24e3236a712eda326c081757d5906869bc4e6f1a9da7616142047dc2dcff9fb5c9ad6604913745561e3c7271b3fd410
-
C:\Users\Admin\Downloads\ycYW.exeFilesize
197KB
MD59873b1d217a8f02f9e62c4424a78abc5
SHA1c1d960f52c694b46b447202ab3c8ccae7efe19e1
SHA25606bff95cdb003b377389311ac061b14d232f6af1995b09197a14a00bdfee8fcb
SHA512c5e812fbcb6fb890f6b1a6ac827aa94e67e80ea63ea3c91571be18a8d8d0557ac159e4c31b5507891673bd0f1ccd7e085be99dd7e7e28c99ecbe2c5b699a9809
-
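C:\Users\Admin\Pictures\ResumeEnter.png.exe
(Note: double extension. The signatures in this report show HideFileExt being set to 1, under which Explorer would display this file as "ResumeEnter.png".)
Filesize: 649KB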
MD55f3416430b17f23fb154b3065b80daee
SHA13e13361704e81a757bdf55f346b38d72572e757f
SHA256b68b7c1fec2f34881078706d6b18838343302dbb8308b855932ceeae7b77f9c1
SHA512bb8e829fdc25323dcb2c1d87013e55d7258a7aa0cac7927891ad700711b5502c5ec1f3f9633447da4b05d31994266e09bd9c6b5d554f7802b0ceb8f775aa5478
-
C:\Windows\Installer\MSI2968.tmp
Filesize: 180KB
MD5d552dd4108b5665d306b4a8bd6083dde
SHA1dae55ccba7adb6690b27fa9623eeeed7a57f8da1
SHA256a0367875b68b1699d2647a748278ebce64d5be633598580977aa126a81cf57c5
SHA512e5545a97014b5952e15bb321135f65c0e24414f8dd606fe454fd2d048d3f769b9318df7cfb2a6bf932eb2bf6d79811b93cb2008115deb0f0fa9db07f32a70969
-
C:\Windows\Installer\MSI29B7.tmp
Filesize: 88KB
MD54083cb0f45a747d8e8ab0d3e060616f2
SHA1dcec8efa7a15fa432af2ea0445c4b346fef2a4d6
SHA256252b7423b01ff81aea6fe7b40de91abf49f515e9c0c7b95aa982756889f8ac1a
SHA51226f8949cad02334f9942fda8509579303b81b11bc052a962c5c31a7c6c54a1c96957f30ee241c2206d496d2c519d750d7f6a12b52afdb282fa706f9fee385133
-
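\??\pipe\LOCAL\crashpad_2252_MVYTXEQSZOTQDKPU
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
(Note: these four values are the digests of zero-length input. They identify no file content and should not be used as IoCs. The pipe name follows the Crashpad crash-handler naming pattern, so it likely belongs to the browser used in the sandbox rather than to the sample.)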
-
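memory/212-2302-0x0000000000400000-0x0000000000432000-memory.dmp
Filesize: 200KB
(Note: the memory entries appear to be named memory/<process id>-<dump index>-<region start>-<region end>-memory.dmp, and the listed size matches end minus start. The same 200KB region at base 0x00400000 recurring under many process ids is consistent with repeated instances of one 32-bit image, though the listing alone does not confirm this.)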
-
memory/212-2356-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/268-1887-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/412-2032-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/412-1037-0x0000000000400000-0x000000000044F000-memory.dmpFilesize
316KB
-
memory/456-368-0x0000000004C10000-0x0000000004C27000-memory.dmpFilesize
92KB
-
memory/456-367-0x0000000004C10000-0x0000000004C27000-memory.dmpFilesize
92KB
-
memory/456-304-0x0000000000400000-0x0000000000417000-memory.dmpFilesize
92KB
-
memory/456-299-0x0000000000400000-0x0000000000417000-memory.dmpFilesize
92KB
-
memory/456-369-0x0000000004C10000-0x0000000004C27000-memory.dmpFilesize
92KB
-
memory/456-366-0x0000000004C10000-0x0000000004C27000-memory.dmpFilesize
92KB
-
memory/632-1898-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/632-1922-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/644-1756-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/644-1767-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/716-1871-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/716-2301-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/716-2285-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/720-1831-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/764-1664-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/816-1730-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/816-1750-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/888-1802-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/888-1813-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/1028-346-0x0000000002D00000-0x0000000002D34000-memory.dmpFilesize
208KB
-
memory/1028-343-0x00000000015B0000-0x00000000015E0000-memory.dmpFilesize
192KB
-
memory/1028-342-0x00000000011B0000-0x00000000012B0000-memory.dmpFilesize
1024KB
-
memory/1028-302-0x00000000005A0000-0x000000000065E000-memory.dmpFilesize
760KB
-
memory/1028-313-0x0000000000170000-0x0000000000200000-memory.dmpFilesize
576KB
-
memory/1028-336-0x0000000000ED0000-0x0000000000FFA000-memory.dmpFilesize
1.2MB
-
memory/1028-303-0x0000000000660000-0x0000000000929000-memory.dmpFilesize
2.8MB
-
memory/1028-330-0x0000000000450000-0x0000000000472000-memory.dmpFilesize
136KB
-
memory/1028-349-0x00000000030C0000-0x0000000003143000-memory.dmpFilesize
524KB
-
memory/1028-315-0x0000000000A00000-0x0000000000BA1000-memory.dmpFilesize
1.6MB
-
memory/1028-344-0x0000000002C10000-0x0000000002C41000-memory.dmpFilesize
196KB
-
memory/1028-333-0x0000000000E30000-0x0000000000ECB000-memory.dmpFilesize
620KB
-
memory/1028-340-0x0000000001110000-0x00000000011AD000-memory.dmpFilesize
628KB
-
memory/1028-338-0x0000000001000000-0x000000000110B000-memory.dmpFilesize
1.0MB
-
memory/1028-323-0x0000000000BB0000-0x0000000000C5C000-memory.dmpFilesize
688KB
-
memory/1028-348-0x00000000030B0000-0x00000000030BC000-memory.dmpFilesize
48KB
-
memory/1028-345-0x0000000002B90000-0x0000000002BA8000-memory.dmpFilesize
96KB
-
memory/1028-347-0x0000000002D40000-0x0000000002D67000-memory.dmpFilesize
156KB
-
memory/1028-332-0x0000000000D90000-0x0000000000E2E000-memory.dmpFilesize
632KB
-
memory/1028-331-0x0000000000D60000-0x0000000000D8B000-memory.dmpFilesize
172KB
-
memory/1104-1796-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/1104-1789-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/1108-1001-0x0000000000400000-0x000000000044F000-memory.dmpFilesize
316KB
-
memory/1108-999-0x0000000000400000-0x000000000044F000-memory.dmpFilesize
316KB
-
memory/1232-2214-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/1232-2232-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/1436-1879-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/1436-1872-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/1640-2167-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/1640-2185-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/1644-1768-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/1644-1776-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/1684-1965-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/1684-1986-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/1684-1861-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/1792-1719-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/1792-1729-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/1828-2145-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/1848-2419-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/2016-2400-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/2020-352-0x000001611FCE0000-0x000001611FCF7000-memory.dmpFilesize
92KB
-
memory/2020-320-0x000001611FCE0000-0x000001611FCF7000-memory.dmpFilesize
92KB
-
memory/2024-2146-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/2024-2158-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/2116-1839-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/2192-2392-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/2192-2379-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/2232-1996-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/2232-2244-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/2232-2004-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/2232-2251-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/2292-2242-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/2388-1710-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/2468-1963-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/2488-1823-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/2520-2204-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/2520-2194-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/2540-322-0x0000027D168C0000-0x0000027D168D7000-memory.dmpFilesize
92KB
-
memory/2540-305-0x0000027D168C0000-0x0000027D168D7000-memory.dmpFilesize
92KB
-
memory/2576-329-0x0000018F653B0000-0x0000018F653C7000-memory.dmpFilesize
92KB
-
memory/2576-306-0x0000018F653B0000-0x0000018F653C7000-memory.dmpFilesize
92KB
-
memory/2596-2288-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/2604-1668-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/2604-1653-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/2664-2369-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/2772-307-0x0000023B512A0000-0x0000023B512B7000-memory.dmpFilesize
92KB
-
memory/2772-353-0x0000023B512A0000-0x0000023B512B7000-memory.dmpFilesize
92KB
-
memory/3236-2409-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/3236-1853-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/3236-1841-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/3448-308-0x0000000002660000-0x0000000002677000-memory.dmpFilesize
92KB
-
memory/3448-324-0x0000000002660000-0x0000000002677000-memory.dmpFilesize
92KB
-
memory/3448-325-0x0000000002660000-0x0000000002677000-memory.dmpFilesize
92KB
-
memory/3448-326-0x0000000002660000-0x0000000002677000-memory.dmpFilesize
92KB
-
memory/3448-328-0x0000000002660000-0x0000000002677000-memory.dmpFilesize
92KB
-
memory/3448-327-0x0000000002660000-0x0000000002677000-memory.dmpFilesize
92KB
-
memory/3512-341-0x00000284CA170000-0x00000284CA187000-memory.dmpFilesize
92KB
-
memory/3512-318-0x00000284CA170000-0x00000284CA187000-memory.dmpFilesize
92KB
-
memory/3548-1987-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/3548-1995-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/3584-350-0x000002B018890000-0x000002B0188A7000-memory.dmpFilesize
92KB
-
memory/3584-309-0x000002B018890000-0x000002B0188A7000-memory.dmpFilesize
92KB
-
memory/3608-2278-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/3640-2378-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/3640-2366-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/3660-2090-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/3668-351-0x0000026373F10000-0x0000026373F27000-memory.dmpFilesize
92KB
-
memory/3668-316-0x0000026373F10000-0x0000026373F27000-memory.dmpFilesize
92KB
-
memory/3748-1895-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/3768-363-0x000001B080150000-0x000001B080158000-memory.dmpFilesize
32KB
-
memory/3768-364-0x000001B080130000-0x000001B080131000-memory.dmpFilesize
4KB
-
memory/3768-334-0x000001B080190000-0x000001B0801A7000-memory.dmpFilesize
92KB
-
memory/3768-310-0x000001B080190000-0x000001B0801A7000-memory.dmpFilesize
92KB
-
memory/3832-2261-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/3832-2252-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/3844-2181-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/3844-2193-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/3856-335-0x000001AC76DC0000-0x000001AC76DD7000-memory.dmpFilesize
92KB
-
memory/3856-311-0x000001AC76DC0000-0x000001AC76DD7000-memory.dmpFilesize
92KB
-
memory/3924-312-0x000001D71E590000-0x000001D71E5A7000-memory.dmpFilesize
92KB
-
memory/3924-337-0x000001D71E590000-0x000001D71E5A7000-memory.dmpFilesize
92KB
-
memory/4012-314-0x000002369BCF0000-0x000002369BD07000-memory.dmpFilesize
92KB
-
memory/4232-1659-0x0000000000400000-0x0000000000434000-memory.dmpFilesize
208KB
-
memory/4320-2034-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/4320-2049-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/4412-339-0x000001642F7A0000-0x000001642F7B7000-memory.dmpFilesize
92KB
-
memory/4412-317-0x000001642F7A0000-0x000001642F7B7000-memory.dmpFilesize
92KB
-
memory/4456-2161-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/4456-2171-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/4472-2213-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/4472-2205-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/4472-1947-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/4472-1955-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/4504-289-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/4504-291-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/4504-297-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/4612-1718-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/4612-1706-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/4712-2005-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/4712-2015-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/4816-2024-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/4816-2016-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/4828-354-0x00000149FF7C0000-0x00000149FF7D7000-memory.dmpFilesize
92KB
-
memory/4828-319-0x00000149FF7C0000-0x00000149FF7D7000-memory.dmpFilesize
92KB
-
memory/4860-1923-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/4860-1935-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/4916-1946-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/4916-1936-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/4924-321-0x000001D787E10000-0x000001D787E27000-memory.dmpFilesize
92KB
-
memory/4972-2091-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/4972-2114-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/5040-2410-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/5040-1805-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/5100-1004-0x0000000000400000-0x000000000044F000-memory.dmpFilesize
316KB
-
memory/5108-2270-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB