dharma | ab96139ff3813562b4ebe5b6dadd0b3028030ae33b08f638fe1d3b62f2bd2436

Analysis

max time kernel
279s
max time network
280s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
01-06-2024 18:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

20240531-0139-17.1284116 (2).mp4
Size

34.4MB
MD5

c60edc98590584c5b5bd2579f3e0c72f
SHA1

229b8e015657ec12fb47a23e27a77af4aef3b3da
SHA256

ab96139ff3813562b4ebe5b6dadd0b3028030ae33b08f638fe1d3b62f2bd2436
SHA512

bf5fe0832aa0e209d9bd62d84b0f1e4e228248c34060f48e326e125e1b7558ce54435a941891151c6fc90dc8e697e00b6de764e2586e89c855c45e8472348dd8
SSDEEP

786432:24JgE5F9ZhkO0sazINIJMK76aXHee59vUu9SHHPuvr:24g69XkOx8INFfQHee799SHHPuz

Score

10^/10

dharma defense_evasion evasion execution impact persistence ransomware spyware stealer trojan

Malware Config

Signatures

Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
ransomware dharma

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (555) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Downloads MZ/PE file

Drops startup file 9 IoCs

Processes:

explorer.exeCoronaVirus (1).exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6a73c55c.exe	explorer.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-CC7F4344.[[email protected]].ncov	CoronaVirus (1).exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6a73c55c.exe	CoronaVirus (1).exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6a73c55c.exe.id-CC7F4344.[[email protected]].ncov	CoronaVirus (1).exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6a73c55c.exe.id-CC7F4344.[[email protected]].ncov	CoronaVirus (1).exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CoronaVirus (1).exe	CoronaVirus (1).exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	CoronaVirus (1).exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-CC7F4344.[[email protected]].ncov	CoronaVirus (1).exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta	CoronaVirus (1).exe

Executes dropped EXE 64 IoCs

Processes:

CryptoWall.exeCoronaVirus (1).exeCoronaVirus (1).exemsedge.exemsedge.exemsedge.exeViraLock.exenswkAQwM.exekAMogMwo.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exeViraLock.exe

pid	process
4892	CryptoWall.exe
2432	CoronaVirus (1).exe
21496	CoronaVirus (1).exe
21196	msedge.exe
4984	msedge.exe
10560	msedge.exe
11520	ViraLock.exe
14740	nswkAQwM.exe
15812	kAMogMwo.exe
5172	ViraLock.exe
8444	ViraLock.exe
21636	ViraLock.exe
22124	ViraLock.exe
22436	ViraLock.exe
22976	ViraLock.exe
24108	ViraLock.exe
28412	ViraLock.exe
24804	ViraLock.exe
29960	ViraLock.exe
8836	ViraLock.exe
9776	ViraLock.exe
11620	ViraLock.exe
13792	ViraLock.exe
16360	ViraLock.exe
18412	ViraLock.exe
15200	ViraLock.exe
14904	ViraLock.exe
13376	ViraLock.exe
19660	ViraLock.exe
24572	ViraLock.exe
20080	ViraLock.exe
20236	ViraLock.exe
18528	ViraLock.exe
5608	ViraLock.exe
13932	ViraLock.exe
11140	ViraLock.exe
9640	ViraLock.exe
32104	ViraLock.exe
8352	ViraLock.exe
14492	ViraLock.exe
15900	ViraLock.exe
16808	ViraLock.exe
21028	ViraLock.exe
11024	ViraLock.exe
6108	ViraLock.exe
10264	ViraLock.exe
6132	ViraLock.exe
31048	ViraLock.exe
33008	ViraLock.exe
22108	ViraLock.exe
22712	ViraLock.exe
23268	ViraLock.exe
23932	ViraLock.exe
25712	ViraLock.exe
31776	ViraLock.exe
26744	ViraLock.exe
28188	ViraLock.exe
28924	ViraLock.exe
29536	ViraLock.exe
18048	ViraLock.exe
28708	ViraLock.exe
29168	ViraLock.exe
31300	ViraLock.exe
31712	ViraLock.exe

Loads dropped DLL 5 IoCs

Processes:

msedge.exemsedge.exemsedge.exemsedge.exemsedge.exe

pid process

21196 msedge.exe
4984 msedge.exe
10560 msedge.exe
31608 msedge.exe
32012 msedge.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
21196	msedge.exe
4984	msedge.exe
10560	msedge.exe
31608	msedge.exe
32012	msedge.exe

Adds Run key to start application 2 TTPs 11 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exeCoronaVirus (1).exeViraLock.exenswkAQwM.exekAMogMwo.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*a73c55 = "C:\\6a73c55c\\6a73c55c.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Run\6a73c55c = "C:\\Users\\Admin\\AppData\\Roaming\\6a73c55c.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*a73c55c = "C:\\Users\\Admin\\AppData\\Roaming\\6a73c55c.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CoronaVirus (1).exe = "C:\\Windows\\System32\\CoronaVirus (1).exe"	CoronaVirus (1).exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\""	CoronaVirus (1).exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\""	CoronaVirus (1).exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kAMogMwo.exe = "C:\\ProgramData\\EekwMEEw\\kAMogMwo.exe"	ViraLock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Run\nswkAQwM.exe = "C:\\Users\\Admin\\amwcQgsw\\nswkAQwM.exe"	nswkAQwM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Run\6a73c55 = "C:\\6a73c55c\\6a73c55c.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Run\nswkAQwM.exe = "C:\\Users\\Admin\\amwcQgsw\\nswkAQwM.exe"	ViraLock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kAMogMwo.exe = "C:\\ProgramData\\EekwMEEw\\kAMogMwo.exe"	kAMogMwo.exe

Drops desktop.ini file(s) 64 IoCs

Processes:

CoronaVirus (1).exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\desktop.ini	CoronaVirus (1).exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	CoronaVirus (1).exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	CoronaVirus (1).exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	CoronaVirus (1).exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2457560273-69882387-977367775-1000\desktop.ini	CoronaVirus (1).exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini	CoronaVirus (1).exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	CoronaVirus (1).exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	CoronaVirus (1).exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	CoronaVirus (1).exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	CoronaVirus (1).exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	CoronaVirus (1).exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	CoronaVirus (1).exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	CoronaVirus (1).exe
File opened for modification	C:\Users\Public\desktop.ini	CoronaVirus (1).exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	CoronaVirus (1).exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	CoronaVirus (1).exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	CoronaVirus (1).exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	CoronaVirus (1).exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	CoronaVirus (1).exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	CoronaVirus (1).exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	CoronaVirus (1).exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	CoronaVirus (1).exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	CoronaVirus (1).exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	CoronaVirus (1).exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	CoronaVirus (1).exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	CoronaVirus (1).exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	CoronaVirus (1).exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-2457560273-69882387-977367775-1000\desktop.ini	CoronaVirus (1).exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	CoronaVirus (1).exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	CoronaVirus (1).exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	CoronaVirus (1).exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	CoronaVirus (1).exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	CoronaVirus (1).exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	CoronaVirus (1).exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	CoronaVirus (1).exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	CoronaVirus (1).exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	CoronaVirus (1).exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	CoronaVirus (1).exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	CoronaVirus (1).exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	CoronaVirus (1).exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	CoronaVirus (1).exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	CoronaVirus (1).exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini	CoronaVirus (1).exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	CoronaVirus (1).exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	CoronaVirus (1).exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	CoronaVirus (1).exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	CoronaVirus (1).exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	CoronaVirus (1).exe
File opened for modification	C:\Users\Public\Music\desktop.ini	CoronaVirus (1).exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	CoronaVirus (1).exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	CoronaVirus (1).exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	CoronaVirus (1).exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	CoronaVirus (1).exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	CoronaVirus (1).exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	CoronaVirus (1).exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	CoronaVirus (1).exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	CoronaVirus (1).exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	CoronaVirus (1).exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	CoronaVirus (1).exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	CoronaVirus (1).exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	CoronaVirus (1).exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	CoronaVirus (1).exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	CoronaVirus (1).exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	CoronaVirus (1).exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

unregmp2.exe

description	ioc	process
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\J:	unregmp2.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

30 raw.githubusercontent.com
52 raw.githubusercontent.com
53 raw.githubusercontent.com
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

57 ip-addr.es
59 ip-addr.es
90 ip-addr.es

flow	ioc
30	raw.githubusercontent.com
52	raw.githubusercontent.com
53	raw.githubusercontent.com

flow	ioc
57	ip-addr.es
59	ip-addr.es
90	ip-addr.es

Drops file in System32 directory 2 IoCs

Processes:

CoronaVirus (1).exe

description	ioc	process
File created	C:\Windows\System32\CoronaVirus (1).exe	CoronaVirus (1).exe
File created	C:\Windows\System32\Info.hta	CoronaVirus (1).exe

Drops file in Program Files directory 64 IoCs

Processes:

CoronaVirus (1).exe

description	ioc	process
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-64.png	CoronaVirus (1).exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\cloud_icon.png.id-CC7F4344.[[email protected]].ncov	CoronaVirus (1).exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_output\libgl_plugin.dll	CoronaVirus (1).exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.143.57\psuser_64.dll.id-CC7F4344.[[email protected]].ncov	CoronaVirus (1).exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_11.2104.2.0_x64__8wekyb3d8bbwe\Assets\contrast-black\SnipSketchLargeTile.scale-200.png	CoronaVirus (1).exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-synch-l1-1-0.dll.id-CC7F4344.[[email protected]].ncov	CoronaVirus (1).exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\themes\dark\dd_arrow_small2x.png.id-CC7F4344.[[email protected]].ncov	CoronaVirus (1).exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription2-pl.xrm-ms	CoronaVirus (1).exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\MSOUC_COL.HXC.id-CC7F4344.[[email protected]].ncov	CoronaVirus (1).exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_mixer\libinteger_mixer_plugin.dll.id-CC7F4344.[[email protected]].ncov	CoronaVirus (1).exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_1.0.6.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\WeatherAppList.targetsize-256_altform-unplated_contrast-black.png	CoronaVirus (1).exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\themes\dark\files_icons2x.png	CoronaVirus (1).exe
File created	C:\Program Files\Microsoft Office\root\Office16\1036\MSO.ACL.id-CC7F4344.[[email protected]].ncov	CoronaVirus (1).exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ScreenSketch_11.2104.2.0_neutral_split.scale-100_8wekyb3d8bbwe\resources.pri	CoronaVirus (1).exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_2.2106.2807.0_x64__8wekyb3d8bbwe\Assets\Store\Wide310x150Logo.scale-400.png	CoronaVirus (1).exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\XLLEX.DLL	CoronaVirus (1).exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SKY\SKY.ELM.id-CC7F4344.[[email protected]].ncov	CoronaVirus (1).exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\SalesReport.xltx.id-CC7F4344.[[email protected]].ncov	CoronaVirus (1).exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ca-es\ui-strings.js.id-CC7F4344.[[email protected]].ncov	CoronaVirus (1).exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\ko-kr\ui-strings.js	CoronaVirus (1).exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_OEM_Perp-ppd.xrm-ms.id-CC7F4344.[[email protected]].ncov	CoronaVirus (1).exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\ResiliencyLinks\identity_proxy\resources.pri.DATA.id-CC7F4344.[[email protected]].ncov	CoronaVirus (1).exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\ResiliencyLinks\Locales\es-419.pak.DATA.id-CC7F4344.[[email protected]].ncov	CoronaVirus (1).exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\WordCombinedFloatieModel.bin.id-CC7F4344.[[email protected]].ncov	CoronaVirus (1).exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\System\ole db\xmlrwbin.dll	CoronaVirus (1).exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\Microsoft.PackageManagement.MetaProvider.PowerShell.dll.id-CC7F4344.[[email protected]].ncov	CoronaVirus (1).exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{E4EDB131-DB9B-4B5F-AD5C-A10C46B93DF5}\chrome_installer.exe.id-CC7F4344.[[email protected]].ncov	CoronaVirus (1).exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-fibers-l1-1-0.dll	CoronaVirus (1).exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\UIAutomationClientSideProviders.resources.dll.id-CC7F4344.[[email protected]].ncov	CoronaVirus (1).exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.42251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-30_contrast-white.png	CoronaVirus (1).exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_21.21030.25003.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-30_altform-unplated_contrast-white.png	CoronaVirus (1).exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2012.21.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\CalculatorMedTile.scale-125_contrast-white.png	CoronaVirus (1).exe
File created	C:\Program Files\Mozilla Firefox\crashreporter.exe.id-CC7F4344.[[email protected]].ncov	CoronaVirus (1).exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\UIAutomationClient.resources.dll.id-CC7F4344.[[email protected]].ncov	CoronaVirus (1).exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_21.21030.25003.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\PhotosBadgeLogo.contrast-black_scale-125.png	CoronaVirus (1).exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\UIAutomationProvider.resources.dll.id-CC7F4344.[[email protected]].ncov	CoronaVirus (1).exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingNews_1.0.6.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\NewsSplashScreen.scale-200_contrast-white.png	CoronaVirus (1).exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\sv-se\ui-strings.js	CoronaVirus (1).exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Grace-ppd.xrm-ms	CoronaVirus (1).exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\SETLANG.EXE	CoronaVirus (1).exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.143.57\msedgeupdateres_de.dll	CoronaVirus (1).exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.21012.10511.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\SmallLogo.scale-125_contrast-white.png	CoronaVirus (1).exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\PresentationFramework.resources.dll.id-CC7F4344.[[email protected]].ncov	CoronaVirus (1).exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_1.0.38.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-40_altform-lightunplated_contrast-white.png	CoronaVirus (1).exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib\Coachmark.js	CoronaVirus (1).exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\cs-cz\ui-strings.js.id-CC7F4344.[[email protected]].ncov	CoronaVirus (1).exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_MAK-ul-oob.xrm-ms	CoronaVirus (1).exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Primitives.dll	CoronaVirus (1).exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\GB.XSL	CoronaVirus (1).exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1909.12456.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\PeopleStoreLogo.scale-100.png	CoronaVirus (1).exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_1.0.36.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AlarmsAppList.scale-125_contrast-white.png	CoronaVirus (1).exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\lib-amd\types\IAnimationStyles.js	CoronaVirus (1).exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\dt_socket.dll.id-CC7F4344.[[email protected]].ncov	CoronaVirus (1).exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\orcl7.xsl.id-CC7F4344.[[email protected]].ncov	CoronaVirus (1).exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\index.html	CoronaVirus (1).exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\css\main-selector.css	CoronaVirus (1).exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_MAK-pl.xrm-ms.id-CC7F4344.[[email protected]].ncov	CoronaVirus (1).exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-white_scale-140.png	CoronaVirus (1).exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Paint_10.2104.17.0_x64__8wekyb3d8bbwe\Assets\PaintAppList.targetsize-256.png	CoronaVirus (1).exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\tr-tr\ui-strings.js.id-CC7F4344.[[email protected]].ncov	CoronaVirus (1).exe
File opened for modification	C:\Program Files\Java\jre-1.8\COPYRIGHT	CoronaVirus (1).exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\nb-no\ui-strings.js	CoronaVirus (1).exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\PresentationUI.resources.dll	CoronaVirus (1).exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailLargeTile.scale-400.png	CoronaVirus (1).exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

24336 vssadmin.exe
20144 vssadmin.exe

pid	process
24336	vssadmin.exe
20144	vssadmin.exe

Modifies registry class 5 IoCs

Processes:

msedge.exeBackgroundTransferHost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2457560273-69882387-977367775-1000\{073D9968-CB7A-4E06-80F0-CE0B92F2646B}	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

Processes:

pid	process
21964	reg.exe
860	reg.exe
15476	reg.exe
24316	reg.exe
20232	reg.exe
27500	reg.exe
20524	reg.exe
7304	reg.exe
20384	reg.exe
6196	reg.exe
10152	reg.exe
28552	reg.exe
22500	reg.exe
5840	reg.exe
24268	reg.exe
24528	reg.exe
8280	reg.exe
27228	reg.exe
11880	reg.exe
29600	reg.exe
31692	reg.exe
22508	reg.exe
11628	reg.exe
17044	reg.exe
33288	reg.exe
23804	reg.exe
19732	reg.exe
18952	reg.exe
14548	reg.exe
25928	reg.exe
22748	reg.exe
14556	reg.exe
5252	reg.exe
20740	reg.exe
25136	reg.exe
8084	reg.exe
7180	reg.exe
7744	reg.exe
21832	reg.exe
24292	reg.exe
23336	reg.exe
25672	reg.exe
26736	reg.exe
16120	reg.exe
17412	reg.exe
17536	reg.exe
31684	reg.exe
24604	reg.exe
19748	reg.exe
6460	reg.exe
23064	reg.exe
30276	reg.exe
8800	reg.exe
32328	reg.exe
6216	reg.exe
21336	reg.exe
15400	reg.exe
10080	reg.exe
14504	reg.exe
33020	reg.exe
25944	reg.exe
25752	reg.exe
32376	reg.exe
32916	reg.exe

NTFS ADS 10 IoCs

Processes:

msedge.exemsedge.exemsedge.exemsedge.exemsedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 720941.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\CryptoWall.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 319899.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\CoronaVirus (1).exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\ViraLock.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 373084.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 828621.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\CryptoWall (1).exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 893664.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 790646.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exeCoronaVirus (1).exe

pid	process
4076	msedge.exe
4076	msedge.exe
2424	msedge.exe
2424	msedge.exe
2116	identity_helper.exe
2116	identity_helper.exe
1540	msedge.exe
1540	msedge.exe
440	msedge.exe
440	msedge.exe
1588	msedge.exe
1588	msedge.exe
3680	msedge.exe
3680	msedge.exe
4712	msedge.exe
4712	msedge.exe
2432	CoronaVirus (1).exe
2432	CoronaVirus (1).exe
2432	CoronaVirus (1).exe
2432	CoronaVirus (1).exe
2432	CoronaVirus (1).exe
2432	CoronaVirus (1).exe
2432	CoronaVirus (1).exe
2432	CoronaVirus (1).exe
2432	CoronaVirus (1).exe
2432	CoronaVirus (1).exe
2432	CoronaVirus (1).exe
2432	CoronaVirus (1).exe
2432	CoronaVirus (1).exe
2432	CoronaVirus (1).exe
2432	CoronaVirus (1).exe
2432	CoronaVirus (1).exe
2432	CoronaVirus (1).exe
2432	CoronaVirus (1).exe
2432	CoronaVirus (1).exe
2432	CoronaVirus (1).exe
2432	CoronaVirus (1).exe
2432	CoronaVirus (1).exe
2432	CoronaVirus (1).exe
2432	CoronaVirus (1).exe
2432	CoronaVirus (1).exe
2432	CoronaVirus (1).exe
2432	CoronaVirus (1).exe
2432	CoronaVirus (1).exe
2432	CoronaVirus (1).exe
2432	CoronaVirus (1).exe
2432	CoronaVirus (1).exe
2432	CoronaVirus (1).exe
2432	CoronaVirus (1).exe
2432	CoronaVirus (1).exe
2432	CoronaVirus (1).exe
2432	CoronaVirus (1).exe
2432	CoronaVirus (1).exe
2432	CoronaVirus (1).exe
2432	CoronaVirus (1).exe
2432	CoronaVirus (1).exe
2432	CoronaVirus (1).exe
2432	CoronaVirus (1).exe
2432	CoronaVirus (1).exe
2432	CoronaVirus (1).exe
2432	CoronaVirus (1).exe
2432	CoronaVirus (1).exe
2432	CoronaVirus (1).exe
2432	CoronaVirus (1).exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

nswkAQwM.exe

pid process

14740 nswkAQwM.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

CryptoWall.exeexplorer.exe

pid process

4892 CryptoWall.exe
4988 explorer.exe

pid	process
14740	nswkAQwM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs

Processes:

msedge.exe

pid	process
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

CoronaVirus (1).exe

pid process

2432 CoronaVirus (1).exe

pid	process
2432	CoronaVirus (1).exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

unregmp2.exevssvc.exe

description	pid	process
Token: SeShutdownPrivilege	4040	unregmp2.exe
Token: SeCreatePagefilePrivilege	4040	unregmp2.exe
Token: SeBackupPrivilege	14868	vssvc.exe
Token: SeRestorePrivilege	14868	vssvc.exe
Token: SeAuditPrivilege	14868	vssvc.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exe

pid	process
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

msedge.exe

pid	process
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

wmplayer.exeunregmp2.exemsedge.exe

description	pid	process	target process
PID 1412 wrote to memory of 708	1412	wmplayer.exe	setup_wm.exe
PID 1412 wrote to memory of 708	1412	wmplayer.exe	setup_wm.exe
PID 1412 wrote to memory of 708	1412	wmplayer.exe	setup_wm.exe
PID 1412 wrote to memory of 1492	1412	wmplayer.exe	unregmp2.exe
PID 1412 wrote to memory of 1492	1412	wmplayer.exe	unregmp2.exe
PID 1412 wrote to memory of 1492	1412	wmplayer.exe	unregmp2.exe
PID 1492 wrote to memory of 4040	1492	unregmp2.exe	unregmp2.exe
PID 1492 wrote to memory of 4040	1492	unregmp2.exe	unregmp2.exe
PID 4076 wrote to memory of 2100	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 2100	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 2980	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 2980	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 2980	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 2980	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 2980	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 2980	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 2980	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 2980	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 2980	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 2980	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 2980	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 2980	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 2980	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 2980	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 2980	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 2980	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 2980	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 2980	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 2980	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 2980	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 2980	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 2980	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 2980	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 2980	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 2980	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 2980	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 2980	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 2980	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 2980	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 2980	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 2980	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 2980	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 2980	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 2980	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 2980	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 2980	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 2980	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 2980	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 2980	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 2980	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 2424	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 2424	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 2352	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 2352	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 2352	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 2352	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 2352	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 2352	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 2352	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 2352	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 2352	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 2352	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 2352	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 2352	4076	msedge.exe	msedge.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\20240531-0139-17.1284116 (2).mp4"
1⤵
- Suspicious use of WriteProcessMemory
PID:1412

C:\Program Files (x86)\Windows Media Player\setup_wm.exe
"C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\20240531-0139-17.1284116 (2).mp4"
2⤵
PID:708

C:\Windows\SysWOW64\unregmp2.exe
"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
2⤵
- Suspicious use of WriteProcessMemory
PID:1492

C:\Windows\system32\unregmp2.exe
"C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
3⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:4040

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4076

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffad6743cb8,0x7ffad6743cc8,0x7ffad6743cd8
2⤵
PID:2100

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1796,9053651396274092149,1250168950161107088,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1792 /prefetch:2
2⤵
PID:2980

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1796,9053651396274092149,1250168950161107088,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2424

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1796,9053651396274092149,1250168950161107088,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2492 /prefetch:8
2⤵
PID:2352

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1796,9053651396274092149,1250168950161107088,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
2⤵
PID:1560

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1796,9053651396274092149,1250168950161107088,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
2⤵
PID:2176

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1796,9053651396274092149,1250168950161107088,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4900 /prefetch:1
2⤵
PID:3100

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1796,9053651396274092149,1250168950161107088,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4928 /prefetch:1
2⤵
PID:2864

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1796,9053651396274092149,1250168950161107088,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5360 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1796,9053651396274092149,1250168950161107088,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4468 /prefetch:1
2⤵
PID:2384

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1796,9053651396274092149,1250168950161107088,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:1
2⤵
PID:5036

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1796,9053651396274092149,1250168950161107088,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4884 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1796,9053651396274092149,1250168950161107088,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4984 /prefetch:1
2⤵
PID:2888

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1796,9053651396274092149,1250168950161107088,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4672 /prefetch:1
2⤵
PID:3636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1796,9053651396274092149,1250168950161107088,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2516 /prefetch:1
2⤵
PID:1588

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1796,9053651396274092149,1250168950161107088,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4540 /prefetch:1
2⤵
PID:2364

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1796,9053651396274092149,1250168950161107088,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5704 /prefetch:1
2⤵
PID:1100

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1796,9053651396274092149,1250168950161107088,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6100 /prefetch:8
2⤵
PID:2340

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1796,9053651396274092149,1250168950161107088,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5656 /prefetch:8
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1796,9053651396274092149,1250168950161107088,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:1
2⤵
PID:2548

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1796,9053651396274092149,1250168950161107088,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5804 /prefetch:1
2⤵
PID:2844

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1796,9053651396274092149,1250168950161107088,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6228 /prefetch:1
2⤵
PID:1796

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1796,9053651396274092149,1250168950161107088,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6524 /prefetch:1
2⤵
PID:5000

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1796,9053651396274092149,1250168950161107088,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3368 /prefetch:8
2⤵
PID:4264

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1796,9053651396274092149,1250168950161107088,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6432 /prefetch:8
2⤵
PID:236

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1796,9053651396274092149,1250168950161107088,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6616 /prefetch:8
2⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:1588

C:\Users\Admin\Downloads\CryptoWall.exe
"C:\Users\Admin\Downloads\CryptoWall.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: MapViewOfSection
PID:4892

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\syswow64\explorer.exe"
3⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: MapViewOfSection
PID:4988

C:\Windows\SysWOW64\svchost.exe
-k netsvcs
4⤵
PID:3188

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1796,9053651396274092149,1250168950161107088,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1928 /prefetch:8
2⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:3680

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1796,9053651396274092149,1250168950161107088,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6864 /prefetch:1
2⤵
PID:4628

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1796,9053651396274092149,1250168950161107088,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4324 /prefetch:8
2⤵
PID:3104

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1796,9053651396274092149,1250168950161107088,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5832 /prefetch:8
2⤵
PID:5060

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1796,9053651396274092149,1250168950161107088,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4504 /prefetch:8
2⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:4712

C:\Users\Admin\Downloads\CoronaVirus (1).exe
"C:\Users\Admin\Downloads\CoronaVirus (1).exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
PID:2432

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
PID:1436

C:\Windows\system32\mode.com
mode con cp select=1251
4⤵
PID:19724

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:24336

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
PID:21048

C:\Windows\system32\mode.com
mode con cp select=1251
4⤵
PID:16768

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:20144

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
3⤵
PID:17376

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
3⤵
PID:6176

C:\Users\Admin\Downloads\CoronaVirus (1).exe
"C:\Users\Admin\Downloads\CoronaVirus (1).exe"
2⤵
- Executes dropped EXE
PID:21496

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1796,9053651396274092149,1250168950161107088,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5968 /prefetch:2
2⤵
PID:33188

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1796,9053651396274092149,1250168950161107088,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2520 /prefetch:1
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:21196

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1796,9053651396274092149,1250168950161107088,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5892 /prefetch:8
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4984

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1796,9053651396274092149,1250168950161107088,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2564 /prefetch:8
2⤵
- Executes dropped EXE
- Loads dropped DLL
- NTFS ADS
PID:10560

C:\Users\Admin\Downloads\ViraLock.exe
"C:\Users\Admin\Downloads\ViraLock.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:11520

C:\Users\Admin\amwcQgsw\nswkAQwM.exe
"C:\Users\Admin\amwcQgsw\nswkAQwM.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
PID:14740

C:\ProgramData\EekwMEEw\kAMogMwo.exe
"C:\ProgramData\EekwMEEw\kAMogMwo.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
PID:15812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
3⤵
PID:3152

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
4⤵
- Executes dropped EXE
PID:5172

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
5⤵
PID:7904

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
6⤵
- Executes dropped EXE
PID:8444

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
7⤵
PID:15588

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
8⤵
- Executes dropped EXE
PID:21636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
9⤵
PID:21736

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
10⤵
- Executes dropped EXE
PID:22124

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
11⤵
PID:22336

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
12⤵
- Executes dropped EXE
PID:22436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
13⤵
PID:22916

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
14⤵
- Executes dropped EXE
PID:22976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
15⤵
PID:23628

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
16⤵
- Executes dropped EXE
PID:24108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
17⤵
PID:24312

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
18⤵
- Executes dropped EXE
PID:28412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
19⤵
PID:8104

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
20⤵
- Executes dropped EXE
PID:24804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
21⤵
PID:29196

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
22⤵
- Executes dropped EXE
PID:29960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
23⤵
PID:31988

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
24⤵
- Executes dropped EXE
PID:8836

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
25⤵
PID:9684

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
26⤵
- Executes dropped EXE
PID:9776

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
27⤵
PID:10476

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
28⤵
- Executes dropped EXE
PID:11620

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
29⤵
PID:7764

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
30⤵
- Executes dropped EXE
PID:13792

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
31⤵
PID:15112

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
32⤵
- Executes dropped EXE
PID:16360

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
33⤵
PID:16948

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
34⤵
- Executes dropped EXE
PID:18412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
35⤵
PID:19792

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
36⤵
- Executes dropped EXE
PID:15200

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
37⤵
PID:12180

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
38⤵
- Executes dropped EXE
PID:14904

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
39⤵
PID:13168

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
40⤵
- Executes dropped EXE
PID:13376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
41⤵
PID:19584

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
42⤵
- Executes dropped EXE
PID:19660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
43⤵
PID:24208

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
44⤵
- Executes dropped EXE
PID:24572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
45⤵
PID:25268

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
46⤵
- Executes dropped EXE
PID:20080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
47⤵
PID:18616

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
48⤵
- Executes dropped EXE
PID:20236

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
49⤵
PID:26248

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
50⤵
- Executes dropped EXE
PID:18528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
51⤵
PID:16132

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
52⤵
- Executes dropped EXE
PID:5608

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
53⤵
PID:14920

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
54⤵
- Executes dropped EXE
PID:13932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
55⤵
PID:11268

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
56⤵
- Executes dropped EXE
PID:11140

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
57⤵
PID:10180

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
58⤵
- Executes dropped EXE
PID:9640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
59⤵
PID:9376

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
60⤵
- Executes dropped EXE
PID:32104

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
61⤵
PID:8740

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
62⤵
- Executes dropped EXE
PID:8352

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
63⤵
PID:27372

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
64⤵
- Executes dropped EXE
PID:14492

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
65⤵
PID:15932

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
66⤵
- Executes dropped EXE
PID:15900

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
67⤵
PID:16992

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
68⤵
- Executes dropped EXE
PID:16808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
69⤵
PID:18840

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
70⤵
- Executes dropped EXE
PID:21028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
71⤵
PID:21380

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
72⤵
- Executes dropped EXE
PID:11024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
73⤵
PID:4376

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
74⤵
- Executes dropped EXE
PID:6108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
75⤵
PID:8808

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
76⤵
- Executes dropped EXE
PID:10264

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
77⤵
PID:6492

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
78⤵
- Executes dropped EXE
PID:6132

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
79⤵
PID:21980

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
80⤵
- Executes dropped EXE
PID:31048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
81⤵
PID:32636

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
82⤵
- Executes dropped EXE
PID:33008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
83⤵
PID:28840

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
84⤵
- Executes dropped EXE
PID:22108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
85⤵
PID:22600

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
86⤵
- Executes dropped EXE
PID:22712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
87⤵
PID:23216

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
88⤵
- Executes dropped EXE
PID:23268

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
89⤵
PID:23840

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
90⤵
- Executes dropped EXE
PID:23932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
91⤵
PID:25016

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
92⤵
- Executes dropped EXE
PID:25712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
93⤵
PID:25856

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
94⤵
- Executes dropped EXE
PID:31776

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
95⤵
PID:27860

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
96⤵
- Executes dropped EXE
PID:26744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
97⤵
PID:27328

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
98⤵
- Executes dropped EXE
PID:28188

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
99⤵
PID:28300

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
100⤵
- Executes dropped EXE
PID:28924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
101⤵
PID:29304

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
102⤵
- Executes dropped EXE
PID:29536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
103⤵
PID:26652

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
104⤵
- Executes dropped EXE
PID:18048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
105⤵
PID:29380

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
106⤵
- Executes dropped EXE
PID:28708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
107⤵
PID:28948

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
108⤵
- Executes dropped EXE
PID:29168

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
109⤵
PID:30568

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
110⤵
- Executes dropped EXE
PID:31300

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
111⤵
PID:31432

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
112⤵
- Executes dropped EXE
PID:31712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
113⤵
PID:32228

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
114⤵
PID:32312

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
115⤵
PID:5744

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
116⤵
PID:5672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
117⤵
PID:26580

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
118⤵
PID:33260

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
119⤵
PID:5328

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
120⤵
PID:33564

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
121⤵
PID:33444

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
122⤵
PID:32192

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
123⤵
PID:8516

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
124⤵
PID:31144

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
125⤵
PID:6136

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
126⤵
PID:32232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
127⤵
PID:25116

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
128⤵
PID:27816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
129⤵
PID:27788

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
130⤵
PID:32112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
131⤵
PID:6120

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
132⤵
PID:29604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
133⤵
PID:28276

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
134⤵
PID:23988

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
135⤵
PID:28404

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
136⤵
PID:26028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
137⤵
PID:9412

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
138⤵
PID:14376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
139⤵
PID:25940

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
140⤵
PID:17384

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
141⤵
PID:20160

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
142⤵
PID:21984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
143⤵
PID:19100

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
144⤵
PID:15624

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
145⤵
PID:8664

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
146⤵
PID:10852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
147⤵
PID:6868

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
148⤵
PID:6980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
149⤵
PID:16700

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
150⤵
PID:17936

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
151⤵
PID:17004

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
152⤵
PID:7360

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
153⤵
PID:11352

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
154⤵
PID:19084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
155⤵
PID:20644

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
156⤵
PID:9084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
157⤵
PID:27552

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
158⤵
PID:19848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
159⤵
PID:14456

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
160⤵
PID:9452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
161⤵
PID:25520

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
162⤵
PID:25892

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
163⤵
PID:27528

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
164⤵
PID:28728

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
165⤵
PID:30132

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
166⤵
PID:30516

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
167⤵
PID:29100

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
168⤵
PID:30816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
169⤵
PID:8568

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
170⤵
PID:15092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
171⤵
PID:18256

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
172⤵
PID:18376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
173⤵
PID:19480

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
174⤵
PID:19688

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
175⤵
PID:20824

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
176⤵
PID:20304

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
177⤵
PID:5780

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
178⤵
PID:17608

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
179⤵
PID:17748

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
180⤵
PID:14952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
181⤵
PID:4444

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
182⤵
PID:17140

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
183⤵
PID:3980

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
184⤵
PID:13676

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
185⤵
PID:2240

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
186⤵
PID:12572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
187⤵
PID:8396

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
188⤵
PID:11224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
189⤵
PID:13088

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
190⤵
PID:5600

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
191⤵
PID:7476

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
192⤵
PID:3536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
193⤵
PID:6780

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
194⤵
PID:5848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
195⤵
PID:8312

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
196⤵
PID:21556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
197⤵
PID:22012

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
198⤵
PID:21856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
199⤵
PID:22684

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
200⤵
PID:22444

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
201⤵
PID:23320

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
202⤵
PID:22568

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
203⤵
PID:24124

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
204⤵
PID:7424

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
205⤵
PID:21144

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
206⤵
PID:24052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
207⤵
PID:26752

C:\Users\Admin\Downloads\ViraLock.exe
C:\Users\Admin\Downloads\ViraLock
208⤵
PID:24464

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
209⤵
- Modifies registry key
PID:28552

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
209⤵
PID:8024

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
209⤵
PID:8044

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
207⤵
PID:24756

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
207⤵
PID:24668

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
207⤵
- UAC bypass
PID:24724

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FcwcQMoU.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
207⤵
PID:24376

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
208⤵
PID:8296

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
205⤵
- Modifies registry key
PID:24528

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
205⤵
PID:24684

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
205⤵
PID:8120

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MukYEIMs.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
205⤵
PID:23736

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
206⤵
PID:24588

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
203⤵
PID:23844

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
203⤵
PID:7672

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
203⤵
PID:13404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kcAoIowU.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
203⤵
PID:23968

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
204⤵
PID:24216

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
201⤵
- Modifies visibility of file extensions in Explorer
PID:22532

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
201⤵
PID:23396

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
201⤵
PID:23520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ysIUQIUQ.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
201⤵
PID:23512

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
202⤵
PID:22988

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
199⤵
- Modifies visibility of file extensions in Explorer
PID:22580

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
199⤵
PID:22456

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
199⤵
- UAC bypass
PID:22644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RcAEAQEI.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
199⤵
PID:22892

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
200⤵
PID:23196

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
197⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:21964

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
197⤵
PID:22096

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
197⤵
PID:21976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dGIsYYgQ.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
197⤵
PID:22252

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
198⤵
PID:21744

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
195⤵
- Modifies visibility of file extensions in Explorer
PID:1608

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
195⤵
PID:21540

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
195⤵
- UAC bypass
PID:13732

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DYEMMgAc.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
195⤵
PID:21700

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
196⤵
PID:2612

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
193⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:6460

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
193⤵
PID:4948

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
193⤵
PID:12644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RicoQQcw.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
193⤵
PID:12728

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
194⤵
PID:21524

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
191⤵
PID:416

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
191⤵
- Modifies registry key
PID:7744

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
191⤵
- UAC bypass
PID:7488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QgUEAYEQ.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
191⤵
PID:8144

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
192⤵
PID:6668

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
189⤵
- Modifies visibility of file extensions in Explorer
PID:26048

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
189⤵
PID:24260

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
189⤵
PID:19272

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KQEwwIkQ.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
189⤵
PID:26040

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
190⤵
PID:10352

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
187⤵
- Modifies visibility of file extensions in Explorer
PID:21316

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
187⤵
PID:21260

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
187⤵
PID:21292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lkscMEYw.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
187⤵
PID:4716

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
188⤵
PID:11780

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
185⤵
- Modifies registry key
PID:20524

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
185⤵
- Modifies registry key
PID:20740

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
185⤵
- UAC bypass
PID:19540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VYMEowkk.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
185⤵
PID:18948

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
186⤵
PID:11032

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
183⤵
- Modifies visibility of file extensions in Explorer
PID:16496

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
183⤵
PID:16080

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
183⤵
- UAC bypass
- Modifies registry key
PID:16120

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SakMckEk.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
183⤵
PID:16168

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
184⤵
PID:17880

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
181⤵
- Modifies visibility of file extensions in Explorer
PID:13760

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
181⤵
PID:13672

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
181⤵
- UAC bypass
PID:20380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EsQQEwII.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
181⤵
PID:13736

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
182⤵
PID:18108

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
179⤵
PID:11684

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
179⤵
PID:14812

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
179⤵
- UAC bypass
PID:14192

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aKAAswIw.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
179⤵
PID:4992

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
180⤵
PID:15312

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
177⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:21336

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
177⤵
PID:21288

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
177⤵
- UAC bypass
PID:7880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZScIockk.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
177⤵
PID:1060

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
178⤵
PID:11760

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
175⤵
PID:21204

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
175⤵
PID:21368

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
175⤵
- UAC bypass
PID:17788

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tCYUEksY.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
175⤵
PID:4632

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
176⤵
PID:21248

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
173⤵
- Modifies visibility of file extensions in Explorer
PID:19720

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
173⤵
- Modifies registry key
PID:19748

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
173⤵
PID:19800

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IKQQUcso.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
173⤵
PID:19832

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
174⤵
PID:20352

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
171⤵
- Modifies visibility of file extensions in Explorer
PID:18392

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
171⤵
PID:13060

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
171⤵
- UAC bypass
PID:18580

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CqwMEwoQ.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
171⤵
PID:2884

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
172⤵
PID:19072

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
169⤵
- Modifies visibility of file extensions in Explorer
PID:10304

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
169⤵
PID:16596

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
169⤵
- UAC bypass
PID:16108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AOoYsgYc.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
169⤵
PID:15052

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
170⤵
PID:18860

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
167⤵
PID:12352

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
167⤵
PID:18824

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
167⤵
- UAC bypass
PID:32176

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sIMQEgEc.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
167⤵
PID:29328

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
168⤵
PID:20948

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
165⤵
- Modifies visibility of file extensions in Explorer
PID:30924

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
165⤵
PID:31128

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
165⤵
- UAC bypass
PID:31192

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PSIEAMAo.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
165⤵
PID:31304

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
166⤵
PID:32804

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
163⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:24604

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
163⤵
PID:8004

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
163⤵
- UAC bypass
- Modifies registry key
PID:24268

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LcQEUgUQ.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
163⤵
PID:11876

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
164⤵
PID:29736

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
161⤵
- Modifies visibility of file extensions in Explorer
PID:26648

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
161⤵
- Modifies registry key
PID:26736

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
161⤵
- UAC bypass
PID:28332

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vqsIQEMs.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
161⤵
PID:24904

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
162⤵
PID:26884

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
159⤵
- Modifies visibility of file extensions in Explorer
PID:15840

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
159⤵
PID:9808

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
159⤵
- UAC bypass
PID:9440

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IuwwEMEE.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
159⤵
PID:17508

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
160⤵
PID:24820

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
157⤵
- Modifies visibility of file extensions in Explorer
PID:26384

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
157⤵
- Modifies registry key
PID:25928

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
157⤵
- UAC bypass
PID:25184

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IiAIossU.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
157⤵
PID:26084

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
158⤵
PID:16024

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
155⤵
- Modifies registry key
PID:5840

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
155⤵
PID:6256

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
155⤵
PID:9576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ooMEQwIE.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
155⤵
PID:5864

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
156⤵
PID:27256

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
153⤵
- Modifies visibility of file extensions in Explorer
PID:12312

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
153⤵
PID:5892

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
153⤵
- UAC bypass
PID:5924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PWosgUgg.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
153⤵
PID:6156

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
154⤵
PID:9496

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
151⤵
- Modifies visibility of file extensions in Explorer
PID:13180

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
151⤵
PID:7220

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
151⤵
- UAC bypass
PID:13148

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rwowwwYI.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
151⤵
PID:7136

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
152⤵
PID:6456

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
149⤵
- Modifies visibility of file extensions in Explorer
PID:30772

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
149⤵
PID:31900

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
149⤵
- UAC bypass
PID:33232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jgsAIIEY.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
149⤵
PID:29192

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
150⤵
PID:17344

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
147⤵
- Modifies visibility of file extensions in Explorer
PID:7040

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
147⤵
PID:7044

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
147⤵
- UAC bypass
PID:952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rIcokgIw.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
147⤵
PID:7100

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
148⤵
PID:17420

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
145⤵
- Modifies visibility of file extensions in Explorer
PID:11392

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
145⤵
PID:5560

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
145⤵
- UAC bypass
PID:5460

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eoEYgYYw.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
145⤵
PID:10956

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
146⤵
PID:6732

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
143⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:11880

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
143⤵
PID:4840

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
143⤵
PID:5132

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\maMIYUEc.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
143⤵
PID:5268

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
144⤵
PID:21608

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
141⤵
PID:5148

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
141⤵
PID:6552

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
141⤵
- UAC bypass
PID:8136

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GMUcwYMQ.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
141⤵
PID:9524

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
142⤵
PID:8388

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
139⤵
- Modifies visibility of file extensions in Explorer
PID:26972

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
139⤵
PID:26260

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
139⤵
- UAC bypass
PID:27560

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nwAgEAwk.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
139⤵
PID:27480

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
140⤵
PID:21384

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
137⤵
- Modifies visibility of file extensions in Explorer
PID:14444

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
137⤵
PID:14436

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
137⤵
- Modifies registry key
PID:14556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HwYsEAUk.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
137⤵
PID:15732

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
138⤵
PID:5940

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
135⤵
- Modifies registry key
PID:25752

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
135⤵
- Modifies registry key
PID:25672

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
135⤵
- UAC bypass
PID:25640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tOgQcQUY.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
135⤵
PID:25536

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
136⤵
PID:13644

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
133⤵
PID:24212

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
133⤵
PID:24496

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
133⤵
PID:24676

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KakcssYE.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
133⤵
PID:26772

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
134⤵
PID:25644

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
131⤵
PID:32820

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
131⤵
- Modifies registry key
PID:5252

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
131⤵
PID:12720

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mAAwAQwA.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
131⤵
PID:33172

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
132⤵
PID:28752

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
129⤵
- Modifies visibility of file extensions in Explorer
PID:13368

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
129⤵
PID:13568

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
129⤵
PID:13852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UiUggcYs.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
129⤵
PID:14088

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
130⤵
PID:30892

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
127⤵
- Modifies visibility of file extensions in Explorer
PID:18056

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
127⤵
PID:15264

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
127⤵
PID:1352

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iAcgoQog.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
127⤵
PID:2208

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
128⤵
PID:28296

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
125⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:31692

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
125⤵
PID:31500

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
125⤵
PID:21500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zQAAMcIY.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
125⤵
PID:31348

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
126⤵
PID:31420

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
123⤵
- Modifies visibility of file extensions in Explorer
PID:33116

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
123⤵
PID:33636

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
123⤵
- UAC bypass
PID:33652

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NMUcIwkQ.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
123⤵
PID:6768

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
124⤵
PID:31788

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
121⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:33288

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
121⤵
PID:33672

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
121⤵
- UAC bypass
- Modifies registry key
PID:7180

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nuUwwUgk.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
121⤵
PID:6708

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
122⤵
PID:32236

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
119⤵
PID:7112

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
119⤵
PID:7900

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
119⤵
- UAC bypass
- Modifies registry key
PID:10152

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AqcAowIU.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
119⤵
PID:6804

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
120⤵
PID:33420

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
117⤵
- Modifies visibility of file extensions in Explorer
PID:33304

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
117⤵
PID:33264

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
117⤵
- UAC bypass
PID:26568

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kUMUskUM.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
117⤵
PID:33312

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
118⤵
PID:33776

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
115⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:6196

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
115⤵
PID:6244

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
115⤵
- UAC bypass
- Modifies registry key
PID:6216

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EuckgYsM.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
115⤵
PID:6044

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
116⤵
PID:2032

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
113⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:32328

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
113⤵
- Modifies registry key
PID:32376

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
113⤵
- UAC bypass
PID:32380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\doMcokMQ.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
113⤵
PID:32404

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
114⤵
PID:12240

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
111⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:31684

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
111⤵
PID:31728

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
111⤵
- UAC bypass
PID:31756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jOUcMIQc.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
111⤵
PID:31800

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
112⤵
PID:32148

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
109⤵
- Modifies visibility of file extensions in Explorer
PID:30680

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
109⤵
PID:30752

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
109⤵
- UAC bypass
PID:30796

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PAAsskYU.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
109⤵
PID:30860

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
110⤵
PID:31176

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
107⤵
PID:27352

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
107⤵
PID:27300

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
107⤵
- UAC bypass
- Modifies registry key
PID:27228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CWgQkwoM.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
107⤵
PID:4304

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
108⤵
PID:30528

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
105⤵
- Modifies visibility of file extensions in Explorer
PID:29552

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
105⤵
PID:29572

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
105⤵
- UAC bypass
PID:29624

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cMgQwIko.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
105⤵
PID:29688

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
106⤵
PID:28748

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
103⤵
- Modifies visibility of file extensions in Explorer
PID:26448

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
103⤵
PID:26416

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
103⤵
- UAC bypass
PID:26400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OaocgcIA.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
103⤵
PID:26160

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
104⤵
PID:29172

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
101⤵
PID:29508

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
101⤵
PID:29560

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
101⤵
- UAC bypass
- Modifies registry key
PID:29600

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TmQsgkkc.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
101⤵
PID:29712

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
102⤵
PID:30304

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
99⤵
- Modifies visibility of file extensions in Explorer
PID:28368

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
99⤵
PID:28384

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
99⤵
- UAC bypass
PID:28432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NQIwoMUU.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
99⤵
PID:28448

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
100⤵
PID:28964

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
97⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:27500

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
97⤵
PID:27540

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
97⤵
- UAC bypass
PID:27564

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iqIoIAEI.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
97⤵
PID:27624

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
98⤵
PID:28204

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
95⤵
PID:26308

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
95⤵
PID:26380

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
95⤵
- UAC bypass
PID:26412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SMcswcsU.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
95⤵
PID:26484

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
96⤵
PID:27188

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
93⤵
PID:25920

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
93⤵
- Modifies registry key
PID:25944

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
93⤵
- UAC bypass
PID:3228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kqEMIksE.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
93⤵
PID:15472

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
94⤵
PID:31216

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
91⤵
- Modifies visibility of file extensions in Explorer
PID:25092

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
91⤵
PID:25124

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
91⤵
- UAC bypass
PID:25100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DOQoMgIY.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
91⤵
PID:25408

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
92⤵
PID:25728

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
89⤵
- Modifies visibility of file extensions in Explorer
PID:23948

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
89⤵
PID:23972

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
89⤵
PID:23984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TwwgoscY.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
89⤵
PID:24032

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
90⤵
PID:24948

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
87⤵
PID:23324

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
87⤵
- Modifies registry key
PID:23336

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
87⤵
PID:23352

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DqMwkocg.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
87⤵
PID:23428

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
88⤵
PID:23660

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
85⤵
PID:22708

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
85⤵
PID:22740

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
85⤵
- Modifies registry key
PID:22748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IWgAYwIQ.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
85⤵
PID:22776

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
86⤵
PID:23092

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
83⤵
PID:22132

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
83⤵
PID:22168

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
83⤵
- UAC bypass
PID:22184

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yEwEEwYo.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
83⤵
PID:22236

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
84⤵
PID:22512

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
81⤵
- Modifies registry key
PID:33020

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
81⤵
PID:33032

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
81⤵
PID:33060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MOsIQMIY.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
81⤵
PID:33100

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
82⤵
PID:29528

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
79⤵
PID:31344

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
79⤵
PID:31480

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
79⤵
- UAC bypass
PID:31496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tcEowUIc.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
79⤵
PID:31584

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
80⤵
PID:32976

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
77⤵
PID:5516

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
77⤵
PID:5724

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
77⤵
PID:5164

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TeokwcYk.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
77⤵
PID:21552

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
78⤵
PID:21904

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
75⤵
- Modifies visibility of file extensions in Explorer
PID:11952

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
75⤵
PID:12028

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
75⤵
- UAC bypass
PID:12380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RmMEAAwk.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
75⤵
PID:8804

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
76⤵
PID:1396

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
73⤵
- Modifies visibility of file extensions in Explorer
PID:5732

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
73⤵
PID:5312

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
73⤵
- UAC bypass
PID:3596

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZIcAwIgw.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
73⤵
PID:7228

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
74⤵
PID:8416

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
71⤵
PID:21404

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
71⤵
PID:1928

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
71⤵
- UAC bypass
PID:10272

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UeckoEsA.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
71⤵
PID:10424

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
72⤵
PID:5192

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
69⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:20232

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
69⤵
PID:20224

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
69⤵
- Modifies registry key
PID:20384

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QWoQkccs.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
69⤵
PID:17856

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
70⤵
PID:21228

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
67⤵
- Modifies visibility of file extensions in Explorer
PID:16704

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
67⤵
- Modifies registry key
PID:17044

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
67⤵
PID:17096

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bowoEgYI.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
67⤵
PID:10312

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
68⤵
PID:18372

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
65⤵
- Modifies visibility of file extensions in Explorer
PID:15796

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
65⤵
PID:15756

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
65⤵
- UAC bypass
PID:15724

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bIoAQEEI.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
65⤵
PID:15992

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
66⤵
PID:16504

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
63⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:14504

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
63⤵
- Modifies registry key
PID:14548

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
63⤵
- UAC bypass
PID:14632

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jKYIggEI.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
63⤵
PID:14680

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
64⤵
PID:15528

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
61⤵
PID:31468

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
61⤵
PID:31412

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
61⤵
PID:31372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QywwEQAk.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
61⤵
PID:30956

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
62⤵
PID:28804

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
59⤵
- Modifies visibility of file extensions in Explorer
PID:9192

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
59⤵
PID:9188

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
59⤵
- UAC bypass
PID:9168

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EWcMwMUw.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
59⤵
PID:9108

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
60⤵
PID:31980

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
57⤵
PID:10104

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
57⤵
- Modifies registry key
PID:10080

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
57⤵
- UAC bypass
PID:10052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xWkwEIUM.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
57⤵
PID:10020

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
58⤵
PID:9600

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
55⤵
- Modifies visibility of file extensions in Explorer
PID:11008

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
55⤵
PID:10932

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
55⤵
PID:5084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NEggwUQY.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
55⤵
PID:14344

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
56⤵
PID:10200

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
53⤵
- Modifies visibility of file extensions in Explorer
PID:14628

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
53⤵
PID:14560

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
53⤵
PID:14140

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xMYQkMIU.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
53⤵
PID:13524

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
54⤵
PID:11524

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
51⤵
PID:16676

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
51⤵
PID:16592

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
51⤵
- UAC bypass
PID:16576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OscAEYYo.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
51⤵
PID:16396

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
52⤵
PID:15280

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
49⤵
- Modifies registry key
PID:18952

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
49⤵
PID:18864

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
49⤵
- UAC bypass
PID:18796

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kKwcQIcw.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
49⤵
PID:18628

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
50⤵
PID:17012

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
47⤵
- Modifies visibility of file extensions in Explorer
PID:17340

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
47⤵
PID:17576

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
47⤵
- UAC bypass
PID:10464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kkkUskEk.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
47⤵
PID:11728

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
48⤵
PID:19624

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
45⤵
- Modifies visibility of file extensions in Explorer
PID:25300

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
45⤵
PID:25328

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
45⤵
PID:25368

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DqokoIgY.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
45⤵
PID:13968

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
46⤵
PID:12680

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
43⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:24292

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
43⤵
- Modifies registry key
PID:24316

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
43⤵
PID:24328

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VGUooUIg.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
43⤵
PID:24364

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
44⤵
PID:25180

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
41⤵
PID:19668

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
41⤵
PID:19740

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
41⤵
- UAC bypass
- Modifies registry key
PID:19732

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nUUogcAI.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
41⤵
PID:19924

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
42⤵
PID:24136

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
39⤵
PID:13464

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
39⤵
PID:13332

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
39⤵
- UAC bypass
PID:13584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CmYgkYUU.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
39⤵
PID:13664

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
40⤵
PID:14096

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
37⤵
PID:10612

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
37⤵
PID:11340

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
37⤵
- UAC bypass
PID:11448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YQcYMAwQ.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
37⤵
PID:10392

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
38⤵
PID:20816

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
35⤵
- Modifies registry key
PID:15400

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
35⤵
PID:24036

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
35⤵
PID:13300

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\umkkkoMg.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
35⤵
PID:24076

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
36⤵
PID:16800

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
33⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:17412

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
33⤵
PID:17504

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
33⤵
- Modifies registry key
PID:17536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HyYcUAMk.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
33⤵
PID:17664

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
34⤵
PID:19320

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
31⤵
- Modifies visibility of file extensions in Explorer
PID:15328

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
31⤵
PID:15404

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
31⤵
- Modifies registry key
PID:15476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lOEIosEg.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
31⤵
PID:15596

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
32⤵
PID:16164

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
29⤵
- Modifies visibility of file extensions in Explorer
PID:11744

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
29⤵
PID:11776

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
29⤵
- UAC bypass
PID:11844

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pKkgookg.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
29⤵
PID:12640

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
30⤵
PID:14864

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
27⤵
- Modifies visibility of file extensions in Explorer
PID:10724

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
27⤵
PID:10748

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
27⤵
- UAC bypass
- Modifies registry key
PID:11628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KoUAsEkg.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
27⤵
PID:14320

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
28⤵
PID:11472

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
25⤵
PID:9828

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
25⤵
PID:9860

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
25⤵
- UAC bypass
PID:9876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gggAocQA.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
25⤵
PID:9900

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
26⤵
PID:10372

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
23⤵
- Modifies visibility of file extensions in Explorer
PID:32512

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
23⤵
- Modifies registry key
PID:8800

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
23⤵
- Modifies registry key
PID:32916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\awsIwAMk.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
23⤵
PID:8952

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
24⤵
PID:9592

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
21⤵
PID:30100

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
21⤵
- Modifies registry key
PID:8280

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
21⤵
- Modifies registry key
PID:30276

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YAMccEwM.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
21⤵
PID:30488

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
22⤵
PID:8736

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
19⤵
- Modifies visibility of file extensions in Explorer
PID:8160

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
19⤵
- Modifies registry key
PID:25136

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
19⤵
- Modifies registry key
PID:8084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VWskgQUY.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
19⤵
PID:24740

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
20⤵
PID:28860

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
17⤵
PID:24408

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
17⤵
PID:24420

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
17⤵
PID:24452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NwAYwEgo.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
17⤵
PID:24540

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
18⤵
PID:27164

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
15⤵
- Modifies visibility of file extensions in Explorer
PID:23784

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
15⤵
- Modifies registry key
PID:23804

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
15⤵
- UAC bypass
PID:23844

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ioIMwcUI.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
15⤵
PID:23908

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
16⤵
PID:7844

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
13⤵
- Modifies visibility of file extensions in Explorer
PID:23040

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
13⤵
- Modifies registry key
PID:23064

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
13⤵
PID:23052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yCwksYII.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
13⤵
PID:23108

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
14⤵
PID:23480

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
11⤵
PID:22456

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
11⤵
- Modifies registry key
PID:22500

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
11⤵
- Modifies registry key
PID:22508

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kyMUQgww.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
11⤵
PID:22532

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
12⤵
PID:22844

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
9⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:21832

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
9⤵
PID:21844

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
9⤵
- UAC bypass
PID:21856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hKQgEMsk.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
9⤵
PID:21892

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
10⤵
PID:22216

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
7⤵
PID:4944

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
7⤵
- Modifies registry key
PID:860

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
7⤵
PID:1608

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dKgQosQc.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
7⤵
PID:532

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
8⤵
PID:21548

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
5⤵
PID:8720

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
5⤵
- Modifies registry key
PID:7304

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
5⤵
- UAC bypass
PID:8876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TikkcEgc.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
5⤵
PID:9300

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
6⤵
PID:6788

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
3⤵
- Modifies visibility of file extensions in Explorer
PID:2012

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
3⤵
PID:1432

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
3⤵
PID:4268

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bwQQEYoo.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
3⤵
PID:4948

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
4⤵
PID:7712

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1796,9053651396274092149,1250168950161107088,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7012 /prefetch:1
2⤵
- Loads dropped DLL
PID:31608

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1796,9053651396274092149,1250168950161107088,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2200 /prefetch:8
2⤵
- Loads dropped DLL
PID:32012

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3848

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1940

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2496

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:14868

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:15496

C:\Windows\System32\DataExchangeHost.exe
C:\Windows\System32\DataExchangeHost.exe -Embedding
1⤵
PID:19068

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Inhibit System Recovery

T1490

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\CopyRemove.dwg.id-CC7F4344.[[email protected]].ncov
Filesize
2.3MB

MD5
5297b47c1f99b84faa0138d624ed7ba7

SHA1
01d904b359564860849f19b395e1d7f0a0eb7641

SHA256
335fa14439d6b9bb0d3211d92fa3cb956a46b4029b274673146a0305d71344f5

SHA512
75079c3cb07b1e43fab4cce3c00f4f1b4d0893f68a46e5d7e3682c4b58b8bfe44444da8f1226be4075d155d261bf8f754ec44d062ce727702530747ae6033dc3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
0c705388d79c00418e5c1751159353e3

SHA1
aaeafebce5483626ef82813d286511c1f353f861

SHA256
697bd270be634688c48210bee7c5111d7897fd71a6af0bbb2141cefd2f8e4a4d

SHA512
c1614e79650ab9822c4e175ba528ea4efadc7a6313204e4e69b4a9bd06327fb92f56fba95f2595885b1604ca8d8f6b282ab542988995c674d89901da2bc4186f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
0d84d1490aa9f725b68407eab8f0030e

SHA1
83964574467b7422e160af34ef024d1821d6d1c3

SHA256
40c09bb0248add089873d1117aadefb46c1b4e23241ba4621f707312de9c829e

SHA512
f84552335ff96b5b4841ec26e222c24af79b6d0271d27ad05a9dfcee254a7b9e9019e7fac0def1245a74754fae81f7126499bf1001615073284052aaa949fa00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\4efc349f-90ce-424e-ba4f-66c736f7287b.tmp
Filesize
6KB

MD5
5d166f44fb7cc3478bd2a5e3c6b1b391

SHA1
35addcb301a02d1ea039271ddaafc3362b352552

SHA256
7979d4a8fc49d91b8c758d581e5566a830d606c3871e929c03d760ff7c938f60

SHA512
50d8c2ce43c9f0ac921def252dc87e3ae2c051cd210a8bc3af679b94ee92d4f6fcc901dbaf09428e7e4744d0849f805753641baaf8b008d3ffcb1977ee924afb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001d
Filesize
132KB

MD5
919034c8efb9678f96b47a20fa6199f2

SHA1
747070c74d0400cffeb28fbea17b64297f14cfbd

SHA256
e036d68b8f8b7afc6c8b6252876e1e290f11a26d4ad18ac6f310662845b2c734

SHA512
745a81c50bbfd62234edb9788c83a22e0588c5d25c00881901923a02d7096c71ef5f0cd5b73f92ad974e5174de064b0c5ea8044509039aab14b2aed83735a7c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000020
Filesize
1.0MB

MD5
055d1462f66a350d9886542d4d79bc2b

SHA1
f1086d2f667d807dbb1aa362a7a809ea119f2565

SHA256
dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0

SHA512
2c5e570226252bdb2104c90d5b75f11493af8ed1be8cb0fd14e3f324311a82138753064731b80ce8e8b120b3fe7009b21a50e9f4583d534080e28ab84b83fee1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
4KB

MD5
81c06815ac8f20ad68ddf6d6778ac054

SHA1
8ccd400a7c613f2cd3ed2acf4e1f7077d8f9fb2c

SHA256
14f14369af5a3af2a3b1c7d003ec71b78fac76e91364aa2a0b9c2f93c40b8d19

SHA512
d726cd3aa3e5942fe7941f4a97c55a66740fcc7da0d6f0a0153303e83fb9686a3371ad4b995c21422e497c6c56226670a8d0afd348dbec39c065c56f2d10aadd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
950B

MD5
603333cb7ce05663599103180926b291

SHA1
a7725c86dfe0fb852cc2b310bca3448ef7c795b8

SHA256
c4f3d7d4e0236ba7aba481fb8391026a9d2b28b95b7035aaccf12917f84529af

SHA512
eceb23725533242c4f83e82d4c8488dad0de45416de85df20b2c128ff913557f9eb541ff05a5312f40145431ea9a6946017d6b5138971b4ce22db091d88e1e55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State~RFe5ab855.TMP
Filesize
950B

MD5
8254bff615091eee572e811c1f727a16

SHA1
7c2fbd5036b687626a8c8f578c986668699e5b89

SHA256
28f54c3ff23767d499948b86ffde62afd0de78565c061cfeacb15808faaa1b16

SHA512
a77bad67aa3063bc61b5c9b222bf9b4fd660ac568752aac466fca847933f831990dce33ba9f74d8360583db2e4056f5026321f7b0067c85020c7c0d65d455329

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
8f77c2d412b750b8dd8d32b6f6da754e

SHA1
4dc2e4b94db1c5b411a9c663a72e2e5093ab386a

SHA256
f7b3bcb53b74a759b2c497339ab6093083c529ca105fa33cd60dcddcf1712874

SHA512
95cc250feb4f47915fd235154ad1e044b07b2e881b200bde3f35e5cac8cd9cd197f3899b6c8967705b0c67463e6519eef82e619e94838f2f0decbb43065a1e5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
aeef6cb8bbf1d6620eeb16cfa373a37a

SHA1
e2545d4ffb03081d4cfbff9d077ddb1493d2c471

SHA256
4c29b4dc570bd0f44ad31e92d33365b06018e2d6a3a7644d9489890dde6111bd

SHA512
b6d5c9dd867e048ae48bc3a8f9823c1b97e7cb467acb5396eabf945cb3a8c346ef7c176b9def40d2822a9183434219a713a798b621ff10ac0ba5d78a87ee30a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
0f9755e0cf2de8f4dd27dd14cab29113

SHA1
3c6070bfc924c6d8ef7490359352b0b545f57fe7

SHA256
74140990f75ae2ae30ef6e261c969594d96f9babcf5c333d39d90cac4c3d0e52

SHA512
34f8f687dcf7e8c3c0a29a203a96acdaedfa11dce0ed07738a1df28f10658db91e66e90168c6dc7fffc43bc5950402daabd64971683f6bf669be63b57949cea1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
80b4eff5dd1e32e2d7985dad3aa73631

SHA1
c13c3158ce27ae3be5be0b32629b6b69870a2db8

SHA256
ff6c8a87c0f655709ccc85ac2f7949d60c48286c4c2b4e3794f1473087b99706

SHA512
8cd07489ba42b46265fb55c631495ad4dae577cc2409a2afda6b8258e7d9bfb232e7544fda32f8308bf13e3192b19075b80749ee74a5aba725e83298ef889602

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
03bd860760e4778667217e2f3fef359c

SHA1
08b25b4bbb122d16e1a3fb3dfeb63f4058c39c4d

SHA256
68bb0edd6e50079ff1b76701da569c15d941b72db6a4ca058ab409fd737a0568

SHA512
91d24b2cefe9850c3608698cf5537f458155ab3b6654a86800f3cdc84b69a54a90704952ce4a283b4817f9e0a4be73866d29b3f1c81970e5d4a73013289d45ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
ee753081faffe8bc06c051179b48d036

SHA1
2d44d87e5d7a9d4418cd1a47634b85fabd770e32

SHA256
533126207fcaa4181c05c0a47663379b3cce7b6481a5c829ac441d48df3104db

SHA512
5a4299c00574538c267a9c49b8f2fa7bdb71f1f1933a35875d8d90cfb718d905cd9ff692dc46eec0969bf28d05f7ede2f2d39376b20890d581fc17ffe84ebeb7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
452c836eb901a869c9260288949fa48d

SHA1
710a8c682bda7e406d3110d95edae53f37b44e25

SHA256
40aefdaf3d1679f4ecef6b4b947be017403bc9b3c1294206ba59545f9776329b

SHA512
2f63bd38acfdb8709d8092255d88826270b192cbb463bc92d74dfb6865f2ff5c133e20d115bd0e848412903800284e2bfa7f5eadd737d39fb3dd62531ac76e4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
9560ac857b1b5161f27f1bbdf675da68

SHA1
b8bedf69347dd41c814a455040e9887a4c23b384

SHA256
f9c8d70b63f8011331b75084345dd6b424d4139b7b7dba4fad021592b0a747dd

SHA512
2175fed0b8cfaf1ba9da2a6d0760fd86bff3b737f03c47653f31f081116481588b10d8c490ae403e0e713b1709ad6addb6309316efb3bcd81792b3ec7cd75f95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
439d79d19435fc18d10519e64fd09b4d

SHA1
b9fbf970fb488ed17379db77f93e5282ef3372c2

SHA256
b0f79ad9d9e25b2c024265d2c4812feca0bcaba4d478a3b5dd04f86512d49661

SHA512
209d64f36f7cd02640f838dd18eb23650c3cf79a7439db66d5df78eae4ae811ff86714e8de9e08b9b0391686270c4f25fa3ff3bf4418f067e3e22938acf1a30f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
7d269ed44b9c08b8ee423f6523705ea8

SHA1
798a9128e1616c54f5205bb69de21301b70c6a7d

SHA256
4a2bd085163d783ff990fde647f3a2280f2815c205e238d85ec5b4d2cdc01c92

SHA512
942eb4150998275fa33b4c0a82a8f9bfb1b37dc89ff563dcd80a57607deeb52d00d23c9c33698c25b434786c30ce3b8c54566f74656a83919de9039739589c79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe586359.TMP
Filesize
871B

MD5
8bb5c05554f374286be3b6cdf6219c11

SHA1
fc070b5c55ee47f1d86abb28be6d9180bea15be6

SHA256
1d203eed1692a97b7b9194c01bfcdb9ad6128c129b0109bce02e6eb0b5adb4a1

SHA512
62061fda6a293776b6e45bf781534448b42f34e5b793fdc2328d05a2f8e57d6c525923271e15199cba767919fe8577b745e5e805885d733fa249924165590d28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5ab8b2.TMP
Filesize
1KB

MD5
8343a9e7f9084999447677c237181ec9

SHA1
302808b5a644abd5b032cbdb46374f706173135b

SHA256
952558b6b0531d8903b2e48c45d98040fb7e8e07901180616cec513968acce34

SHA512
4c42653cf5f67af2422c7dfbd8cc849c1c58f3fc6e81db268cb92f388cfc917e1286e3537b653878942a8872709d5474c299a08aff2e9f6c0d0ed3c54b471eba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\heavy_ad_intervention_opt_out.db
Filesize
16KB

MD5
9a8e0fb6cf4941534771c38bb54a76be

SHA1
92d45ac2cc921f6733e68b454dc171426ec43c1c

SHA256
9ee9211a57c3f6fa211fe0323fa8cd521e7cbffcd8ff0896645a45795dc472be

SHA512
12ed22537dcc79d53f6c7d39e92a38f8fea076d793198928f5b7a5dd1234d50a3c0b4815632f3fadf8bc4ef0499773d22bd83f961d2d0ffd8afacf471bd3a5ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\previews_opt_out.db
Filesize
16KB

MD5
d926f072b41774f50da6b28384e0fed1

SHA1
237dfa5fa72af61f8c38a1e46618a4de59bd6f10

SHA256
4f7b0e525d4bfc53d5df49589e25a0bccf2fcf6a1a0ca3f94d3285bb9cf0a249

SHA512
a140df6ec0d3099ef374e8f3ece09bf91bc896ac4a1d251799a521543fe9bdea796ba09fa47932bd54fa939118495078f9258557b32c31d3d4011b0666a4723f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\000003.log
Filesize
57B

MD5
e02ad2b85ddb14dc4c143b3299099689

SHA1
5d16705a1225cd31d7eee0c49ffd0ac72137e914

SHA256
1b4e4e0abfd0ef4f58aafaee2821828cc42ec02e9cc57ed34d39d124d7631f0c

SHA512
b9171dfd9d4db0d819975c1f92e29f36b37155fb0234be1c3df17d27b5590c8a57b2336fb17c241c1fa81f4ef581c995816f41969ed6ac2599b1110b71dcaf57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
5b5079268313a2619cc065fcdf66ead1

SHA1
4076b8bc2bc55efec5e7b576a6d672c64ad753bf

SHA256
fc122f7063db58b0a47eb26f8f6592f3b71ad4d54a761f07f4a7c75aaffb7370

SHA512
34608e2145b3eab0514f6f40a5f86ad644d2bc3f65c1f97cd16492f4810234f9b21dbb5613eeb3f6c0182394dd1dafc6cd515037aa8dd4bad6a90742c4da73de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
0405ff044938634b95aff9bbb5dc0b91

SHA1
21a8df8502968835bb89b599c41011ff090ddd66

SHA256
7a0a44e8eb380295e88e42fbbc072fe5eb6784a1fe0ce46202be28a8bc28a34f

SHA512
3f6382ad9c199a5aa776c089a0a7afdfc2c476e31ba7a094131910812ea4dc14b782e3d692fa3313d2f58adfb245bc9ce1de87912866a5c3f5b0a80a6065ae25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
6217d3420b3baca30cee81f40f45cb9c

SHA1
9e23faad9698f91622fbe71938e739dbe912bf6a

SHA256
ff07e1b63a8b3f3c1afecfd9fe58a04420afd375e6a2f8ec2fcd6e05ad76a85b

SHA512
1d23d1c4e1dceec65ec9f666ce99befd8044f1df29ff858d8c1caf66b2887256724215ffd762ebaad4dc33fc866b7506fb6bffacd73975fe56f211f9645a6c4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
f273c92597727437eb49940e7a3106e9

SHA1
b3cdb54fa2c2c9a7e60f5955a78d3b0ba6fcf07a

SHA256
8b6c1f0fd25e80b7bb9f20e66b324ce948508f47b2348875e032829d8a287868

SHA512
9ac1619ba6313066f22197923dcfbb4a9964e863f13f5dced867dd72ba7cde0bfdf23d2a68e8048c87ea06fc6b56890908a18dec2f8c02690cd5e2b86fa90a32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
00909c918466e0ea87dfadf7b51426f2

SHA1
f0dce04a6ff995ef4e4da62b8a522b3611fdc8d2

SHA256
d7117afe1904f1482a2992ca7899b82cb4d1d8cb9d07bec272598e959247814a

SHA512
9a9eb994246a6336dcffb3c7d1308e8cd56fc1bceb0c79d5729f7aa505cd41a2950dc792b7ea07bdd8b853ab95d9340989a08a5c6e07b76567dc13b14f6b2e36

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
8a28e071599cd82e26b0e8eb42103464

SHA1
47f79c7158c7bbfb87c3f87e5d60c19fd2f5a761

SHA256
1f6198d0b5a53fd62baaa0c4343ae20a13e3639db4c5e91354cfb4759c921ca2

SHA512
0e31638f153f0f27b1e060ac330057128aa6130a95dcf640ba1f2eeb2cc858c5dd7c83a608ff8fc6bd82fb2b8604ae19e819f6fed4e6d36666980f0c05b3b860

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
196eb2f8936b7d5eeea98c2189c00c3e

SHA1
4c3fa408f83e8df98c53ffdc8d5f83ffe70f4fd5

SHA256
843e79c24b87176f454ea13c4f85ff5a63f93c9fec97bf7911f48eaebb87d281

SHA512
83a49430c2451175b055f6f1800e77e4f2ad010731da92d575eb8f3db0b6196015ebf9de7d2ca52d87b5f3ad0923a36838c49b63616305a10c90b0d74400fc2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State~RFe5a1eb5.TMP
Filesize
12KB

MD5
e4c2ec322ac35ac4cf7a5cb26d51dd20

SHA1
789de2f6106555960db3d1e97f741cb234f945cc

SHA256
c7fc07e4b6dab1d0e6a3d6e3415136f63be1a238850e4064bc6d666a94fda5a3

SHA512
1cc154f2c7befba73e2c831c36b77090d11b82dea7eecc5c887bfd1aacb252848630377c01dd681dbd31150367d53fdc582a51c16cf2bb8f53e31dcee8201fe7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
Filesize
64KB

MD5
19d78b1eae63fd95e33c36ae0cad7aa8

SHA1
52bbbd1abf5e05fd11b19462a54685e7ccfc2d4b

SHA256
50c2e86388d63a5a5a2052f9866083e8784c3eed266f9b947b4f5772e5fbcf80

SHA512
34d6dd06fc41e2a3bf026cc58e461cf12064eab6969225d118b786aaacfabaac8bd7cbc6c26ad2c985faa04f0a07a4134119d4780c9189ded6db3d0fe9b59454

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML
Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\1088598a-97ef-4b54-809f-c7e7d093aaed.down_data
Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\dKgQosQc.bat
Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log
Filesize
1KB

MD5
a34ba776d9b8cb7188e3fa034a6bd2cb

SHA1
3c924d1d0b93f599689fe3091a58f659801acecc

SHA256
90815af4c80b5bf59a85199b41efd4cbf53e2fddb472eb511716cafd9413a075

SHA512
8c1f1b302d25e5ff0731c8e3fc077b03cd4519f158aa2c5acdceadc5a2637e78a5130783280d2b45cfaffe1d2f993d93e62fba9154a509339fb64597b0e0ff55

Download Submit
C:\Users\Admin\Downloads\AUkM.ico
Filesize
4KB

MD5
9af98ac11e0ef05c4c1b9f50e0764888

SHA1
0b15f3f188a4d2e6daec528802f291805fad3f58

SHA256
c3d81c0590da8903a57fb655949bf75919e678a2ef9e373105737cf2c6819e62

SHA512
35217ccd4c48a4468612dd284b8b235ec6b2b42b3148fa506d982870e397569d27fcd443c82f33b1f7f04c5a45de5bf455351425dae5788774e0654d16c9c7e1

Download Submit
C:\Users\Admin\Downloads\CoronaVirus (1).exe:Zone.Identifier
Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\CryptoWall.exe:Zone.Identifier
Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
C:\Users\Admin\Downloads\Ekku.exe
Filesize
324KB

MD5
b95a67164fdacf5ce6733b20bb2ebefe

SHA1
1c0df4536b945eb805a87458fb7fc36ae9eb3c15

SHA256
350e8f1298c7cc86b57ceb6f52a47817393353f769fc27189e99083a8a9aa744

SHA512
0b112c1d2f75e0ad505b1ebf487c63522815eb73146f41197a621def4237bc77c39d0440565c1b5c30ff6fc82e5e014b7d7a39c33a25e2c3a1f1bba33c55c78e

Download Submit
C:\Users\Admin\Downloads\GUoM.exe
Filesize
329KB

MD5
8ebb036d1fe717ad27f77c5ae57f8128

SHA1
852f13420a0aebafb238481e68941d3626441f7f

SHA256
3fc306cea53ca573a7cb51a5b8f4fbae2e30cc3965eea10bced46d7085649fbe

SHA512
42f05e3a39600b0f9c0c7d22eaa8dc668c1f235e087f142aa7fa16f532c48f402c1a192dc593055a8b4456a9a1152aac5d564bcb54909669563e8a7c6e88f922

Download Submit
C:\Users\Admin\Downloads\OwMM.exe
Filesize
226KB

MD5
743adc2426417e8c4803e44086716acf

SHA1
f9bdda8af343ac1e40f4f0b61372bac72728e4e9

SHA256
013b0c1ba4d00a1e64440050a7d28075d22ff17d844dd4823075d131c2d4e8de

SHA512
d223fcc13dc2df6f45fabc6845b3e1edb31642dcc0c0716926e8e8935fbc917234f30144e970b57186da217c4475cc34e80bddc40f1a9b497d949688e1fc541f

Download Submit
C:\Users\Admin\Downloads\SIIO.exe
Filesize
207KB

MD5
50576aa17e611fae54de8118d61a14dc

SHA1
a41e0aee17617c8101b56378fafe5054880bb58f

SHA256
4480c3cf92df64e09e3ac45e29f8920890d2006c5560db536b51c013085725f0

SHA512
b0ccaa8a363b7006a3de1a3426fea8ef9463a378d4a2604220168f03553c1f93a46b45b5ca4529a6820a81680aa2da7eef10afa9fd065caeee1ec10147964766

Download Submit
C:\Users\Admin\Downloads\SkYm.exe
Filesize
320KB

MD5
bab743bc8ce2d1632cb39040f107ee4e

SHA1
4dad6816b887955917844875287da8e328b2a37f

SHA256
2f0cf28e5d472289b127588b322958b263e7a5863e63e2fedb0c403caca325c0

SHA512
99fa82e29327bed8f16f40836b3be42a317e94c9c30b8e7e1be5f40873014a88565949396a359f68a9ba2ae1a2a22e006e3ff6054df02cdf42059cc08ee4f85d

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 373084.crdownload
Filesize
396KB

MD5
13f4b868603cf0dd6c32702d1bd858c9

SHA1
a595ab75e134f5616679be5f11deefdfaae1de15

SHA256
cae57a60c4d269cd1ca43ef143aedb8bfc4c09a7e4a689544883d05ce89406e7

SHA512
e0d7a81c9cdd15a4ef7c8a9492fffb2c520b28cebc54a139e1bffa5c523cf17dfb9ffe57188cf8843d74479df402306f4f0ce9fc09d87c7cca92aea287e5ff24

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 790646.crdownload
Filesize
194KB

MD5
8803d517ac24b157431d8a462302b400

SHA1
b56afcad22e8cda4d0e2a98808b8e8c5a1059d4e

SHA256
418395efd269bc6534e02c92cb2c568631ada6e54bc55ade4e4a5986605ff786

SHA512
38fdfe0bc873e546b05a8680335526eec61ccc8cf3f37c60eee0bc83ec54570077f1dc1da26142488930eabcc21cb7a33c1b545a194cbfb4c87e430c4b2bfb50

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 790646.crdownload:SmartScreen
Filesize
7B

MD5
4047530ecbc0170039e76fe1657bdb01

SHA1
32db7d5e662ebccdd1d71de285f907e3a1c68ac5

SHA256
82254025d1b98d60044d3aeb7c56eed7c61c07c3e30534d6e05dab9d6c326750

SHA512
8f002af3f4ed2b3dfb4ed8273318d160152da50ee4842c9f5d9915f50a3e643952494699c4258e6af993dc6e1695d0dc3db6d23f4d93c26b0bc6a20f4b4f336e

Download Submit
C:\Users\Admin\Downloads\ViraLock
Filesize
6KB

MD5
76e08b93985d60b82ddb4a313733345c

SHA1
273effbac9e1dc901a3f0ee43122d2bdb383adbf

SHA256
4dc0a8afbf4dbb1a67b9292bb028b7f744f3029b0083c36307b1f84a00692a89

SHA512
4226266b623d502f9b0901355ff388e1fc705e9baff0cbe49a52ef59578e1cc66f5026c030df4c8a8f5000b743523ccf18c533aee269b562d3017d14af014f9d

Download Submit
C:\Users\Admin\Downloads\WIIm.exe
Filesize
211KB

MD5
812f92c4de4f1630b90d8c6baa5019c2

SHA1
85031e912bd921dd388ebadc3158abff200492a2

SHA256
1fe50afb85c4da4ddadc40fce15236129a5a83f34f1ec1f394da0ce8b35abfb7

SHA512
d0015c93453e8c40b7c4c9801b59607840be0b408f71180ac619519d6a3f5036babe86b625286ac3e04f589dbc81765ac23aae36b7b862c133117e540d33d3df

Download Submit
C:\Users\Admin\Downloads\YUkK.exe
Filesize
323KB

MD5
a799d8eadd11cd914ba733f4d586d7a4

SHA1
0452cf2f8aab7b7e227a4bc41941bcd90cd4e250

SHA256
9fdfb61b732531eec2f098795e2941d3015276b68e17c84ac9dc2741440a5d1d

SHA512
a735ecabef5a1060b4bbb9cf240d88bb847dedf770d63713d9c157e1d5121c2e2b219eb7b2e32ef3407487b3a42857a629876f9ac25eac6692b1ac3a7162e125

Download Submit
C:\Users\Admin\Downloads\aoQW.exe
Filesize
232KB

MD5
7e035eff37a40940271305cd0c4466a4

SHA1
06b684dd3c2956a90854e51a4ab17779a7824ae0

SHA256
4aab27887b673b71e7762b6d0e3206db024567af920ab69941c2066cc49c2339

SHA512
f4e9c4649d2754f3fa9c1e1d0d8a277112a97da690d29db5cacda4f4112e92f1150f6b84f5f6516a7fc5f462446170fe36c61a779e90cd6ccc7ee77d41d1bb32

Download Submit
C:\Users\Admin\Downloads\ccAG.exe
Filesize
222KB

MD5
51aa9572c490697c801d1f2d5d4b1b28

SHA1
4ba215ad6c622018d323837bec5e694d134e03a5

SHA256
00d51d8ca1f53019f1c65b0fd170d258116d32c59c7c4bcb14e4e340a8caeb40

SHA512
73236a90c4eb71ebf4d816923afe34bd877795a832655f43e00cba4de9fcb487813ca6ae943ecbb59011d60265d34bd94029a1cacd39031a8aeff52ac7c7b8be

Download Submit
C:\Users\Admin\Downloads\egoa.exe
Filesize
229KB

MD5
0770039a8437769de23fb07daf6ff934

SHA1
1dde9fece758a1167f392d374e68d0094e3d7e09

SHA256
df1dbb86d04e4005aa2def42032ea641cc5d70877737d8c043e2d06075b26a00

SHA512
28a8b43bf5a8cc93cae1b884df8880d9d7b793ad57fd88aa55bfbacbaed4717605223fa6e76dfc1bd2291c557b3eb8724ff5d58f973bf1e3fa752de453747d49

Download Submit
C:\Users\Admin\Downloads\gQMe.exe
Filesize
209KB

MD5
38854e5bfc592fba1fa91500c415241a

SHA1
ac56bad52fc4ca97565fa81b3e6aceeec48b0f2d

SHA256
50d6ece3bf8a86cfff1a3860328eedf2f1b89978cdc787b8d6badc84695ee93b

SHA512
2bd0fa9e431e79d56de7befdb33a99ad84f67cc01594212176649b8524be60273428037d8eebbdef02aa2d09583d47bdae18313ea422a33ba92ec57b808b226b

Download Submit
C:\Users\Admin\Downloads\yEgQ.exe
Filesize
1.2MB

MD5
f89f78ff9873df3c10a80a13cba915a0

SHA1
000a161bb10734b17f4a089f2581d1f8207903a7

SHA256
280dbd18c36505e075824e6d11b24dc322f784565e5d18f0bc0b3022e84ecf88

SHA512
35588c2fa23656ecc237319f31fd908adb10acd114797ae2a6480f822e7ffef8416bb411171ffd1d544f8962b6300b64e2d8beec121a0ad84321f9b95c43449c

Download Submit
C:\Users\Admin\Downloads\yEsa.exe
Filesize
238KB

MD5
f9930d5d841e7869c5cd58a9277a94dd

SHA1
a25ae8ded5545f9e4f18391a5d468c1d0c1de448

SHA256
0ebcab8cc9ecf73cad270355357e6060bdce87934e8fb251a4ddc7c3c5ece12e

SHA512
76a4e7e8fb547d94ce7fa6dcc84bd948f27b1574532a09b59cbffcb96063568440a4feb50a2d16c99f061d12479cd7f19f141f89a3260860d6dcb1e657cb8573

Download Submit
\??\pipe\LOCAL\crashpad_4076_NEOQGTKBMLGFMMUR
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2432-592-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/2432-611-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/2432-4848-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/3188-512-0x0000000000CE0000-0x0000000000D05000-memory.dmp

Filesize
148KB

Download
memory/4988-513-0x0000000000A90000-0x0000000000AB5000-memory.dmp

Filesize
148KB

Download
memory/4988-508-0x0000000000A90000-0x0000000000AB5000-memory.dmp

Filesize
148KB

Download
memory/5172-25805-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5172-25821-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5608-26050-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5608-26061-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/6108-26178-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/6108-26165-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/6132-26186-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/6132-26197-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/8352-26102-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/8352-26110-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/8444-25829-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/8444-25817-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/8836-25932-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/9640-26082-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/9640-26089-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/9776-25940-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/9776-25928-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/10264-26177-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/10264-26187-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/11024-26158-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/11024-26169-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/11140-26067-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/11140-26078-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/11520-25809-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/11520-25793-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/11620-25950-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/13376-26006-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/13792-25959-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/13792-25951-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/13932-26070-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/14492-26120-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/14492-26111-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/14740-25803-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/14904-25987-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/14904-25996-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/15200-25988-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/15200-25979-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/15812-25804-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/15900-26116-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/15900-26129-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/16360-25968-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/16360-25960-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/16808-26125-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/16808-26139-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/18048-26325-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/18412-25978-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/18528-26051-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/19660-26015-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/19660-26007-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/20080-26033-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/20236-26034-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/20236-26042-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/21028-26148-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/21028-26140-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/21496-5654-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/21496-18044-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/21496-17282-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/21636-25837-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/22108-26224-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/22108-26213-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/22124-25847-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/22436-25855-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/22712-26234-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/22976-25881-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/23268-26242-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/23932-26250-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/24108-25882-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/24108-25895-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/24572-26023-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/24804-25914-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/25712-26252-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/25712-26261-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/26744-26278-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/28188-26288-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/28188-26281-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/28412-25897-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/28412-25904-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/28708-26334-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/28708-26327-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/28924-26306-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/28924-26290-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/29168-26344-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/29536-26317-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/29536-26307-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/29960-25923-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/29960-25912-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/31048-26192-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/31048-26207-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/31300-26346-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/31300-26354-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/31712-26353-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/31776-26269-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/32104-26098-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/32104-26090-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/33008-26206-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/33008-26216-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download