troldesh | hxxp://youtube[.]com

Resubmissions

28/01/2025, 02:21

250128-ctdg6avjdm 4

27/01/2025, 21:44

250127-1ly1wswnhx 10

Analysis

max time kernel
306s
max time network
320s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27/01/2025, 21:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://youtube.com

Score

10^/10

troldesh wannacry defense_evasion discovery persistence ransomware spyware stealer trojan upx worm

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\!Please Read Me!.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions! �

Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 47 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

Troldesh family
troldesh
Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
ransomware trojan troldesh

UAC bypass 3 TTPs 47 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Wannacry family
wannacry

Downloads MZ/PE file 5 IoCs

flow	pid	Process
250	4568	IEXPLORE.EXE
143	1736	msedge.exe
143	1736	msedge.exe
143	1736	msedge.exe
143	1736	msedge.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	DigksUsI.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD1617.tmp	WannaCry.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD162D.tmp	WannaCry.exe

Executes dropped EXE 64 IoCs

pid	Process
3048	NoMoreRansom.exe
1532	NoMoreRansom.exe
2548	NoMoreRansom.exe
2004	WannaCry.exe
2216	NoMoreRansom.exe
3620	ViraLock.exe
3124	DigksUsI.exe
3368	lwswgMYQ.exe
3104	ViraLock.exe
4980	ViraLock.exe
3872	ViraLock.exe
3112	!WannaDecryptor!.exe
1996	ViraLock.exe
4980	ViraLock.exe
5204	ViraLock.exe
5692	ViraLock.exe
4040	ViraLock.exe
5484	ViraLock.exe
1480	ViraLock.exe
3876	ViraLock.exe
6092	ViraLock.exe
2228	!WannaDecryptor!.exe
5568	ViraLock.exe
712	ViraLock.exe
2068	ViraLock.exe
2688	ViraLock.exe
5772	ViraLock.exe
5672	ViraLock.exe
6096	ViraLock.exe
2560	ViraLock.exe
5584	ViraLock.exe
5980	!WannaDecryptor!.exe
5440	ViraLock.exe
4132	!WannaDecryptor!.exe
5684	ViraLock.exe
784	ViraLock.exe
4696	ViraLock.exe
5288	ViraLock.exe
5976	ViraLock.exe
4176	ViraLock.exe
5512	!WannaDecryptor!.exe
2892	ViraLock.exe
5528	ViraLock.exe
5124	ViraLock.exe
5868	ViraLock.exe
5240	ViraLock.exe
376	ViraLock.exe
2000	ViraLock.exe
5532	ViraLock.exe
5820	ViraLock.exe
5580	ViraLock.exe
4004	ViraLock.exe
6028	ViraLock.exe
3628	ViraLock.exe
5156	ViraLock.exe
2016	ViraLock.exe
6012	ViraLock.exe
6128	ViraLock.exe
2552	ViraLock.exe
4880	!WannaDecryptor!.exe
3628	!WannaDecryptor!.exe
3324	!WannaDecryptor!.exe
5944	!WannaDecryptor!.exe
5992	!WannaDecryptor!.exe

Loads dropped DLL 7 IoCs

pid	Process
944	setup-stub.exe
944	setup-stub.exe
944	setup-stub.exe
944	setup-stub.exe
944	setup-stub.exe
944	setup-stub.exe
944	setup-stub.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DigksUsI.exe = "C:\\Users\\Admin\\GQQcAAII\\DigksUsI.exe"	DigksUsI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lwswgMYQ.exe = "C:\\ProgramData\\WuoAsEIc\\lwswgMYQ.exe"	lwswgMYQ.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""	NoMoreRansom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\Downloads\\WannaCry.exe\" /r"	WannaCry.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DigksUsI.exe = "C:\\Users\\Admin\\GQQcAAII\\DigksUsI.exe"	ViraLock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lwswgMYQ.exe = "C:\\ProgramData\\WuoAsEIc\\lwswgMYQ.exe"	ViraLock.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
142	raw.githubusercontent.com
143	raw.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp"	!WannaDecryptor!.exe

UPX packed file 27 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3048-891-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3048-895-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3048-894-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1532-893-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1532-897-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3048-898-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3048-901-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2548-924-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1532-925-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2548-929-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1532-933-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1532-965-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1532-999-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1532-1050-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1532-1087-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1532-1099-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2216-1153-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2216-1977-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1532-2014-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1532-2877-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1532-3347-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1532-3505-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1532-3531-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1532-3572-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/files/0x0007000000023f10-4359.dat	upx
behavioral1/memory/5220-4377-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/5220-4453-0x0000000000400000-0x0000000000446000-memory.dmp	upx

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\nsm5B0C.tmp\	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\nsx5AFB.tmp	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\nsx5AFC.tmp	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\nsx5AFB.tmp\	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\nsm5B0C.tmp	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\nsm5B0D.tmp	setup-stub.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5932	944	WerFault.exe	803

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ViraLock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ViraLock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ViraLock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ViraLock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ViraLock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ViraLock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 4 IoCs

defense_evasion

pid	Process
4780	taskkill.exe
2320	taskkill.exe
2412	taskkill.exe
820	taskkill.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\PhishingFilter	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 5bafc709d418db01	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\live.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\DOMStorage\microsoft.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\microsoft.com\Total = "40"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1833307880"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\login.live.com\ = "124"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\TypedURLs	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url1 = "https://login.live.com/"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLsTime\url2 = b9aaae5e0571db01	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url4 = "https://login.aliexpress.com/"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\live.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a7584f131aec644f8beefa44293d03b50000000002000000000010660000000100002000000068a7286c1dc334ed0e3a650f7684f4e7afd605dbe9f004f1955a1319b7da8676000000000e8000000002000020000000025c90d08749b60fba6eb10ddca1414b70b7277c902498a5123c34daa0ea78dc2000000032386006431af77331c7986e50f8968c98ed54c54901da5aa3837540c14725ca4000000023b4d6d848ea99a80f2565b1438d4c3f4dfde0f3984d0f15392d32ffcaefc2245bb8121b151e54320863f6c9d9fdc930806553d00085a1e22ca5b74743e15c72	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLsTime\url1 = b9aaae5e0571db01	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url4 = "https://signin.ebay.com/ws/ebayisapi.dll"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLsTime\url5 = 0000000000000000	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 701d9d6d0571db01	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\RepId\PublicId = "{5A5ED546-B56A-480E-B624-4027011F6728}"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "124"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\microsoft.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\DOMStorage\fpt2.microsoft.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31158533"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a7584f131aec644f8beefa44293d03b500000000020000000000106600000001000020000000ae30c3c9bb4dbc3be73d748bd5e8278c022ac5410a8be2f9e48b770055d3ae60000000000e8000000002000020000000a129c2d2e05a8df54b22120339c030032fc33567dc89885ef61b62ab1ec04f0d2000000077d97cdec44448c0220e636c64d79388f129ef1d84d45ecd8b667a4e409b70ac400000002d3de4f49d50365d77ff7b740088fa32fe428201e1c5152381613eab8bbef1c192ef7162a97d37e493803bfb93e278e3e153bcf69c7e89db376527c349ac5fd4	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url5 = "https://signin.ebay.com/ws/ebayisapi.dll"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90bc8d630571db01	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "40"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{98E558D0-DCF8-11EF-91C3-FA9F886F8D04} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "6"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url5 = "https://twitter.com/"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url2 = "https://login.live.com/"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url3 = "https://www.facebook.com/"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1845407855"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\DOMStorage\login.live.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\login.live.com\ = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLsTime\url1 = d01346630571db01	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\live.com\NumberOfSubdomains = "2"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a7584f131aec644f8beefa44293d03b500000000020000000000106600000001000020000000b1cafa99f06355ddd3b21cb4d15d36579eec9b67dca446fd9cb60f941f39bc9e000000000e8000000002000020000000e68c3a148391ebd6395cd65ae52f7b6346ff8d4fd8c91d85a02f6c1bd13808532000000029f601fbcf90a4f7e51be8111ef60cbbe3a374ab62a102ba60f9128f7ae83efe4000000080c78e33c3dc6a2e990e99b8829fbaa7984ec3910bc50efda2360fdd1638435d0d63a513b5197c58d468bf7c3b54f05e49aece5a107a3399abba3fe2f4c4c02a	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 802f6e6b0571db01	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "6"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url1 = "http://youtube.com/"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url6 = "https://twitter.com/"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31158533"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\RepId	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLsTime\url2 = 0000000000000000	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url3 = "https://login.aliexpress.com/"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\live.com\Total = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\fpt2.microsoft.com\ = "40"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	msedge.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
5072	reg.exe
5928	reg.exe
5940	reg.exe
2952	reg.exe
5608	reg.exe
5996	reg.exe
6008	reg.exe
5248	reg.exe
6036	reg.exe
5764	reg.exe
6136	reg.exe
6008	reg.exe
5816	reg.exe
4868	reg.exe
820	reg.exe
3180	reg.exe
4036	reg.exe
5880	reg.exe
5536	reg.exe
5268	reg.exe
5684	reg.exe
5772	reg.exe
5548	reg.exe
5548	reg.exe
4312	reg.exe
5908	reg.exe
2780	reg.exe
5980	reg.exe
5656	reg.exe
2656	reg.exe
6124	reg.exe
4132	reg.exe
2560	reg.exe
3112	reg.exe
1812	reg.exe
5840	reg.exe
2180	reg.exe
5500	reg.exe
5816	reg.exe
5368	reg.exe
5596	reg.exe
5756	reg.exe
2984	reg.exe
2312	reg.exe
5684	reg.exe
5588	reg.exe
2688	reg.exe
5280	reg.exe
5848	reg.exe
4992	reg.exe
4004	reg.exe
5952	reg.exe
4612	reg.exe
852	reg.exe
5364	reg.exe
5716	reg.exe
1276	reg.exe
5732	reg.exe
2320	reg.exe
5608	reg.exe
2500	reg.exe
6020	reg.exe
5516	reg.exe
5540	reg.exe

NTFS ADS 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 500431.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 888428.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 235815.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 174732.crdownload:SmartScreen	msedge.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
5152	vlc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1736	msedge.exe
1736	msedge.exe
1164	msedge.exe
1164	msedge.exe
1556	identity_helper.exe
1556	identity_helper.exe
4224	msedge.exe
4224	msedge.exe
3048	NoMoreRansom.exe
3048	NoMoreRansom.exe
1532	NoMoreRansom.exe
1532	NoMoreRansom.exe
1532	NoMoreRansom.exe
1532	NoMoreRansom.exe
3048	NoMoreRansom.exe
3048	NoMoreRansom.exe
2548	NoMoreRansom.exe
2548	NoMoreRansom.exe
2548	NoMoreRansom.exe
2548	NoMoreRansom.exe
4424	msedge.exe
4424	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
1000	msedge.exe
1000	msedge.exe
4300	msedge.exe
4300	msedge.exe
3620	ViraLock.exe
3620	ViraLock.exe
3620	ViraLock.exe
3620	ViraLock.exe
2216	NoMoreRansom.exe
2216	NoMoreRansom.exe
2216	NoMoreRansom.exe
2216	NoMoreRansom.exe
3104	ViraLock.exe
3104	ViraLock.exe
3104	ViraLock.exe
3104	ViraLock.exe
4980	ViraLock.exe
4980	ViraLock.exe
4980	ViraLock.exe
4980	ViraLock.exe
3872	ViraLock.exe
3872	ViraLock.exe
3872	ViraLock.exe
3872	ViraLock.exe
1996	ViraLock.exe
1996	ViraLock.exe
1996	ViraLock.exe
1996	ViraLock.exe
4980	ViraLock.exe
4980	ViraLock.exe
4980	ViraLock.exe
4980	ViraLock.exe
5204	ViraLock.exe
5204	ViraLock.exe
5204	ViraLock.exe
5204	ViraLock.exe
5692	ViraLock.exe
5692	ViraLock.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
5152	vlc.exe
3124	DigksUsI.exe
2228	!WannaDecryptor!.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 27 IoCs

pid	Process
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: 33	3584	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3584	AUDIODG.EXE
Token: SeDebugPrivilege	2320	taskkill.exe
Token: SeDebugPrivilege	4780	taskkill.exe
Token: SeDebugPrivilege	2412	taskkill.exe
Token: SeDebugPrivilege	820	taskkill.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe

Suspicious use of SendNotifyMessage 47 IoCs

pid	Process
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
5152	vlc.exe
5152	vlc.exe
5152	vlc.exe
5152	vlc.exe
5152	vlc.exe
5152	vlc.exe
5152	vlc.exe

Suspicious use of SetWindowsHookEx 45 IoCs

pid	Process
3112	!WannaDecryptor!.exe
3112	!WannaDecryptor!.exe
2228	!WannaDecryptor!.exe
2228	!WannaDecryptor!.exe
5980	!WannaDecryptor!.exe
4132	!WannaDecryptor!.exe
5512	!WannaDecryptor!.exe
4880	!WannaDecryptor!.exe
3628	!WannaDecryptor!.exe
3324	!WannaDecryptor!.exe
5944	!WannaDecryptor!.exe
5152	vlc.exe
5992	!WannaDecryptor!.exe
5264	!WannaDecryptor!.exe
1276	!WannaDecryptor!.exe
5760	!WannaDecryptor!.exe
5300	!WannaDecryptor!.exe
5332	!WannaDecryptor!.exe
5832	!WannaDecryptor!.exe
468	!WannaDecryptor!.exe
5364	!WannaDecryptor!.exe
3772	!WannaDecryptor!.exe
2316	!WannaDecryptor!.exe
5368	!WannaDecryptor!.exe
5760	!WannaDecryptor!.exe
1552	!WannaDecryptor!.exe
5460	!WannaDecryptor!.exe
4312	IEXPLORE.EXE
4312	IEXPLORE.EXE
4568	IEXPLORE.EXE
4568	IEXPLORE.EXE
1856	!WannaDecryptor!.exe
4312	IEXPLORE.EXE
3032	!WannaDecryptor!.exe
4312	IEXPLORE.EXE
960	!WannaDecryptor!.exe
4568	IEXPLORE.EXE
4568	IEXPLORE.EXE
5376	!WannaDecryptor!.exe
2452	!WannaDecryptor!.exe
2068	!WannaDecryptor!.exe
5676	!WannaDecryptor!.exe
3712	!WannaDecryptor!.exe
944	setup-stub.exe
944	setup-stub.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1164 wrote to memory of 2128	1164	msedge.exe	84
PID 1164 wrote to memory of 2128	1164	msedge.exe	84
PID 1164 wrote to memory of 4716	1164	msedge.exe	85
PID 1164 wrote to memory of 4716	1164	msedge.exe	85
PID 1164 wrote to memory of 4716	1164	msedge.exe	85
PID 1164 wrote to memory of 4716	1164	msedge.exe	85
PID 1164 wrote to memory of 4716	1164	msedge.exe	85
PID 1164 wrote to memory of 4716	1164	msedge.exe	85
PID 1164 wrote to memory of 4716	1164	msedge.exe	85
PID 1164 wrote to memory of 4716	1164	msedge.exe	85
PID 1164 wrote to memory of 4716	1164	msedge.exe	85
PID 1164 wrote to memory of 4716	1164	msedge.exe	85
PID 1164 wrote to memory of 4716	1164	msedge.exe	85
PID 1164 wrote to memory of 4716	1164	msedge.exe	85
PID 1164 wrote to memory of 4716	1164	msedge.exe	85
PID 1164 wrote to memory of 4716	1164	msedge.exe	85
PID 1164 wrote to memory of 4716	1164	msedge.exe	85
PID 1164 wrote to memory of 4716	1164	msedge.exe	85
PID 1164 wrote to memory of 4716	1164	msedge.exe	85
PID 1164 wrote to memory of 4716	1164	msedge.exe	85
PID 1164 wrote to memory of 4716	1164	msedge.exe	85
PID 1164 wrote to memory of 4716	1164	msedge.exe	85
PID 1164 wrote to memory of 4716	1164	msedge.exe	85
PID 1164 wrote to memory of 4716	1164	msedge.exe	85
PID 1164 wrote to memory of 4716	1164	msedge.exe	85
PID 1164 wrote to memory of 4716	1164	msedge.exe	85
PID 1164 wrote to memory of 4716	1164	msedge.exe	85
PID 1164 wrote to memory of 4716	1164	msedge.exe	85
PID 1164 wrote to memory of 4716	1164	msedge.exe	85
PID 1164 wrote to memory of 4716	1164	msedge.exe	85
PID 1164 wrote to memory of 4716	1164	msedge.exe	85
PID 1164 wrote to memory of 4716	1164	msedge.exe	85
PID 1164 wrote to memory of 4716	1164	msedge.exe	85
PID 1164 wrote to memory of 4716	1164	msedge.exe	85
PID 1164 wrote to memory of 4716	1164	msedge.exe	85
PID 1164 wrote to memory of 4716	1164	msedge.exe	85
PID 1164 wrote to memory of 4716	1164	msedge.exe	85
PID 1164 wrote to memory of 4716	1164	msedge.exe	85
PID 1164 wrote to memory of 4716	1164	msedge.exe	85
PID 1164 wrote to memory of 4716	1164	msedge.exe	85
PID 1164 wrote to memory of 4716	1164	msedge.exe	85
PID 1164 wrote to memory of 4716	1164	msedge.exe	85
PID 1164 wrote to memory of 1736	1164	msedge.exe	86
PID 1164 wrote to memory of 1736	1164	msedge.exe	86
PID 1164 wrote to memory of 3100	1164	msedge.exe	87
PID 1164 wrote to memory of 3100	1164	msedge.exe	87
PID 1164 wrote to memory of 3100	1164	msedge.exe	87
PID 1164 wrote to memory of 3100	1164	msedge.exe	87
PID 1164 wrote to memory of 3100	1164	msedge.exe	87
PID 1164 wrote to memory of 3100	1164	msedge.exe	87
PID 1164 wrote to memory of 3100	1164	msedge.exe	87
PID 1164 wrote to memory of 3100	1164	msedge.exe	87
PID 1164 wrote to memory of 3100	1164	msedge.exe	87
PID 1164 wrote to memory of 3100	1164	msedge.exe	87
PID 1164 wrote to memory of 3100	1164	msedge.exe	87
PID 1164 wrote to memory of 3100	1164	msedge.exe	87
PID 1164 wrote to memory of 3100	1164	msedge.exe	87
PID 1164 wrote to memory of 3100	1164	msedge.exe	87
PID 1164 wrote to memory of 3100	1164	msedge.exe	87
PID 1164 wrote to memory of 3100	1164	msedge.exe	87
PID 1164 wrote to memory of 3100	1164	msedge.exe	87
PID 1164 wrote to memory of 3100	1164	msedge.exe	87
PID 1164 wrote to memory of 3100	1164	msedge.exe	87
PID 1164 wrote to memory of 3100	1164	msedge.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://youtube.com
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8974b46f8,0x7ff8974b4708,0x7ff8974b4718
  2⤵
  PID:2128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,204752033694132083,9539575816915383496,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2056 /prefetch:2
  2⤵
  PID:4716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,204752033694132083,9539575816915383496,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2540 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  - Suspicious behavior: EnumeratesProcesses
  PID:1736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2060,204752033694132083,9539575816915383496,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2876 /prefetch:8
  2⤵
  PID:3100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,204752033694132083,9539575816915383496,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
  2⤵
  PID:2584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,204752033694132083,9539575816915383496,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:3792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,204752033694132083,9539575816915383496,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4692 /prefetch:1
  2⤵
  PID:2004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,204752033694132083,9539575816915383496,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3964 /prefetch:1
  2⤵
  PID:548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,204752033694132083,9539575816915383496,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5048 /prefetch:1
  2⤵
  PID:2224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2060,204752033694132083,9539575816915383496,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5124 /prefetch:8
  2⤵
  PID:876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2060,204752033694132083,9539575816915383496,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5316 /prefetch:8
  2⤵
  PID:2892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,204752033694132083,9539575816915383496,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:1012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,204752033694132083,9539575816915383496,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:4600
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,204752033694132083,9539575816915383496,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5360 /prefetch:8
  2⤵
  PID:2312
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,204752033694132083,9539575816915383496,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5360 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,204752033694132083,9539575816915383496,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3572 /prefetch:1
  2⤵
  PID:2224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,204752033694132083,9539575816915383496,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:3732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,204752033694132083,9539575816915383496,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:1
  2⤵
  PID:220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,204752033694132083,9539575816915383496,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4796 /prefetch:1
  2⤵
  PID:2292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,204752033694132083,9539575816915383496,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5332 /prefetch:1
  2⤵
  PID:4192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,204752033694132083,9539575816915383496,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3528 /prefetch:1
  2⤵
  PID:4028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,204752033694132083,9539575816915383496,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:1
  2⤵
  PID:2288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,204752033694132083,9539575816915383496,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4960 /prefetch:1
  2⤵
  PID:2904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,204752033694132083,9539575816915383496,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5724 /prefetch:1
  2⤵
  PID:3256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,204752033694132083,9539575816915383496,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4932 /prefetch:1
  2⤵
  PID:2232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,204752033694132083,9539575816915383496,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4612 /prefetch:1
  2⤵
  PID:3620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,204752033694132083,9539575816915383496,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5084 /prefetch:1
  2⤵
  PID:1952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,204752033694132083,9539575816915383496,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5320 /prefetch:1
  2⤵
  PID:2344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,204752033694132083,9539575816915383496,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6268 /prefetch:1
  2⤵
  PID:1392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,204752033694132083,9539575816915383496,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5332 /prefetch:1
  2⤵
  PID:4060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2060,204752033694132083,9539575816915383496,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6068 /prefetch:8
  2⤵
  PID:3992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,204752033694132083,9539575816915383496,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6264 /prefetch:1
  2⤵
  PID:3264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2060,204752033694132083,9539575816915383496,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6880 /prefetch:8
  2⤵
  PID:712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2060,204752033694132083,9539575816915383496,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5676 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4224
- C:\Users\Admin\Downloads\NoMoreRansom.exe
  "C:\Users\Admin\Downloads\NoMoreRansom.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  PID:3048
- C:\Users\Admin\Downloads\NoMoreRansom.exe
  "C:\Users\Admin\Downloads\NoMoreRansom.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1532
- C:\Users\Admin\Downloads\NoMoreRansom.exe
  "C:\Users\Admin\Downloads\NoMoreRansom.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,204752033694132083,9539575816915383496,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5932 /prefetch:1
  2⤵
  PID:1276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2060,204752033694132083,9539575816915383496,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7160 /prefetch:8
  2⤵
  PID:2948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,204752033694132083,9539575816915383496,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7156 /prefetch:1
  2⤵
  PID:1856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2060,204752033694132083,9539575816915383496,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6708 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,204752033694132083,9539575816915383496,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3720 /prefetch:1
  2⤵
  PID:3240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2060,204752033694132083,9539575816915383496,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6744 /prefetch:8
  2⤵
  PID:448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,204752033694132083,9539575816915383496,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5568 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,204752033694132083,9539575816915383496,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6664 /prefetch:1
  2⤵
  PID:4960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2060,204752033694132083,9539575816915383496,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7156 /prefetch:8
  2⤵
  PID:1996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2060,204752033694132083,9539575816915383496,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6560 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2060,204752033694132083,9539575816915383496,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1928 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4300

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:352

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4052

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x500 0x4f4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3584

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4868

C:\Users\Admin\Downloads\WannaCry.exe
"C:\Users\Admin\Downloads\WannaCry.exe"
1⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
PID:2004
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 138571738014459.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:428
- - C:\Windows\SysWOW64\cscript.exe
    cscript //nologo c.vbs
    3⤵
    PID:2608
- C:\Users\Admin\Downloads\!WannaDecryptor!.exe
  !WannaDecryptor!.exe f
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3112
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im MSExchange*
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4780
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im Microsoft.Exchange.*
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2320
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1996
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im sqlserver.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2412
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im sqlwriter.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:820
- C:\Users\Admin\Downloads\!WannaDecryptor!.exe
  !WannaDecryptor!.exe c
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5980
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c start /b !WannaDecryptor!.exe v
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3088
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe v
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4132
- C:\Users\Admin\Downloads\!WannaDecryptor!.exe
  !WannaDecryptor!.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5512
- C:\Users\Admin\Downloads\!WannaDecryptor!.exe
  !WannaDecryptor!.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4880
- C:\Users\Admin\Downloads\!WannaDecryptor!.exe
  !WannaDecryptor!.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3628
- C:\Users\Admin\Downloads\!WannaDecryptor!.exe
  !WannaDecryptor!.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3324
- C:\Users\Admin\Downloads\!WannaDecryptor!.exe
  !WannaDecryptor!.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5944
- C:\Users\Admin\Downloads\!WannaDecryptor!.exe
  !WannaDecryptor!.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5992
- C:\Users\Admin\Downloads\!WannaDecryptor!.exe
  !WannaDecryptor!.exe
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:5264
- C:\Users\Admin\Downloads\!WannaDecryptor!.exe
  !WannaDecryptor!.exe
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1276
- C:\Users\Admin\Downloads\!WannaDecryptor!.exe
  !WannaDecryptor!.exe
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:5760
- C:\Users\Admin\Downloads\!WannaDecryptor!.exe
  !WannaDecryptor!.exe
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:5300
- C:\Users\Admin\Downloads\!WannaDecryptor!.exe
  !WannaDecryptor!.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5332
- C:\Users\Admin\Downloads\!WannaDecryptor!.exe
  !WannaDecryptor!.exe
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:5832
- C:\Users\Admin\Downloads\!WannaDecryptor!.exe
  !WannaDecryptor!.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:468
- C:\Users\Admin\Downloads\!WannaDecryptor!.exe
  !WannaDecryptor!.exe
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:5364
- C:\Users\Admin\Downloads\!WannaDecryptor!.exe
  !WannaDecryptor!.exe
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:3772
- C:\Users\Admin\Downloads\!WannaDecryptor!.exe
  !WannaDecryptor!.exe
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2316
- C:\Users\Admin\Downloads\!WannaDecryptor!.exe
  !WannaDecryptor!.exe
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:5368
- C:\Users\Admin\Downloads\!WannaDecryptor!.exe
  !WannaDecryptor!.exe
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:5760
- C:\Users\Admin\Downloads\!WannaDecryptor!.exe
  !WannaDecryptor!.exe
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1552
- C:\Users\Admin\Downloads\!WannaDecryptor!.exe
  !WannaDecryptor!.exe
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:5460
- C:\Users\Admin\Downloads\!WannaDecryptor!.exe
  !WannaDecryptor!.exe
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1856
- C:\Users\Admin\Downloads\!WannaDecryptor!.exe
  !WannaDecryptor!.exe
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:3032
- C:\Users\Admin\Downloads\!WannaDecryptor!.exe
  !WannaDecryptor!.exe
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:960
- C:\Users\Admin\Downloads\!WannaDecryptor!.exe
  !WannaDecryptor!.exe
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:5376
- C:\Users\Admin\Downloads\!WannaDecryptor!.exe
  !WannaDecryptor!.exe
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2452
- C:\Users\Admin\Downloads\!WannaDecryptor!.exe
  !WannaDecryptor!.exe
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2068
- C:\Users\Admin\Downloads\!WannaDecryptor!.exe
  !WannaDecryptor!.exe
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:5676
- C:\Users\Admin\Downloads\!WannaDecryptor!.exe
  !WannaDecryptor!.exe
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:3712
- C:\Users\Admin\Downloads\!WannaDecryptor!.exe
  !WannaDecryptor!.exe
  2⤵
  PID:5188
- C:\Users\Admin\Downloads\!WannaDecryptor!.exe
  !WannaDecryptor!.exe
  2⤵
  PID:3824
- C:\Users\Admin\Downloads\!WannaDecryptor!.exe
  !WannaDecryptor!.exe
  2⤵
  PID:3256
- C:\Users\Admin\Downloads\!WannaDecryptor!.exe
  !WannaDecryptor!.exe
  2⤵
  PID:1368

C:\Users\Admin\Downloads\NoMoreRansom.exe
"C:\Users\Admin\Downloads\NoMoreRansom.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2216

C:\Users\Admin\Downloads\ViraLock.exe
"C:\Users\Admin\Downloads\ViraLock.exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:3620
- C:\Users\Admin\GQQcAAII\DigksUsI.exe
  "C:\Users\Admin\GQQcAAII\DigksUsI.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: GetForegroundWindowSpam
  PID:3124
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe "C:\Users\Admin\My Documents\myfile"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5648
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe" about:blank
    3⤵
    PID:1084
  - - C:\Program Files\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files\Internet Explorer\IEXPLORE.EXE" about:blank
      4⤵
      Modifies Internet Explorer Phishing Filter
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:4312
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4312 CREDAT:17410 /prefetch:2
        5⤵
        Downloads MZ/PE file
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:4568
    - - C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\XH3Z2ZON\Firefox Installer.exe
        
        "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\XH3Z2ZON\Firefox Installer.exe"
        5⤵
        
        PID:5220
      - C:\Users\Admin\AppData\Local\Temp\7zS464E331C\setup-stub.exe
        
        .\setup-stub.exe
        6⤵
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:944
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 944 -s 2188
        7⤵
        Program crash
        
        PID:5932
- C:\ProgramData\WuoAsEIc\lwswgMYQ.exe
  "C:\ProgramData\WuoAsEIc\lwswgMYQ.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3368
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
  2⤵
  PID:3292
- - C:\Users\Admin\Downloads\ViraLock.exe
    C:\Users\Admin\Downloads\ViraLock
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3104
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
      4⤵
      PID:1996
    - - C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:4980
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        6⤵
        
        PID:468
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        8⤵
        
        PID:3172
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        9⤵
        
        PID:3428
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        10⤵
        
        PID:2020
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:4980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        12⤵
        
        PID:376
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        13⤵
        
        PID:3528
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:5204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        14⤵
        
        PID:5548
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:5692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        16⤵
        
        PID:6076
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        17⤵
        Executes dropped EXE
        
        PID:4040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:5540
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        19⤵
        Executes dropped EXE
        
        PID:5484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        20⤵
        
        PID:5404
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        21⤵
        Executes dropped EXE
        
        PID:1480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        22⤵
        
        PID:5456
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        23⤵
        Executes dropped EXE
        
        PID:3876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        24⤵
        
        PID:2020
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        25⤵
        Executes dropped EXE
        
        PID:6092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        26⤵
        
        PID:3736
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        27⤵
        Executes dropped EXE
        
        PID:5568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        28⤵
        
        PID:6140
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        29⤵
        Executes dropped EXE
        
        PID:712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        30⤵
        
        PID:180
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        31⤵
        Executes dropped EXE
        
        PID:2068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        32⤵
        
        PID:5528
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        33⤵
        Executes dropped EXE
        
        PID:2688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        34⤵
        System Location Discovery: System Language Discovery
        
        PID:5828
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        35⤵
        Executes dropped EXE
        
        PID:5772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        36⤵
        System Location Discovery: System Language Discovery
        
        PID:428
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        37⤵
        Executes dropped EXE
        
        PID:5672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        38⤵
        
        PID:5548
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        39⤵
        Executes dropped EXE
        
        PID:6096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        40⤵
        
        PID:2000
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        41⤵
        Executes dropped EXE
        
        PID:2560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        42⤵
        
        PID:5248
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        44⤵
        
        PID:448
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        45⤵
        Executes dropped EXE
        
        PID:5440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        46⤵
        
        PID:5244
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        47⤵
        Executes dropped EXE
        
        PID:5684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        48⤵
        System Location Discovery: System Language Discovery
        
        PID:5540
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        49⤵
        Executes dropped EXE
        
        PID:784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        50⤵
        
        PID:2412
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        51⤵
        Executes dropped EXE
        
        PID:4696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        52⤵
        System Location Discovery: System Language Discovery
        
        PID:5664
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        53⤵
        Executes dropped EXE
        
        PID:5288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        54⤵
        
        PID:4868
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        55⤵
        Executes dropped EXE
        
        PID:5976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        56⤵
        System Location Discovery: System Language Discovery
        
        PID:748
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        57⤵
        Executes dropped EXE
        
        PID:4176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        58⤵
        
        PID:800
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        60⤵
        
        PID:2704
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        61⤵
        
        PID:5732
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        61⤵
        Executes dropped EXE
        
        PID:5528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        62⤵
        
        PID:3232
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        63⤵
        Executes dropped EXE
        
        PID:5124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        64⤵
        
        PID:4880
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        65⤵
        Executes dropped EXE
        
        PID:5868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        66⤵
        
        PID:6072
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        67⤵
        Executes dropped EXE
        
        PID:5240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:2024
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        69⤵
        Executes dropped EXE
        
        PID:376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:2688
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        71⤵
        
        PID:800
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        71⤵
        Executes dropped EXE
        
        PID:2000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:5348
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        73⤵
        Executes dropped EXE
        
        PID:5532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        74⤵
        
        PID:5124
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        75⤵
        Executes dropped EXE
        
        PID:5820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        76⤵
        
        PID:2548
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        77⤵
        Executes dropped EXE
        
        PID:5580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        78⤵
        
        PID:2092
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        79⤵
        
        PID:6068
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        79⤵
        Executes dropped EXE
        
        PID:4004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        80⤵
        System Location Discovery: System Language Discovery
        
        PID:2412
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        81⤵
        Executes dropped EXE
        
        PID:6028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        82⤵
        
        PID:6060
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        83⤵
        Executes dropped EXE
        
        PID:3628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        84⤵
        System Location Discovery: System Language Discovery
        
        PID:1000
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        85⤵
        Executes dropped EXE
        
        PID:5156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        86⤵
        
        PID:5876
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        87⤵
        Executes dropped EXE
        
        PID:2016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        88⤵
        
        PID:5044
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        89⤵
        Executes dropped EXE
        
        PID:6012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        90⤵
        
        PID:3172
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        91⤵
        
        PID:5168
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        91⤵
        Executes dropped EXE
        
        PID:6128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        92⤵
        
        PID:5532
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        93⤵
        Executes dropped EXE
        
        PID:2552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        94⤵
        
        PID:1876
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        95⤵
        
        PID:5476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5796
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        95⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:5804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        UAC bypass
        
        PID:5340
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        95⤵
        
        PID:5228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSAMccwA.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        94⤵
        
        PID:5668
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        95⤵
        
        PID:5952
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:4456
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        93⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        UAC bypass
        
        PID:5716
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        93⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KOcYkkAY.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        92⤵
        
        PID:4696
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        93⤵
        
        PID:820
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        System Location Discovery: System Language Discovery
        
        PID:5472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:5908
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        91⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        UAC bypass
        
        PID:5132
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        91⤵
        
        PID:5368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oYgcAkwY.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        90⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        System Location Discovery: System Language Discovery
        
        PID:5496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        Modifies registry key
        
        PID:4612
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        89⤵
        
        PID:180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:2548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eYYkcUUU.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        88⤵
        
        PID:5868
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:5852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:5680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EksQckAQ.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        86⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        Modifies visibility of file extensions in Explorer
        
        PID:6124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        Modifies registry key
        
        PID:5268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        UAC bypass
        
        PID:3680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xycQwoYA.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        84⤵
        
        PID:5840
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        85⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:5752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:4688
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        83⤵
        
        PID:5232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        UAC bypass
        
        PID:5584
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        83⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tCsUMYQw.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        82⤵
        
        PID:4456
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        83⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5500
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        81⤵
        
        PID:852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        Modifies registry key
        
        PID:2560
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        81⤵
        
        PID:5524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        UAC bypass
        
        PID:5132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pAAwowgM.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        80⤵
        System Location Discovery: System Language Discovery
        
        PID:6080
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        81⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:5368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        Modifies visibility of file extensions in Explorer
        
        PID:6096
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        79⤵
        
        PID:5704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:4992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        UAC bypass
        
        PID:5952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LiYYEowk.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        78⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:6056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:5740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:5756
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        77⤵
        
        PID:6140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eoIccQwE.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        76⤵
        
        PID:4768
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        77⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        System Location Discovery: System Language Discovery
        
        PID:5304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        UAC bypass
        Modifies registry key
        
        PID:4312
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        75⤵
        
        PID:5568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cWwsIUcA.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        74⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:5252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:5716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2500
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        73⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oeUcYsQE.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        72⤵
        
        PID:5928
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:6008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        Modifies registry key
        
        PID:2952
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        71⤵
        
        PID:5608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:5500
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        71⤵
        
        PID:5536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FagMkwkw.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        70⤵
        
        PID:5848
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        71⤵
        
        PID:5368
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:5884
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        69⤵
        
        PID:5548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        UAC bypass
        Modifies registry key
        
        PID:5540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LqwgAsAI.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        68⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:5684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:4340
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        67⤵
        
        PID:6136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        UAC bypass
        Modifies registry key
        
        PID:2984
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        67⤵
        
        PID:5364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TQsEogQg.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        66⤵
        
        PID:5168
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:3260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:5816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:5480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:5320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\geogscMY.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        64⤵
        
        PID:5268
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        65⤵
        
        PID:5672
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        System Location Discovery: System Language Discovery
        
        PID:820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:6124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        Modifies registry key
        
        PID:5716
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        63⤵
        
        PID:5260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        UAC bypass
        Modifies registry key
        
        PID:4132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eMkEAwEs.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        62⤵
        
        PID:5708
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:5812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:5608
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        61⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        Modifies registry key
        
        PID:6008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        UAC bypass
        Modifies registry key
        
        PID:5536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iCEEsQAU.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        60⤵
        
        PID:5308
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        61⤵
        
        PID:5404
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:5524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:5548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:4028
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        59⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        UAC bypass
        Modifies registry key
        
        PID:2180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\umoMUkgA.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        58⤵
        
        PID:5632
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        59⤵
        
        PID:6020
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:5364
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        57⤵
        
        PID:5896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:5564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        UAC bypass
        Modifies registry key
        
        PID:6136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DsYYMAUE.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        56⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        System Location Discovery: System Language Discovery
        
        PID:5576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:6004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:5516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jiUQwMkI.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        54⤵
        
        PID:3736
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:5848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:4036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        Modifies registry key
        
        PID:5880
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        53⤵
        
        PID:6092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tAcYwgMU.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        52⤵
        
        PID:5232
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:6036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:5764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wKIIAsIo.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        50⤵
        
        PID:3412
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        System Location Discovery: System Language Discovery
        
        PID:4328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:5804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        UAC bypass
        
        PID:5296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ACwgswsg.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        48⤵
        System Location Discovery: System Language Discovery
        
        PID:6032
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        System Location Discovery: System Language Discovery
        
        PID:4352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        Modifies registry key
        
        PID:5940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        UAC bypass
        Modifies registry key
        
        PID:5280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WUcogEMI.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        46⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:5144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:5596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        Modifies registry key
        
        PID:6036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        
        PID:5260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PwEYQQEc.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        44⤵
        System Location Discovery: System Language Discovery
        
        PID:5812
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:5568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:5472
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        43⤵
        
        PID:5456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        UAC bypass
        
        PID:5536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bqQwAIgs.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        42⤵
        
        PID:5928
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:5228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies visibility of file extensions in Explorer
        
        PID:6140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        Modifies registry key
        
        PID:5996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        
        PID:784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aAUwUYgo.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        40⤵
        System Location Discovery: System Language Discovery
        
        PID:6064
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:5656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:2660
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        39⤵
        
        PID:712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        Modifies registry key
        
        PID:5952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QCAgsAQg.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        38⤵
        System Location Discovery: System Language Discovery
        
        PID:5400
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:5696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        UAC bypass
        Modifies registry key
        
        PID:2320
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        37⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VQwgswsA.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        36⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        System Location Discovery: System Language Discovery
        
        PID:5476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1996
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        35⤵
        
        PID:448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        System Location Discovery: System Language Discovery
        
        PID:884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        Modifies registry key
        
        PID:5980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oUkggMAE.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        34⤵
        System Location Discovery: System Language Discovery
        
        PID:6068
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:4560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        Modifies registry key
        
        PID:5840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        Modifies registry key
        
        PID:5928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cmUEcsoA.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        32⤵
        
        PID:5572
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:5732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        Modifies registry key
        
        PID:2780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        
        PID:2892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZkYcQoYs.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        30⤵
        
        PID:5524
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        31⤵
        
        PID:5588
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:5576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        Modifies registry key
        
        PID:5548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ACwosQko.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        28⤵
        
        PID:5296
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        System Location Discovery: System Language Discovery
        
        PID:4400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:5532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        
        PID:964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JkQEUYcw.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        26⤵
        
        PID:5896
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:5704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        Modifies registry key
        
        PID:5608
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        25⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\akAgwoQs.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        24⤵
        
        PID:5240
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:5740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:2064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:6056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        Modifies registry key
        
        PID:6020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aGwcoQIc.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        22⤵
        
        PID:5796
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        Modifies registry key
        
        PID:5772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        Modifies registry key
        
        PID:5684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZoUMgAkM.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        20⤵
        
        PID:5732
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:5588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        Modifies registry key
        
        PID:5368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:5248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ICgIwgcg.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        18⤵
        
        PID:5612
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:5320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        
        PID:6128
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        17⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:6136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        
        PID:1560
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        17⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mWckwkgo.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        16⤵
        
        PID:3180
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:5780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:5796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        Modifies registry key
        
        PID:5816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FWEQkwIQ.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        14⤵
        
        PID:5832
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:4540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        Modifies registry key
        
        PID:3180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sYUggUUk.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        12⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:5240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4004
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        11⤵
        
        PID:852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LGkIwccg.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        10⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:3056
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        9⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        
        PID:1108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hIwEIQso.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        8⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:2228
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1276
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        Modifies registry key
        
        PID:852
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        
        PID:3504
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XCsogMAg.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        6⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:2016
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:3528
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:3112
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      Modifies registry key
      PID:5072
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gmUIUIwo.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
      4⤵
      PID:3428
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:3152
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:1768
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:820
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:4868
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UggkEEgU.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
  2⤵
  PID:3116
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2064

C:\Users\Admin\Downloads\!WannaDecryptor!.exe
"C:\Users\Admin\Downloads\!WannaDecryptor!.exe"
1⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2228

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\CheckpointConnect.TS"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:5152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 944 -ip 944
1⤵
PID:680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe

Filesize
330KB

MD5
226c2e04a277770e10e87b7f6f3dcd20

SHA1
4b784c3e778b9dc0857ba7fc4194d9f74eeafc5c

SHA256
6d9ecc82dffab015a31208be9b29747793a5f7c225613ac62cdf97990e7fdfb1

SHA512
8db2b7a2786e4c74107ddb1504b10538c5a4ddb5161e573056590d108e81829aa044d35cc2e9580eff5281c9322031eba7b43dec7f8d214e655b7e03109e1ea2

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe

Filesize
234KB

MD5
d98e85586985a758701ff874cf4a4228

SHA1
6ac4d60c3b71be338133ebdc3c00b038fca310b4

SHA256
d2a0e9bb5814ccc9cc5c5e82b4d617d6613abb42d1efc24aa911013b2c05f2a2

SHA512
f6eaa357c649e4f0f8f4112bd50fae02cb9b5e4ab94a3eeb8fd21d2de07fa391b5b73e71adf6f44daae6d5e7ac0b736126aed7a8ea1fe4baea811c3baf0307c2

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe

Filesize
323KB

MD5
3223fa85540feb2eb66609f53bb5dbfc

SHA1
b9622febfd93a594d7e54b271d5d014e258cab12

SHA256
61d85b6c2d249a7e4390ca2d1b6454b6abb15a99934ac87b7e517ec2552a485f

SHA512
47feb30db1e42052553ad42b31e0fcd67e34b1fc8206ae03fe750288c30a799e4890b98278b0fdf58757bbf1b359ca3a5c76321ff61da61e51abcec49a434a9a

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe

Filesize
227KB

MD5
9e4b8c74c85112473a315a7c23188694

SHA1
beb26cc06b4773eed8151c0d9270bf71830aa4a5

SHA256
aa14fdfac3b4cc392755a96bef8588bd844dcbc04ea67d288aea96193b64ba45

SHA512
342bb422d9e259234560d7452c9c7410eded00082399705de3422a42631d65832f79afdd7ea9307cb028fe41425961c5cb8cf25dc487c67285cf690b6d120b3e

Download Submit
C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe

Filesize
823KB

MD5
e797e7297eb47b394d65fcf0d9ad3ed6

SHA1
5eaf10c58219ec9f2edc15b8c89b5e689c7f7eb0

SHA256
fd97e0df14cc04018090d392f93f7945c25a9e8c1eb81af186ed3ab7a4010524

SHA512
edb59c24c43d647cd668a13e9d5d2bccc6e835da87b030855e8edceaeb5e6ad0dec1b6f778144b518fb3fe88f637e746d7def5cbbfa1876d95af2e252778daba

Download Submit
C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe

Filesize
644KB

MD5
4cc2dd9e92f65d60520b790c7ff88314

SHA1
c9d9e3690d7090028e26b8bb655a27779bf17f87

SHA256
45772bdf3855bad32e2fde6e18674b95812dfa238631de1544c1a46c55d72c19

SHA512
91af1386aae3b07ea4ce87df69c3344512678ff52fc63c36b22c3b11d18dab4f67ef554ed4fce244c554681ac69ad08367f36cfcfea6292af8bebadb157ae989

Download Submit
C:\ProgramData\WuoAsEIc\lwswgMYQ.exe

Filesize
186KB

MD5
029b7aa3ced4df382f333a775941c727

SHA1
d0041f8666b672b67f4dc306ea61919a3e6074cf

SHA256
458672aebe67e90f58ce31e9adfc226168ddb7d94df17d902965e352eba55c3e

SHA512
9ce7fb7cc6b852592940589ff48878346a87d3622081c4d2a196c6c8b03b87c338d6d9af2ea460b425dec11956cff0278aede55b7ec63460461332d2ac05e867

Download Submit
C:\Recovery\WindowsRE\!WannaDecryptor!.exe.lnk

Filesize
590B

MD5
0ff7485b8e4c0250ac692852d3b86c20

SHA1
4ce6a17e2aba959f69c796d619b7cfc8b6c9d943

SHA256
83672aa4251199e2c22952e5aa0d6a9c5028e191597622c6126081a8ed9810c4

SHA512
8d6c1fee849ee5645c969f5f649d74dc600831119ef32525c1c17db4455a412b0220d310f83007f886d5f11a5ed6f36d1ea05a0d0b164c9d97a091016424dbc8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e55832d7cd7e868a2c087c4c73678018

SHA1
ed7a2f6d6437e907218ffba9128802eaf414a0eb

SHA256
a4d7777b980ec53de3a70aca8fb25b77e9b53187e7d2f0fa1a729ee9a35da574

SHA512
897fdebf1a9269a1bf1e3a791f6ee9ab7c24c9d75eeff65ac9599764e1c8585784e1837ba5321d90af0b004af121b2206081a6fb1b1ad571a0051ee33d3f5c5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c2d9eeb3fdd75834f0ac3f9767de8d6f

SHA1
4d16a7e82190f8490a00008bd53d85fb92e379b0

SHA256
1e5efb5f1d78a4cc269cb116307e9d767fc5ad8a18e6cf95c81c61d7b1da5c66

SHA512
d92f995f9e096ecc0a7b8b4aca336aeef0e7b919fe7fe008169f0b87da84d018971ba5728141557d42a0fc562a25191bd85e0d7354c401b09e8b62cdc44b6dcd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\224b644d-ebf3-4e8f-ba46-47fc7d2dfe58.tmp

Filesize
2KB

MD5
eef7945e259cb83d230355ae2162fc05

SHA1
b6cf001c69beba44e3d32b0dacde7e2777d21e4a

SHA256
f146a7a82ebcb3cb8557cbea8fb30658cdc80dbc26cc69566bffb9a825c6b6df

SHA512
d7f00dca0d019eb4adfe715d5dded6e82dba9ada8cd4bb99af4f302e62cdde2c0a1c0ee985fc8e7e4e774fab47c7221df022d492607a0ccfb2b9b3153ca7c595

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\4f0a12ea-79d4-4e49-8b9c-4afe7e2bba42.tmp

Filesize
2KB

MD5
0bff38b5cc7259b50ca47a03e0488448

SHA1
a8e9f7534182bc930c694f1fa246746988b00b01

SHA256
cbffaf69f4ec162fd0e3a2f42199eff348ed6d3d348b306decc697ae882fbb2a

SHA512
73cb970edc283eefa101b58be6c6ae90afa1ac832ddb3b99318a3729632d748907c93c336b2f12ba35c16dc1ae48b27844ce39d73c5b5b45ea1f4d3c8c2a092a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000c

Filesize
62KB

MD5
c813a1b87f1651d642cdcad5fca7a7d8

SHA1
0e6628997674a7dfbeb321b59a6e829d0c2f4478

SHA256
df670e09f278fea1d0684afdcd0392a83d7041585ba5996f7b527974d7d98ec3

SHA512
af0d024ba1faafbd6f950c67977ed126827180a47cea9758ee51a95d13436f753eb5a7aa12a9090048a70328f6e779634c612aebde89b06740ffd770751e1c5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000d

Filesize
67KB

MD5
69df804d05f8b29a88278b7d582dd279

SHA1
d9560905612cf656d5dd0e741172fb4cd9c60688

SHA256
b885987a52236f56ce7a5ca18b18533e64f62ab64eb14050ede93c93b5bd5608

SHA512
0ef49eeeeb463da832f7d5b11f6418baa65963de62c00e71d847183e0035be03e63c097103d30329582fe806d246e3c0e3ecab8b2498799abbb21d8b7febdc0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000e

Filesize
19KB

MD5
1bd4ae71ef8e69ad4b5ffd8dc7d2dcb5

SHA1
6dd8803e59949c985d6a9df2f26c833041a5178c

SHA256
af18b3681e8e2a1e8dc34c2aa60530dc8d8a9258c4d562cbe20c898d5de98725

SHA512
b3ff083b669aca75549396250e05344ba2f1c021468589f2bd6f1b977b7f11df00f958bbbd22f07708b5d30d0260f39d8de57e75382b3ab8e78a2c41ef428863

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000f

Filesize
63KB

MD5
226541550a51911c375216f718493f65

SHA1
f6e608468401f9384cabdef45ca19e2afacc84bd

SHA256
caecff4179910ce0ff470f9fa9eb4349e8fb717fa1432cf19987450a4e1ef4a5

SHA512
2947b309f15e0e321beb9506861883fde8391c6f6140178c7e6ee7750d6418266360c335477cae0b067a6a6d86935ec5f7acdfdacc9edffa8b04ec71be210516

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000012

Filesize
20KB

MD5
edff034579e7216cec4f17c4a25dc896

SHA1
ceb81b5abec4f8c57082a3ae7662a73edf40259f

SHA256
5da4c64f6c1ff595779a560e215cd2511e21823b4e35d88f3ba90270d9244882

SHA512
ab2dcd1628a0d0cadf82eebd123526979e8cf0a2a62f08f1169d4c03b567eca705bd05a36e5ffa4f6c3df393753b03e3daa18122955dde08fd8e5b248694e810

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
b87b1f26d4b79137b897567803d8b64a

SHA1
5564cbb7e247d93306913f0c2808abd4f2d4427f

SHA256
816d590c8f88bfec3126f30bdcd1bffebeaef9aae1d1de8ef7fb42ea0f7e66ee

SHA512
9550cc2907f28c9fc0d27d096e6f24c21af3a1f9c93eb02aa98f8b773ef4f81721b38fa31536ea25b463d0f27a8893f71aada27bda6b876456cf2200b73cd039

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
8246d8e596818638cbb0fd3210753f11

SHA1
e1ed700faab29b55de3b89e95ce0f83b61386c8a

SHA256
7af67446ebffd722a0726ebb33b802f0760786e2b3cf0fadf3767dd7de9c4948

SHA512
0364764661db49f0bac595ddb067919ad12ecc77ebba2ea81b01e561a059587c0fc89951c61cf98132853bb26e247f5c880d6709bcf86b761a8a01c65dde1e95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
ea1864877412e64cb0df8a150e1e56a2

SHA1
6e21dc20707ffca03f42f08556843212e53c94bf

SHA256
ec2716ceebbdd014b10c0e9fcbeb1237b4383f849b52ba932f2262d2cb83f1d7

SHA512
d4d82bd626057f45ddb78304b2417ada44c93f33abe307fe8a813511f16fe7beee5cf60717d23a620aa90371388b495cf9d60a6e11401733e6f3ca4fd6ecbdf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
3edb7279565ee020e89eb0efca60cafc

SHA1
7fd8a4e386e195ecce77e978bddfc942d69da2c3

SHA256
2dcbcf12a732bb0575c41f315524832b21cb61539d42c86f2de422dba544a693

SHA512
020b3f8252ce980bc68439fbedad89c1e04f4e1c1edcbb7abd59f29430d9a2b42b2eaabb2cee93a3e42a8c44e46faa11e7778a0cbf71e1d523e215d33805de98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
a11deebc90b533b5a6bbbd0230a82376

SHA1
ba607957d5782d05a83cbfb4b841ff55bc2aa6c9

SHA256
78eccf5b8bb764c7eff21ba973ec62f3a2eceaab3ffab5fca2a806b2804e483d

SHA512
072e59d8c7bc290c3571dcfec1ab29ac8eb69a20050f41015e6c80e3d714876d2cf613e50932227ba4a5cf04f95d549f2d928ee736ac94cf5504087eb6780da1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
2f0d304eaf98d6338b1457e8d1cc8da7

SHA1
d432e5f1cfb176ba8200e1f7bb4430f88e386fba

SHA256
ff0b081919bee91ec4d12f2aaaa48e87418145b733c7219219d5f62b9b365292

SHA512
c8cefbd047d6a8ffb3fac2a3ed619824f14e76f62ea871e1889ab7527ad3e72c90b6842a290a80045cbe196a982ee3d8b504b9015d32f1c98f422ba1b9cd57b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f32ac1604aa4e8c4aba5a332ebc49a52

SHA1
24b01d4a2b130b2a63dc91ebd2e3c5a00b841c4e

SHA256
da7fe2c9f061ea1d5d3e1d65da4870f2573bf3ee1fb158df4a745f8edccbda64

SHA512
4c98fd1616a6c59d5a014aa7a4fcfd10c337852810c94ddd265852bcef1b785c54705f6f9047fab89b9369d300b9ce840a6c69e9d9f930619408c0ecaea5e198

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
b3a658e8f9edc86263196addfcac6ac4

SHA1
4ebb18d1818e2743400554e40e4c6eca5883f113

SHA256
bce1d2859d8efe4c84e85c2acfe0e0f66a3b05c5c69a843a751d087acf30bb31

SHA512
0815eecf1da508528671c24455da2a13ea2d43f74c3c8973bb8ba57aad1bc479d467a0fce62aa07ebbf7e40ba8a4c0a93303a22fec000736ccc40ce7d3821880

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
457d604f0138d4680168f2b733e4e29a

SHA1
09c92de19f3144b6d36d02d8a34e55e50ad9228e

SHA256
51645e96a6a7951fc4836cce81c2c8cea2faabf41744b95069e864d5ebf13eee

SHA512
d617e5d4ea6e8c6ae1b1a6aa1ff081c2a4f11eadca539f0a556c1e9546379e98585c3160e509a9422dd132b0d2f8d3647fc354b6184d0264b0e6b2dd5d00a587

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
57c133c5670070820d1c5e40868c375b

SHA1
fcc094b5c778647b5bcc19d03777813302f7bfb3

SHA256
5cbfb3a0035cb25cfbed749fbc7e564492b74dbc5cf3e02a46d26b56c3444879

SHA512
495fdaa504e83bd83eacdd83e341bd4ea135b651b3c675d2851f651dad63b7467d196444ece2060120c1baef6354bb7457fd71772916b11107bc2b5302776b92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
89B

MD5
84847a73784116bbb045037922a33bc3

SHA1
62ef7e8a9407cbd19d9bd9b4f3c5fe288f0e0d30

SHA256
60c4b50e47ae4560d85dafecf42f8308d679bd9fae375d9db8faa38f158f70b8

SHA512
4e128e6d996213339a672aefffff2406d8e1106a9b06525ccd60e6f42e9066608e59e0c2b9c50393605cdf241c2d6b2b55aab78a52bade3b3f1c185017d955b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
146B

MD5
4e1ff43e5e89e97f409e9d958298efd1

SHA1
9551e1f432a6bb548863a9b702a397a9026b12d3

SHA256
c34b848360ff76146764535c21132203f5b17c229efb2ad44a8dd83f3afc8c11

SHA512
75de1baf876c0204167586529c93dd0071976ad33169908597b54f558978ffbf11a0ddb44042d932e542484a524c32b8aa6fb870db6be059054f0483c646a3fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
82B

MD5
a6227696e780f1339d4611763ae7f9b3

SHA1
d701097facf63cd8d7dddad61f9833130acca666

SHA256
5e447b06d3240fd694a73c7ec6916123e7826c4a200b47e7bf69a1649b317c9d

SHA512
b53d9d235408e506968f5681216dc90ea4e0c6aa8bb7ba0555cbff8c72eef7229b24b8fe3ca306c91bfc63f35e7e0ab25a568b880cc681f8d31858746053f597

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
48B

MD5
1f98d95f1673c8e0e391fb8d16cf42dc

SHA1
3814632032c3c7b4d23aa92a76d34b63d1151521

SHA256
5e021e4962b2c6c92b3776dc55ef532494d3782486cda24731e48b9e497e34f4

SHA512
a293227b4cd918a3248b1432626fce8f74fbfb08ea2f3aaaebc9ba94a17d9db73f829db9a1693b6eb024632aa0a301fbf264c5cf68ff097383bad9423840960d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe581bd0.TMP

Filesize
48B

MD5
5f01fb9d41f4075feb33163a0d654f60

SHA1
5cf654cb518b034af8c72954637be93112592079

SHA256
249c8a9c80dbf64c9fb9465d28d4e51df8b70e5b5e495103ba3c538449eaa173

SHA512
5949dffd64eaadb6a193bdc21148fe9d26ddf372f8b17f20d6b7fae94658eeda9524cd0bca772b7e4efcabad47334dcd79cd52547164b8d3d8e0a58901592f5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
13d0faa455a2e3bce4baf0862e8ee764

SHA1
64529c5397104ed055dc24dc58ef5880556fa91e

SHA256
bb994da7daddf2059a2fc892751741fe163f8a7752af281572d2f40f0a47c7fd

SHA512
d19ebb5419aefb5d0b5c257f846f224c9a9b428442b74124454c86f36f0698ab7c452dcd05867d796c4e5acc5b860b7966c6d3c3d1e35d39bf90d3a302e62f82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
8858081b248b3eb342056a9104a33971

SHA1
4b297b59a021f50036a46152effc0da630f50751

SHA256
70ad5922f7ae4b305e9410447b0e2217cb76e69d645755d32a00388841a5efb0

SHA512
4453b1c2d363d7fccb037ff6cd69654d234023bf3dfb0493d0486ed420dac8bea267385ae37c41e0bc7823dafc54b20b2e62463c5681af42134ab04afafdf7b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
06f5d05b0dab9bd6a49825564e3b1513

SHA1
abe3a7489d8785b669914057d4c8bba0fc7a7cd5

SHA256
882bb12d0a89ef9dd11dd01c74094ab2b96654f0b1ff1486585acd30080e8d00

SHA512
f7498bbc3c7f62b0e4d4643fa82da9806bf887a91cea7ea84e2e3fabf608dc2663c4fdfd67cf0c3bfea296ad1b362763800659d627928939c966be8a6af1a3ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2ca74e278fbf0a8b9251d98378ff3dd9

SHA1
dd1f650f648a18331aa1406a28d8c07071c4e639

SHA256
18ee4719d439b5b60e203ae3bc23c2c479897c5cb0599f49c701137a724480a2

SHA512
4fcf26edce1cc5978b71d4f7fb8e67657c68867ed333cc6ebf0eab894fa43edd32985316b8bba7bc35b7201b7772564db1c8a2751a3d46f3b9dea32ff980494e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
48392a2ed6252f0e3a172bb3c7ceb8b9

SHA1
32fdcc0e337889d365c0402423425d355a3e04a4

SHA256
9115c43b1218b1b21f5a8e6d9317919c6147049052d322ff65a4c9d654b5f70d

SHA512
61ca7216e5ba7b334a75ddf945ed7fed5b547a901c5ff5af14b83dfc883b41d47309af0c4d66c5c62563c189baf067cafcc40338d45d9ba5052fcafa9ef243a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2b1a507fe45cb6230aa146b5b7f0ad5d

SHA1
3feb08b87b4124e5713a4eff632644cc1a3b2a9a

SHA256
0eecc11e1ff5369e526bb5ca9770d86620b69db4640be3ca10aa4b8913d63582

SHA512
32170283e7ec3c0ba60d4afc4e2f735039b6709c849b66d212898938e45d1bab08aac9aeee27cd9e585ec7416bef58213b3305d085aa6d05d71b358d132d429d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe580f0e.TMP

Filesize
867B

MD5
7b560487d4f3f2c55169fb86d436e39f

SHA1
466931b58962e61ebae9425bf6ad886122a56f51

SHA256
eddf7c3ff7f8e98f9899b960547ae91097ea0114558c0d6046de6514f5290489

SHA512
e115e267244dab180a185874923cd7b0bea925d8e6ad48874704a74ad9755b37b8aa403c946e54b7616cb3dc32c0b75b83bba5ac78a94236493a4bd49d177aa6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
c02f65282d09841f1b12cdf5e70f0ebf

SHA1
36175f9546916c5191a25a68b5c7ee9acc1d8bcd

SHA256
91c7d7dee556e70d20025e0a16988d85b81e878aa68db1ccca568455d1e71947

SHA512
5dc17fc08bc517158eac0d94dc9759cad42211a46ca372979b0dfac35766ae181a1537a44d1c1b4ff2b787704fab8c17b11d70be0339d64bca9ecab2c20234b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c3a45ccb7630aa2d3badd4a89c56222e

SHA1
e6f24ac82895ae61ed00b88bb8d9acbd36937b9a

SHA256
a43117c76843e37168d1fc0af449b8fbb44a074d3a340ed7ce5eca7705ccbe96

SHA512
533686119c657d8f5c84ec96495051c45aae8fd11675b2145202fb956573708f4bd383a9d4a3a4b4a650f5eb0206cbdf3e6731af21cae0a653ea2dbdf3d43d70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
3bf696a77c40c578ed66df5a5ed8ba53

SHA1
44dc8aa7a7836f544dd00795e2f7a61a6599267d

SHA256
087336bb2061d2a8eec345f667ae03427e2092f0ea6a1c827b3e1933a444f38c

SHA512
e4a1a1bfca44359fc33c95caba9ebd963e64e68d59142de32f9452091a9ffff385c0dc00c283b26650d1d422d41cb0d2ac13c1a01e3c9b232dd4fa1a494bf81b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
2f3ea34be9d7ee0ba35ebc17fc452ae0

SHA1
533a699e2ba5a1b0fad04499cf28e963d70d3c70

SHA256
2241726ed66e989f2bd4ed407c9a6c4a0aca724efae7d64b71e3a2e1dcd13bbf

SHA512
2ccaa3f61e01a7f565d6210a3272b57610edd66b4e17b2e849c2ecf810e8bf57e4e8f5961f040f631596d299662cee747701b3b76ba062bae135777c0811203a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
3477a43de6665a70fa5c6c84a350f678

SHA1
4c892f4b12b0c65d9a275dbbcedd9fca996f8cdd

SHA256
6526dd38840fbeff139913d9f486e81c817068a9895e2ce0ce4aea97fbf8a2a1

SHA512
1963679da23d6ad64a73f5d9a42da1fce4e173ce107df1c1e33767e0480e40511a4ab44b88ef7e7f697ecb8ee40603fbce09055e5e13420f9b2d998623dcabaf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\VA38O1NI\login.live[1].xml

Filesize
13B

MD5
c1ddea3ef6bbef3e7060a1a9ad89e4c5

SHA1
35e3224fcbd3e1af306f2b6a2c6bbea9b0867966

SHA256
b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db

SHA512
6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\l5q765j\imagestore.dat

Filesize
17KB

MD5
2027fde1c71a74400d44d627f97f4ca3

SHA1
403bc287c8ea4c7fa90c4f7afd7a0c4c697d443b

SHA256
5b7d6ce1c03ac2222391d8991d48730bd7a773c5bc9676cb3b4170004742ec60

SHA512
c7d3d34742cdfca12bd4631c1e3e4c0932d15a0fe23dcf8411fa71a0e58735f1f51f7087fb2a55f5138919277b8480a833f37536b6012889493898b254c87ceb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FMGLWGAG\MozillaText-Bold.361e8456fc5e[1].woff

Filesize
31KB

MD5
361e8456fc5eb01eaaa618f5fe0057e3

SHA1
5b95f2273dd1749dab8e8eff55de32615b5f2df0

SHA256
456118000fb82343bd6e0c20163e81f84dfb44410395fab4f1fb8c5167186fc5

SHA512
3d699949f2955c2755757f4bade061adb3a2dd3712b9af91ffccf673463fa271b3fa07ae10b68afce05e4053dbab7160af9cb5211af0ae0bb695b9cbb8994040

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FMGLWGAG\MozillaText-BoldItalic.984d399de14d[1].woff

Filesize
33KB

MD5
984d399de14d440fcf53549cb4fac06d

SHA1
6bceee076c8c5772d42de36c053e7e0aa8752f4f

SHA256
e74a211f98cb5e71dd006a4d4d70533833b46785b8f549978870b13cefcd2abc

SHA512
c819f1c790a5543c3a9a84fa8057757772636ed74050b51c8674a613c0b7485e4fb45eae5fbacc9d499c529b0d5f4dc264d2e9d8a4cd3584abac7e3bbcce9351

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FMGLWGAG\MozillaText-Italic.73f2f4470b85[1].woff

Filesize
33KB

MD5
73f2f4470b85588a39fcab23e2495354

SHA1
9b09b63869177bc93f2716fcfb5838621f9f6f6f

SHA256
8f2408227ba82e2e276266678921b5e4db1106cabacd1b6c8dcfe572dfa3c6b2

SHA512
db012a8afbffe3ff6d44b27ce28758d690603fa3d2cc4d1e07a8fe610267818b65e3e111ffd812b2a05e998122cce46de31ec9b629538be7449d3cf787905832

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FMGLWGAG\MozillaText-Regular.3869f665ef26[1].woff

Filesize
31KB

MD5
3869f665ef26a94f7e9af829b47ae02b

SHA1
945a2dd03cd4d1bfad9205ed753d2c583f46b788

SHA256
43d608a4b72709e8aea32e643af42f0679b83a4be84298d7faa710053cc6d6be

SHA512
496e4cf2f5f69444bc146e07d8c5b1e9120574d2dc3e81fa592bf7ed6b0875f0d9d032298aa716bf025074671965eae3dc449c4f790ea946120c33c1846ecc03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FMGLWGAG\MozillaText-SemiBold.c30f0c18b859[1].woff

Filesize
31KB

MD5
c30f0c18b8595c5e8230b53cb814069c

SHA1
5a3e5792d619fdfc1fd9ed8c7a96919e03719c47

SHA256
81a95f0c5d31cd42f5931083a7078c601ff92e0b59df0cbcba4a581433339ca2

SHA512
2c99f8df4726697ecfd0704628860e9e7a3f2b76c6ca59fc03d2ab02deaa6587aca000db8922f593ff8bd340d23b9354dd74d8f5e65924eeaa39e271158021f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FMGLWGAG\MozillaText-SemiBoldItalic.1b457fe5e036[1].woff

Filesize
33KB

MD5
1b457fe5e0369f13e72c8a809f8f1c67

SHA1
6a088a613f3d775d79f7df6809e9101050191bc2

SHA256
4eb93e5f13b437bacb1ad01cfc2d1f99e22964a71d89ffcb0023eddd54040510

SHA512
6ac32559e56257491ae561e16dfd4c5308209c372306a5732ce9c79c868aefbcd64d0d13917f9cbc4831cb1796eb5061b58ce70315c14f7237dca42aa08b677f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FMGLWGAG\_BpGtsjx-Ufp8pJUKaYUgkW-Siw.gz[1].css

Filesize
43KB

MD5
659a167a9d992c9822785511880deeff

SHA1
9bc6dc99c401606832ea791dafe818f68cab2a04

SHA256
bb040e7319eb6d62ab9d1acb38769b1d68f42e0f62c8f2c2e877fd6d0d5ba275

SHA512
e87bd404dbf3a4e31d82db7f143050d9edf70fe5dfd11547d476b0a3885d90166de40a13909a3b51e59daa755fa1500c03eda9deff5e86362b62a79cf980b441

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FMGLWGAG\consent-banner.f74bb4c07d16[1].js

Filesize
5KB

MD5
f74bb4c07d16eb6f0550a1c79647c1d0

SHA1
0299319ed53f3423298031603371dd002bca85ab

SHA256
9ce95e74f5dd6de7c916a710ece5d45512cef85eeeadac5b147eb87d797e3cfa

SHA512
354eb4a134de0361c95f0736cb8950c2f7b0c1eaf433fd8cdb35b212009635a933e43e7601a1a113b95789a9a0b2124819303ede1d70f14adeb327a1015f0a5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FMGLWGAG\favicon-196x196.59e3822720be[1].png

Filesize
7KB

MD5
59e3822720bedcc45ca5e6e6d3220ea9

SHA1
8daf0eb5833154557561c419b5e44bbc6dcc70ee

SHA256
1d58e7af9c848ae3ae30c795a16732d6ebc72d216a8e63078cf4efde4beb3805

SHA512
5bacb3be51244e724295e58314392a8111e9cab064c59f477b37b50d9b2a2ea5f4277700d493e031e60311ef0157bbd1eb2008d88ea22d880e5612cfd085da6d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FMGLWGAG\favicon-trans-bg-blue-mg[1].ico

Filesize
4KB

MD5
30967b1b52cb6df18a8af8fcc04f83c9

SHA1
aaf67cd84fcd64fb2d8974d7135d6f1e4fc03588

SHA256
439b6089e45ef1e0c37ef88764d5c99a3b2752609c4e2af3376480d7ffcfaf2e

SHA512
7cb3c09a81fbd301741e7cf5296c406baf1c76685d354c54457c87f6471867390a1aeed9f95701eb9361d7dfacce31afd1d240841037fc1de4a120c66c1b088c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FMGLWGAG\protocol-mozilla-2024.8d50a4be4f29[1].css

Filesize
63KB

MD5
8d50a4be4f2988533158459c9eb97fb0

SHA1
5afeb54efefeb0b5a291626af96b1393837ff555

SHA256
0cfc6529260712fa6f950b1fd3859ad3d8434f276fc39fabece20cea9dcc4f0c

SHA512
2538416eeb07b2e2568f725d5d5bd917349ac2902dde95471b4db871d66a4a3d87d35be5f8de605a27ad64c0e33902c80414b3f37ffbffaf70327631568d4d87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FMGLWGAG\qsml[1].xml

Filesize
505B

MD5
3ef51057db9fb1c6ae276a0cf6d029f3

SHA1
de2abbd08b5fb56701bac8fe67dc3bea312a6fdf

SHA256
862b6aa447a0ca7f173c1240a1bbb5187133f1f2dafa4a66556c2509d9c82bb1

SHA512
a4387b89748d5f83f180545c29a708de3fc2341c892b3d6513b52019853e6fc0155faae62dde70d8285da805671401631ad12d5c1a03c7928ddd596ebb2e8ecc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FMGLWGAG\qsml[2].xml

Filesize
557B

MD5
99285c41c996fa6d26e4fd7abbd2fb8a

SHA1
e2cec17361483184c3989bf665ee3701f46ecb8a

SHA256
d346a641e7594d5c0e2e403af1be613cd4d50caa927ed0fe3e8dd51ce24127b9

SHA512
54513b0593d72e11a469c980844c89075c1c844f79a1ce23fcef271d26a50bd6688849b5a63d15a375c3458e450985a95c740dcb5baa86e10f92ce25199520d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FMGLWGAG\qsml[3].xml

Filesize
472B

MD5
f3e6b42d634ee6327a604afe5fa24463

SHA1
eafb61c3024a2895a52aa29afdac21329382e045

SHA256
47514fb34657478e82eeb2f4dd11d707fff7b25a88d2f36d53a896f6cb2e04a9

SHA512
8473a0cd525a63294f97dd1071787be16fab3e9e1ac7977c4bcf35e4a3fdb5e58b2da206a0dcc0d72ff9828b27216e0d5c16069f579b3718b5470346755065a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FMGLWGAG\qsml[4].xml

Filesize
491B

MD5
17e3f5afdd04b12ff37f2ba2cdab30e8

SHA1
ae56697397342158694ccc463a4544c5a29d2189

SHA256
4e595c641eefc108c82cd4621e0f4794ab6441c3f34239870616388bcb13c5e2

SHA512
d50645d469e58f629e438dd433f62c26b1988fbac8a462357dbaf9cf7582f11d21b3761f947c77cfb8ce9f097ec21e1459dc231a2aefaa1f31ec7648cd0580e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FMGLWGAG\qsml[5].xml

Filesize
516B

MD5
0e0af6c452b8e977b8d66a06272db3e0

SHA1
ef9fd27c8076ea1aabac008bae002dbd289669b8

SHA256
42881acf4be1804831cc5f0a8528e18c4e39f3014526ed3ab42d2fefa04fe0d5

SHA512
e464768306f35ce686c791cdcf99e9626a056c4e6e67003e8ee96fee56466a1a18b7a17faae292cbefd64fc35a3e76245b9176848a9d28047312e8452b9c0ef4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FMGLWGAG\site.b49d941e3374[1].js

Filesize
5KB

MD5
b49d941e3374b85ae1aeff4650f45ddd

SHA1
29d2423488f7d15909d70c664669adedbf94bf03

SHA256
1fa750605ecff613923c69d7c6b8913d0f1158fd5bcda7368564517794d148fa

SHA512
16b3cf01d125cfd7f651d5b26c65040e9f7fa557ed6679c4689c72eb658461a8cc7f77d54176c1752db90ae6d769ae5fa4a82fde5d1139c313b8ff44beeb3ef4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\V4KZV1MD\data.438fd3539700[1].js

Filesize
5KB

MD5
438fd3539700c54c0513d446b8124dbb

SHA1
0a0514e08422d01a9ff79a113302daa418beda3f

SHA256
b3872a96a48a272e4782265a23db412ebfe61a43854934ab1d4239c5b5633ba8

SHA512
3100032a3d20a7254d9ec002ec6184ffd4cf7b36da3d2acd74036c3d60871ddd7928f03f97730f2370ec6e03b2358d62dc5ed4ed16974fcecde9d73640a5d28d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\V4KZV1MD\fxa.6cacc544775b[1].js

Filesize
7KB

MD5
6cacc544775b1336cda354ef7e018aeb

SHA1
1b162e10fba618ded94a778e65d4bb138abe29f3

SHA256
8b2bf1e53fc0d7635d1e22b3531a8b431021af0ab9ed6e647716eb8e2ec73ad7

SHA512
9b1dbd117d754fd5ea59f9ff38ee35a1fa01395df28888e8b0c8d66f7fcc76f9550f7ddcaf33a1b8e9b6dd3129291fc87d07cd140102a6091d90971d77e23b63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\V4KZV1MD\glean.ff7106b49b39[1].js

Filesize
59KB

MD5
ff7106b49b396ba7025f9d469b0d7851

SHA1
dbe33f37b65e98c24dcd752bd0ca39e13a0242c3

SHA256
ed610a1a1756f1c33eff78f0a2516af71abce318e507a80eb401d85ffe6328ee

SHA512
047ee1294fc5d1fa8a5eb27ed87dcc4b19b13297e58d3a89c4e8d3236587fb454426e4ab0ed2a300d3ab402a09d056d4bb5bb6e8c4cd7dd341cd33c550dc30b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\V4KZV1MD\lib.7cb1e204ce21[1].js

Filesize
16KB

MD5
7cb1e204ce21a8fbeb1147a0a748c48a

SHA1
7a57541a4add151aa4ffcaa4c400c825dd2c3e63

SHA256
a836f4adc858a4a35a9a888da819d6a20734f9480b7dd729744c69199d83cbf9

SHA512
35e7be35128569922538512e55faaf2d7c7356492a15a998ddf56f1dfe6f0c029d3813954fe55c5a30edd12580f0c1a8ffd173475fcfc8c80bbe850b90e95882

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\V4KZV1MD\m24-ui.daf79f0fefd7[1].js

Filesize
14KB

MD5
daf79f0fefd7be0f0f68aed173907bf5

SHA1
cf08e9032f3d6f91463c82cf07426636a12c48b0

SHA256
d2748746c034af1c892489124d6f11b82d2618c5bc0503f8746c2b52bf0a17fd

SHA512
02373d854d6c3a8750cf6d2452a4c1e573605e939e0430153bb97468e5ba18379bea0bc137c893bc22d21d1753c012731006a803fe4bf35a7ce9a4edd6a818b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\V4KZV1MD\qsml[1].xml

Filesize
504B

MD5
bf042c2a6eb748fb6ddd464a68b5bd76

SHA1
4b7ba54c82a1f3929bf20b4f5dc34d82e5110ca8

SHA256
7337b0e9c2816240641a59062241f8c26321b2c79bc0769bd06f805a2200f335

SHA512
ece9a260b837b2465087e00e42c8eb70880819bcab9a57c50279d39a9be885bc54cc39df58620db7fd4f4957aa274c3b38b144e8bee41a18429f587ef978e840

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\V4KZV1MD\qsml[2].xml

Filesize
542B

MD5
87502936a39ec39e207c0418057671b5

SHA1
7dd03588bec35eff3fff1a6d0918951d4db0ef05

SHA256
629822effe39eb9c41cf60238285caab3a940a9d6b9fad40f37bbeae2d221257

SHA512
77f19d05ae4c8d3fa1e14a45b2618effd6213acc71150b9b0d5c6d326056aa2dc07d5b3ed447e15db624d7c54832eecdba03e72fa223aa209a606bc55162d30d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\V4KZV1MD\sentry.ca22623b11b1[1].js

Filesize
54KB

MD5
ca22623b11b10587e367017837790711

SHA1
0f4a7d31f6ecbde0648fb76fea5ca48c5b136fa2

SHA256
0bbbd1be5863f4f2835bc33a0cfe078f724806f427351e29f7795e90d85db489

SHA512
6af73d2d0ef7a616c97984b640dd515517f98059c98ec264ad0c2555e013cbbdc816442efd0e1df4dd2c288a34944c849a1c2964bd8877a810277eb0fed1c1fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\V4KZV1MD\stub-attribution.315d9501888d[1].js

Filesize
6KB

MD5
315d9501888dd2dafd4615878f335b08

SHA1
2fd329cc46fb7a0d2d2a9d5eaf8df5fb9641bbae

SHA256
92f772313517d09a6f024dda04db30415c95a8eb9bdaf5ef0f0fc21b196dbf2a

SHA512
29f0e8b9e262234e647e69bb2026967bb8d34ccad5d5800821bb3deb13314e9260401d65295b77a2b1d485b3aaa10c86c10b22420d5afb6e64da925a78e20947

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\XH3Z2ZON\favicon-32x32[1].png

Filesize
1KB

MD5
5b1082ca363431d20bbbebbd281429d8

SHA1
adda75630e19d6519d66e43f67643b5fbee3c1da

SHA256
cd7a029641a870d8a5db1912d947e4032a8819660107648203d8f3280d05b38f

SHA512
65f8e6de75d19760788d6a733e1a765e2dfd76e7cfeecebb1e537b7ec0dee0e9a0025e9e798a1043dd0fd23e1c888fe996bde685bab901a100f536265d10816f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\XH3Z2ZON\gtm-snippet.b5b7c885f8fa[1].js

Filesize
1KB

MD5
b5b7c885f8fafa8b858e310952079003

SHA1
0d970959609dbb302f93e728b8f18b2e756f464e

SHA256
fe4a889274c8e8a152308fc53b758e4a36d4f09071f52207fda2c09c964db084

SHA512
84221e12e9daf0713a6ae4b9b499072645cbd6c7936fa607234fe8a8773ae8f9990b89085a83cee9b043c1f2d60064d70f6553510c4681926898dc95882736a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\XH3Z2ZON\m24-navigation-and-footer.e8f9c32ba5aa[1].css

Filesize
36KB

MD5
e8f9c32ba5aa777732eb28d0ed89dc65

SHA1
398096a1f547f8dff68e6b5d68d6418ca2121485

SHA256
7194f63d579d036d5e2fa5771cb708fef1c8a416821861c80121dbf0d516df24

SHA512
01594645dd65ff8c55557a1a59c48ebe6825cbbbf76a2cfba9bf6b115485019dde739f7325f792f6af855ffc2f26449bbd36e6cdbc8e38f082c0105ca3c427e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\XH3Z2ZON\qsml[1].xml

Filesize
493B

MD5
07037c83c847d5bca94e39ff2edec822

SHA1
1fd4960836c87e7bd8036d325beba39a7d44daff

SHA256
f77bc0d6df86db6ea88266b6fb5f3e84230baccba2981b7308861800a05515f5

SHA512
e06dd1d58509f7410a58d52ad4c474cfbe5c26131e464a780700d9b6f0513ffe6a78bc653e972db9d94e61fdd2bd650adece7a735a297e9b04e3034cb6aeac53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\XH3Z2ZON\qsml[2].xml

Filesize
506B

MD5
bf243a3134cc85a9ecb2925d3abb9374

SHA1
f68ad0dd4d9a5a8f3fe728ed9e38cb1e369ab225

SHA256
435c0d3efd6da87797e4aa65aa091c06b57ef3235d08bc9152b269dd87cf436d

SHA512
295b7f36279a070c50726820983daa55d10e75e9e567757e477eab6acd7dfce29c66c4fba1b76a1e81f2a64ff92830a8c3c75b1c2ce42cafb3c153f3cb166def

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\XH3Z2ZON\qsml[3].xml

Filesize
566B

MD5
b1921f8f2664eff0380da6efacf93701

SHA1
2a778e60f0ec6f2f9b93c6a9d3fa2b76771f539c

SHA256
7b4ea6a34ffba51a37b9564104b2129e77922d7730b4808a5fe87bbf99e4cf38

SHA512
b53dceeffc77c8fd13b8fb7c9534e8db2a8fbdc041af943565d68efe91be7204402442e50a36d57f400ed6ebe018881ad60b0a53c64f086dd07347c79b2aac81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\XH3Z2ZON\qsml[3].xml

Filesize
504B

MD5
ace59c6975cc10e3f2fe6c8fe3fd8704

SHA1
514445e652ecc31fb86ca2583cde95b849da91a6

SHA256
c741131dc73a60b43a3af42d13811c187f77e95137f47a7fc4ed6d69c6403441

SHA512
29ebcd462541caea65bb4d3f49c3a21b9d854b94f4ec3d3d19a157ce93af5cae71fb0d28625ea1c95628d6a6ce5842a5368029ab494959d161cc2ccf4ff7edb2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YY018DS9\Firefox%20Installer[1].exe

Filesize
364KB

MD5
f7d94ef08354f759bbf7c9406670a8dc

SHA1
1470e4ffb6f701de7106feb6cdac3d38a1ef3bff

SHA256
314cd6e8664a4e686e72be3e8ab5f924937a4ccce561bfc1121b61bf09421f97

SHA512
4ea23efc2738aea7c3330078c3a98823a8765f41b62fa62460e315f204a54c836d176113340fba83fd57d69e5fa4938e35394180ff56482ebef78744b78fab59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YY018DS9\favicon[1].ico

Filesize
16KB

MD5
12e3dac858061d088023b2bd48e2fa96

SHA1
e08ce1a144eceae0c3c2ea7a9d6fbc5658f24ce5

SHA256
90cdaf487716184e4034000935c605d1633926d348116d198f355a98b8c6cd21

SHA512
c5030c55a855e7a9e20e22f4c70bf1e0f3c558a9b7d501cfab6992ac2656ae5e41b050ccac541efa55f9603e0d349b247eb4912ee169d44044271789c719cd01

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YY018DS9\favicon[2].ico

Filesize
1KB

MD5
f2a495d85735b9a0ac65deb19c129985

SHA1
f2e22853e5da3e1017d5e1e319eeefe4f622e8c8

SHA256
8bb1d0fa43a17436d59dd546f6f74c76dc44735def7522c22d8031166db8911d

SHA512
6ca6a89de3fa98ca1efcf0b19b8a80420e023f38ed00f4496dc0f821cea23d24fb0992cee58c6d089f093fdefca42b60bb3a0a0b16c97b9862d75b269ae8463b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YY018DS9\protocol-emphasis-box.4ddd0fb346b4[1].css

Filesize
468B

MD5
4ddd0fb346b4bbdb635520c57664a3c2

SHA1
730773e918e8ff8ce572c0bc4ea009ec0d76cf8e

SHA256
09299185f02ce092eb3b7026b6b5de60e1618e5a70916562f5e8920a0869431c

SHA512
49d620d80de64413474a175b35733fd133f68bb86e64641b30dd036fb80585f6e6483397d1a1cc2b54128039492752afed0e27d385a7c0f3eed3b0b2b33bfd73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YY018DS9\qsml[1].xml

Filesize
502B

MD5
480683201943cdb15f9a8989ccce62b0

SHA1
26ecc822c941284a145415dc37ed6c9bcfded2e3

SHA256
172089e371a4d061e95ec95b17d65bfd82260233c03c5644b78bee50cdd62c19

SHA512
12efc51ea3225b2ade11fd97ab56f6d4ab0ea7aa4afe275fc8aa46afcfb591fec4726120000413752b794552cb2f4eb3c8fe88a06c1a4362233a4c0be44b6880

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YY018DS9\qsml[2].xml

Filesize
507B

MD5
7bfac51367fa0ca0ffa293918de95955

SHA1
f4537d7f3f8062b201264fd7f92b224996ef1404

SHA256
aa3d4dc23ad5fc405f02544bbd82a6993325ee192b8e33d675b8d486fa5bd3b3

SHA512
ee8d2e4dee5fe2a7432b4c5f40a716a88530c4804cf3b7724e1dac2ec54990ede0c75d9d48eafe68f65ceadebe8ceef9ba72fd69146162748f4d4153cdb63850

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YY018DS9\qsml[3].xml

Filesize
567B

MD5
1e324f16d4b8a24b32e3bc10a57c94d6

SHA1
1d81db0ce16698cbea4a0b29f4f1ee85901f713b

SHA256
89f4564832485db6f40726488195fff267a9f7833a6932952b133977f8620c35

SHA512
1c6a953d95942ae26cc9cd65ed649072a7007c30c90fb959fca1c32e6b4b732b765185732ad341f5fb9336cc94c10d62d4b12353799c6a305eb15b772bdd718b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YY018DS9\qsml[4].xml

Filesize
471B

MD5
300beda44564574e9c7991504ab3e0f3

SHA1
f5aa186c336d5068c4c6b791372729f8d19b31f9

SHA256
799694f7809e5b967fbcec9cac99c26f5523c481186a97fa653f9d56a74905f1

SHA512
583402ccbe64db619e398b6a9f59b874e15620199b19d4284cc1c86ce57c14009d1f46ea7b8ac17f96223af2d05b48b5ddbc626a1f169a742c047c53943c7cbf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YY018DS9\qsml[5].xml

Filesize
475B

MD5
2561152c111ed1bf1704b958bab6db08

SHA1
e35bc077944366837b834ea20e13fbdf86d60432

SHA256
9035c0e42aa2e4058000112b47d4e1167b43186611d1cb4ae829bafd3631e98b

SHA512
ad4ad2aa850b051d62e11442178f8c09c827c01964d92123c2bcc3598719784f8962630b5703bffc9800b5b6f9c47a2f922cefeabf5604cecbbd534fca1d4336

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YY018DS9\qsml[6].xml

Filesize
493B

MD5
9b9ed1036cfe2e6c701228eeb857573c

SHA1
a26099e873031acda749700172b37d6daa084bd1

SHA256
17c5661fb7a4fc36974dc3d39d0d147038215dcab4ca8b2a1f95089d16f4f6bc

SHA512
829abe60e0b19773678272945fe255827a358d3e1437688c9adec9988ec8cbfe3b4ade98d1ffacaa9492ba57394e778a5424a8bda5e00ea0ddbbb756a655fd9a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YY018DS9\qsml[7].xml

Filesize
517B

MD5
6b38b115f758151baad14a7e192bc809

SHA1
63ff883ca40f2bcfbadf7287769b8394e221d713

SHA256
fa243daf28a3f1c9e0a746721f9a8f8583882b72b87f222f377ec7c7ee8c8de5

SHA512
2f205a6bfe23e5eb3c2e04adcca2fdd1666f5a88e12bcd72068f518a7e52bb684b6f0b8763421654842dfe34f27a153a4b8aab6fd9bb3eb0634b6bdedd0aa974

Download Submit
C:\Users\Admin\AppData\Local\Temp\UggkEEgU.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsr5ADA.tmp\UserInfo.dll

Filesize
14KB

MD5
610ad03dec634768cd91c7ed79672d67

SHA1
dc8099d476e2b324c09db95059ec5fd3febe1e1e

SHA256
c6c413108539f141bea3f679e0e2ef705898c51ec7c2607f478a865fc5e2e2df

SHA512
18c3c92be81aadfa73884fe3bdf1fce96ccfbd35057600ef52788a871de293b64f677351ba2885c6e9ce5c3890c22471c92832ffc13ba544e9d0b347c5d33bfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsr5ADA.tmp\WebBrowser.dll

Filesize
103KB

MD5
b53cd4ad8562a11f3f7c7890a09df27a

SHA1
db66b94670d47c7ee436c2a5481110ed4f013a48

SHA256
281a0dc8b4f644334c2283897963b20df88fa9fd32acca98ed2856b23318e6ec

SHA512
bb45d93ed13df24a2056040c219cdf36ee44c8cddb7e178fdaabcec63ac965e07f679ca1fa42591bba571992af619aa1dc76e819a7901709df79598a2b0cef81

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsr5ADA.tmp\profile_cleanup.html

Filesize
1KB

MD5
1cb97b5f8c5f2728b26742d1d0669899

SHA1
bb5ab1b8c00810fcb18184a996573c5accdc72c3

SHA256
dec82e9caa154300e1aa44f550c16b455a2025be4fb1c3155cb75fe04a6b6611

SHA512
768ed2b070485f3bbcf457aefdc0ef8f1737ad8ac4a2703e2feaff424f9a2c69a2f5928a3be898932ef4976a44ea829a099d090bd9941a24d045d5c8ac8b7b43

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsr5ADA.tmp\profile_cleanup.js

Filesize
1KB

MD5
d845e8f4c0edb3cab17e6a30090ac5b8

SHA1
654f058570f0868f0acc5f0595147f3385a9c265

SHA256
1adcfdd9768242c6c639b10e4f0bcda24f6a957a169c1dede265e40336ecbd4f

SHA512
401d800c484b74401b90c3285d8b6cc0018baf4979d6ec7bb174f7810d3f60adfa6b4cebeafcee20d5a7c3597447f755af19c5fecf1863e2438fe427dbdf9fed

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsr5ADA.tmp\stub_common.js

Filesize
815B

MD5
efce3dce0165b3f6551db47e5c0ac8d6

SHA1
1e15f6bb688e3d645092c1aa5ee3136f8de65312

SHA256
dab39cbae31848cce0b5c43fddd2674fef4dea5b7a3dacdaabdc78a8a931817e

SHA512
cec12da07f52822aaed340b1b751153efa43e5c3d747fa39f03bb2800bf53e9416020d654a818a6088acb2cf5581714433d818537f04af150e6bfb6861c03988

Download Submit
C:\Users\Admin\Downloads\!Please Read Me!.txt

Filesize
797B

MD5
afa18cf4aa2660392111763fb93a8c3d

SHA1
c219a3654a5f41ce535a09f2a188a464c3f5baf5

SHA256
227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0

SHA512
4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b

Download Submit
C:\Users\Admin\Downloads\138571738014459.bat

Filesize
318B

MD5
a261428b490a45438c0d55781a9c6e75

SHA1
e9eefce11cefcbb7e5168bfb8de8a3c3ac45c41e

SHA256
4288d655b7de7537d7ea13fdeb1ba19760bcaf04384cd68619d9e5edb5e31f44

SHA512
304887938520ffcc6966da83596ccc8688b7eace9572982c224f3fb9c59e6fb2dcaa021a19d2aae47346e954c0d0d8145c723b7143dece11ac7261dc41ba3d40

Download Submit
C:\Users\Admin\Downloads\CQMC.exe

Filesize
816KB

MD5
4840b86330a256fd4efc7fd35f39ca11

SHA1
3b10a89279f49e594e06902d5c31097a0dd2412f

SHA256
0512f5347e4bab0872948cdf576bae38d3942ed4ba191b245a186b6092c1996f

SHA512
c9996da67769ea906bf019eef4ffd6005a9446716096f7e6eecde5aa128f8d215d095182627f3afa14ff89ca54c42b4259897f6e3866b54a85ee413ec3ca2f56

Download Submit
C:\Users\Admin\Downloads\Ekki.exe

Filesize
226KB

MD5
55ddd2473f8c712e9a98d1b424af948d

SHA1
aec501130d5ca0f9be9d3074a300958dd0ba45d6

SHA256
aa7bad0b1b5844d642e05da3f88df65f8531c952ed03c963dc31e691d6131905

SHA512
2d9bc79420e220e4a718db9a492a21133a20a49619a723b0b90c7f9760f42e216529da4488300ce17b1a9cfabfcc6a03a9def4b351b5b1e765ba41139002b162

Download Submit
C:\Users\Admin\Downloads\EsQc.exe

Filesize
437KB

MD5
ea17d9153113326fb7a748eb5cd83a49

SHA1
b95fe10ff947b675c603d9899b8b294926917e94

SHA256
68cf3d3804acd7821dc38787d7cb3a92f1a838134914697dbb3202e7b66a83c5

SHA512
3f482d57b249af9c6383e2d4497625926476b31cfe034102c3799c1c8ae56bdda76d29f8a54abe9d3236491307121083a2e9b7a5d477fedf86b27a6b8172cc91

Download Submit
C:\Users\Admin\Downloads\GMMq.exe

Filesize
223KB

MD5
497079b2705359ebfdeab5033f75e6e1

SHA1
61832e473bb183247ac998e9e7fce39cd5ddd482

SHA256
9d41c43da38f02e4255a01262503ec4c88f0cb2934f74cc3fcc9595b92065061

SHA512
0c9ed868aa96b176fbd70c20c49412f076737b87fdc076cdd5b61ef8b8ba1e6e9bd9c7c580bce5246ad275b2a1e0db822f7cc85fb4f1b3ebfa3062532ff5bc5f

Download Submit
C:\Users\Admin\Downloads\IEwI.exe

Filesize
1.7MB

MD5
e99c57351d8abd1391aa2d66338e1ee6

SHA1
8c894fad137d4cbd01ed89ba4ada9750d62704b8

SHA256
c752e37bc6415f6bfb2ef32b6dd10ba1c1e1507cc3c71c5a95af4e391f312b0b

SHA512
04881abbf16a269c1afde424e329c2888e6ad452e0cb467e8e14fcdd28452af6fdeadf37fd66dda66e69cd83e5b245a20d8a61e40e688c70ab51946d4af07955

Download Submit
C:\Users\Admin\Downloads\KosW.exe

Filesize
638KB

MD5
5bab3e8a73638aec56a00e31354656c6

SHA1
fa307608d3306dcf94fa1f5485d993144379ea9c

SHA256
0b75656057be68d4d1ee9fcbe75286c62c10691d26896e9a55581633ea877158

SHA512
a75527caba8d9958f96bafdf19667e2d1be9624cd98f270e6df09c1352f36df56a94d85206e49baf58e631cdfd266e4eaf7f4984441bd209dac987754cc6f5fd

Download Submit
C:\Users\Admin\Downloads\QYYw.exe

Filesize
213KB

MD5
609192550be01fec984c71eda39298c3

SHA1
5ca21319093ae22d55e76c3f6a21b7f60bddd292

SHA256
df15d6539201af32273264852348a12b669605d3cab01317b568364449f3ecdf

SHA512
d696df87de6a4d65973d38fa3a397d5a27263e7ebd26f099dda2162613676c707267e178c981b7f86a6a3ecc6691aabfea1b4c1836cc3de58d1603dc4e0caaca

Download Submit
C:\Users\Admin\Downloads\QYoI.exe

Filesize
643KB

MD5
40abe571956c0d7ccaeb5989941a0a65

SHA1
0998042ca039016cdad89daa3a157c602d2c7e86

SHA256
7515033fe5c0c732b3ba306a37fa4f7e0a273c4560903ad8222764839c7c58de

SHA512
e3ea6724ad95eae1e765c69094553d047b69102abc3e671a788dacdcfb81dba0e59ae197906f23085067c40c7fa7864a9bcb7c6618c80b1f5f51fe0660896648

Download Submit
C:\Users\Admin\Downloads\SAEi.exe

Filesize
224KB

MD5
3926d17fb672f24482e61a50f2b1d9a1

SHA1
82e3af6c5a395b1c1ab1cd695751a227c8c82ee1

SHA256
7668070619cab9635e1e213cbddf7df5285e635275985912b7fdbe11a2bf51df

SHA512
aad3e59b795b32ac999937edb87bfce3c86fb17586ce6eed01f3adbc632b935c73455d32a759dce61d1287a20696ed922aac000fe0df6d15d2bc498556d86467

Download Submit
C:\Users\Admin\Downloads\SQsY.exe

Filesize
640KB

MD5
99ceb4997c83bc2a12f6a62123db0d87

SHA1
3eb5fe6f4a32a8cad28fe968178c8da50e9c2c2b

SHA256
839cde3cdb5ee402067b486f0e286de22f14ef2a478bf9873a0008e4ce1e9619

SHA512
625e3b9ea673fd6565953ece0569cbf2566af71ec0635e8ae3ec268f6f76185d0b19d148507e2bffc79d64d9637f108eefe20cc04f38282efddd42113af97eeb

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 174732.crdownload

Filesize
194KB

MD5
8803d517ac24b157431d8a462302b400

SHA1
b56afcad22e8cda4d0e2a98808b8e8c5a1059d4e

SHA256
418395efd269bc6534e02c92cb2c568631ada6e54bc55ade4e4a5986605ff786

SHA512
38fdfe0bc873e546b05a8680335526eec61ccc8cf3f37c60eee0bc83ec54570077f1dc1da26142488930eabcc21cb7a33c1b545a194cbfb4c87e430c4b2bfb50

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 235815.crdownload

Filesize
211KB

MD5
a933a1a402775cfa94b6bee0963f4b46

SHA1
18aa7b02f933c753989ba3d16698a5ee3a4d9420

SHA256
146581f0b3fbe00026ee3ebe68797b0e57f39d1d8aecc99fdc3290e9cfadc4fc

SHA512
d83da3c97ffd78c42f49b7bfb50525e7c964004b4b7d9cba839c0d8bf3a5fe0424be3b3782e33c57debc6b13b5420a3fa096643c8b7376b3accfb1bc4e7d7368

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 500431.crdownload

Filesize
1.4MB

MD5
63210f8f1dde6c40a7f3643ccf0ff313

SHA1
57edd72391d710d71bead504d44389d0462ccec9

SHA256
2aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f

SHA512
87a89e8ab85be150a783a9f8d41797cfa12f86fdccb48f2180c0498bfd2b1040b730dee4665fe2c83b98d436453680226051b7f1532e1c0e0cda0cf702e80a11

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 888428.crdownload

Filesize
224KB

MD5
5c7fb0927db37372da25f270708103a2

SHA1
120ed9279d85cbfa56e5b7779ffa7162074f7a29

SHA256
be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844

SHA512
a15f97fad744ccf5f620e5aabb81f48507327b898a9aa4287051464019e0f89224c484e9691812e166471af9beaddcfc3deb2ba878658761f4800663beef7206

Download Submit
C:\Users\Admin\Downloads\ViraLock

Filesize
6KB

MD5
76e08b93985d60b82ddb4a313733345c

SHA1
273effbac9e1dc901a3f0ee43122d2bdb383adbf

SHA256
4dc0a8afbf4dbb1a67b9292bb028b7f744f3029b0083c36307b1f84a00692a89

SHA512
4226266b623d502f9b0901355ff388e1fc705e9baff0cbe49a52ef59578e1cc66f5026c030df4c8a8f5000b743523ccf18c533aee269b562d3017d14af014f9d

Download Submit
C:\Users\Admin\Downloads\Wocm.exe

Filesize
317KB

MD5
50aa55f1bb3a108611e0ee5336cbe430

SHA1
da974e63d90266bbf555ba4bac3d89c292bad35a

SHA256
739f9b22c2d2f4e9152d1e576cb80e9c7f10ce42057e18812e88dd245f75e1a0

SHA512
59c26e5463ec0221a8325d6399bb4224d5e2ea2075024a9c17913af88b947fe1ea761a436ae0e83c109cfb7fc348d99cfa86b897be3290583b7f695b6dedf460

Download Submit
C:\Users\Admin\Downloads\c.vbs

Filesize
201B

MD5
02b937ceef5da308c5689fcdb3fb12e9

SHA1
fa5490ea513c1b0ee01038c18cb641a51f459507

SHA256
5d57b86aeb52be824875008a6444daf919717408ec45aff4640b5e64610666f1

SHA512
843eeae13ac5fdc216b14e40534543c283ecb2b6c31503aba2d25ddd215df19105892e43cf618848742de9c13687d21e8c834eff3f2b69a26df2509a6f992653

Download Submit
C:\Users\Admin\Downloads\cIQo.exe

Filesize
222KB

MD5
baa54a6a491481a2c4b94e13e8f74d6e

SHA1
8cd13e36b7013bcab0bc1bf378f102426d4cf12b

SHA256
d7d7be4be35237bcd4a1215fdbfc9f7e9e5a01c030e2ccd40f1b209961133848

SHA512
53e93f3f1be88780bf0e68a8282cbd3494273b64fe2a8728164fbc89dde0081e7564c52518e4af9999c18bc86c43bde80e8d6dedc810378be301cbdfadaaa640

Download Submit
C:\Users\Admin\Downloads\cYQi.exe

Filesize
1.5MB

MD5
17c7e1834a8b7e8f97da890d824d8ed4

SHA1
a30d7c8a8582cecfdea00a5de109547c56e45ac6

SHA256
7a34f565fb6b3946dfc7e47311c7d8927da52e6e2747ab9abd5d174211e3c4bb

SHA512
796d7784aa4d57f733176a96e0598bd7e8ed4763d6a70ad548898613fc865f81fb9168178ed52f4f65bbbe27e1981977809971db46dfa5418b3b9fbe30de51f8

Download Submit
C:\Users\Admin\Downloads\ekIG.exe

Filesize
809KB

MD5
0e6e6d4ac9dcdfbb55c2c45797b11f5f

SHA1
af8dc12ea937f672e466c737bef740a8c9b1b2d5

SHA256
4e92c6c7c9f1d51f97129d6c2c0a7a1f1cee90207240c9885dc386e012c0f212

SHA512
21b39a10a7ebf82d8700c910d48df5cb9f84b43b7146f2d48e73745e584c6fe397324fc15d58518f8ce0a45d97ed7111e6b6d1ac9d162f20ee0076ec6c55600b

Download Submit
C:\Users\Admin\Downloads\gsAa.exe

Filesize
654KB

MD5
ac171fd5728480e839e81ef9b534bdf0

SHA1
57a32061fea724a8f1bb478e1a05c44d482a09dd

SHA256
10fe41bb32fd292244ca94ec8efa3fcac9822ac333b4e1d660595301613eb4f5

SHA512
888370a1e4bd60563a8c863d85e774233f71a1052e95adbf86980d33b23223e003c89eecd44cad3554cc4c7160ccb24ae98c61fe504ff6092b6de2b4ddc6cd30

Download Submit
C:\Users\Admin\Downloads\iYIU.exe

Filesize
818KB

MD5
3c0d7797e4b7c8ba69fd6d9dbf040d8a

SHA1
5acff1d3ed30acd2b1b329354a13572907efa8dc

SHA256
05a9a52ee4b31f448e3edfcd406df8b06f0811318b99f260e582045a1f5c243d

SHA512
aff4adab52d78727de881b1ce6b327ba56dd408f029d7380bf1ef0ce1b84540c64b9d8fdaee1633549fda4f2a78462d33a813f628d529984fffccdc9c0eddf71

Download Submit
C:\Users\Admin\Downloads\kAMu.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\Downloads\oUIm.exe

Filesize
812KB

MD5
5fa7db29afc8a23a170571bc0da6ce66

SHA1
08e302905d84eedf4419b7cd4975150d1f2e1f5a

SHA256
a19573ad7a561d7675839fe8f4e5f1bf22381d834b0a3718c099a3a0a11d4d90

SHA512
a02f6c98a5c32c716aee7b67bab4ff9a92ba2254d024cebd4b21812be778522885cba437a36b20842bdb9d0e0f81c94ae32872427fa7e76a5860a15d2ad1d703

Download Submit
C:\Users\Admin\Downloads\oUQA.exe

Filesize
324KB

MD5
4e04da6f4f30ed7cdc88664d302dac6b

SHA1
a66bf9a8b2dc43a063e3b874f94f014b71503f4d

SHA256
d3085279b0f8076ab0079fed25e70367a3877d4f192592ee1816f66b70e9f45f

SHA512
e86068dac9e6e4f7009bbb168ba9de1f423fe1c1599dc9be355d80f23adeb031338c8ebb7ef7aaf47ab28a61ea0f03972df1201443fa0ae93d8c9f0bea0857b0

Download Submit
C:\Users\Admin\Downloads\osQE.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\Downloads\u.wry

Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
C:\Users\Admin\Downloads\yIMK.exe

Filesize
234KB

MD5
7df4f97366ce93aa9492332ffb93998d

SHA1
a5de270decc7fcc437a904c9dd27630332f1ac73

SHA256
e9b0250dc065d64541458c80cb3e6720f3b6770557462ff2d27e8ac34d3e54a5

SHA512
3da6e9febae5b10b87bdc940b7c647c83d68951c4e2050ee21ff506875488dcda1c11387fc560bbbc2249cf2ae0bfff5cf1de5fe3e41efb6bd4b5e6d76f4f8ca

Download Submit
C:\Users\Admin\GQQcAAII\DigksUsI.exe

Filesize
179KB

MD5
8d7adfac0bd019bab762f4003d928488

SHA1
02fcdb625e90e6de6958d19063df6063bc0c4737

SHA256
65960f5891ddf8bc503c6f03d8408a69e5bfe83128bb144f7a9f8e5e55dc7743

SHA512
c7df909df6538e4a14db35da942d6763fc054288133548cfcd561951f4fa5ff82c2d33f3bce5ae0359a91aeb0e69c9293aa346b69fecb8de20aac01a26379c2b

Download Submit
memory/376-2961-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/712-2738-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/712-2730-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/784-2854-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/784-2861-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1480-2494-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1532-897-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1532-933-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1532-1050-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1532-965-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1532-1087-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1532-3347-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1532-2014-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1532-2877-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1532-1099-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1532-893-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1532-3531-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1532-3572-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1532-3505-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1532-999-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1532-925-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1996-1317-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1996-1236-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2000-2962-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2000-2972-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2004-1112-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download
memory/2016-3049-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2068-2749-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2068-2739-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2216-1153-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2216-1977-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2548-924-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2548-929-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2552-3212-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2552-3129-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2560-2801-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2688-2757-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2892-2917-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3048-894-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3048-891-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3048-895-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3048-901-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3048-898-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3104-1157-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3104-1167-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3124-1140-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3124-3562-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3368-1143-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3368-3565-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3620-1111-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3620-1149-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3628-3025-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3872-1179-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3872-1244-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3876-2438-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3876-2707-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4004-3001-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4004-3008-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4040-1602-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4040-1649-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4176-2909-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4176-2899-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4696-2871-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4980-1405-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4980-1184-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4980-1168-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5124-2934-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5124-2922-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5152-3545-0x00007FF8837A0000-0x00007FF8839AB000-memory.dmp

Filesize
2.0MB

Download
memory/5152-3542-0x00007FF897170000-0x00007FF897181000-memory.dmp

Filesize
68KB

Download
memory/5152-3548-0x00007FF893DF0000-0x00007FF893E11000-memory.dmp

Filesize
132KB

Download
memory/5152-3549-0x00007FF88E370000-0x00007FF88E388000-memory.dmp

Filesize
96KB

Download
memory/5152-3550-0x00007FF886880000-0x00007FF886891000-memory.dmp

Filesize
68KB

Download
memory/5152-3551-0x00007FF886860000-0x00007FF886871000-memory.dmp

Filesize
68KB

Download
memory/5152-3552-0x00007FF886840000-0x00007FF886851000-memory.dmp

Filesize
68KB

Download
memory/5152-3546-0x00007FF888D80000-0x00007FF888DC1000-memory.dmp

Filesize
260KB

Download
memory/5152-3537-0x00007FF8842D0000-0x00007FF884586000-memory.dmp

Filesize
2.7MB

Download
memory/5152-3538-0x00007FF89BAD0000-0x00007FF89BAE8000-memory.dmp

Filesize
96KB

Download
memory/5152-3539-0x00007FF898090000-0x00007FF8980A7000-memory.dmp

Filesize
92KB

Download
memory/5152-3540-0x00007FF8979B0000-0x00007FF8979C1000-memory.dmp

Filesize
68KB

Download
memory/5152-3541-0x00007FF897190000-0x00007FF8971A7000-memory.dmp

Filesize
92KB

Download
memory/5152-3543-0x00007FF8970A0000-0x00007FF8970BD000-memory.dmp

Filesize
116KB

Download
memory/5152-3544-0x00007FF895590000-0x00007FF8955A1000-memory.dmp

Filesize
68KB

Download
memory/5152-3547-0x00007FF8819C0000-0x00007FF882A70000-memory.dmp

Filesize
16.7MB

Download
memory/5152-3535-0x00007FF6AFD30000-0x00007FF6AFE28000-memory.dmp

Filesize
992KB

Download
memory/5152-3536-0x00007FF89F240000-0x00007FF89F274000-memory.dmp

Filesize
208KB

Download
memory/5156-3035-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5156-3026-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5204-1529-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5220-4453-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5220-4377-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5240-2953-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5288-2872-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5288-2881-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5440-2844-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5484-2015-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5484-2152-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5528-2926-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5532-2980-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5568-2719-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5568-2727-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5580-2999-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5580-2990-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5584-2802-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5584-2825-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5672-2783-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5672-2773-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5684-2852-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5692-1539-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5772-2771-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5772-2761-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5820-2988-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5868-2945-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5868-2935-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5976-2889-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/6012-3040-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/6012-3081-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/6028-3016-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/6092-2716-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/6096-2782-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/6096-2790-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/6128-3148-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download