hxxps://go[.]enderman[.]ch/repository

Resubmissions

22/02/2024, 09:45

240222-lrcmhsfh69 10

21/02/2024, 16:36

240221-t4e76sbb3y 8

21/02/2024, 15:26

240221-svfa5shh4z 6

21/02/2024, 15:19

240221-sp5nvaad77 10

Analysis

max time kernel
86s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
22/02/2024, 09:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://go.enderman.ch/repository

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	[email protected]
Set value (int)	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	[email protected]
Set value (int)	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	[email protected]
Set value (int)	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	[email protected]
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	[email protected]
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (56) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Executes dropped EXE 64 IoCs

pid	Process
2092	qoowkYwM.exe
4588	zIYwgAQc.exe
1156	[email protected]
864	[email protected]
4960	[email protected]
1140	reg.exe
2720	[email protected]
4500	Conhost.exe
4684	[email protected]
3672	[email protected]
772	[email protected]
3724	[email protected]
5096	reg.exe
2968	reg.exe
3060	Conhost.exe
1156	cscript.exe
3752	reg.exe
1776	reg.exe
376	[email protected]
652	[email protected]
4060	[email protected]
976	cmd.exe
3248	[email protected]
4488	[email protected]
3704	Conhost.exe
952	Conhost.exe
2288	cscript.exe
3464	Conhost.exe
1472	Conhost.exe
5064	[email protected]
1004	Conhost.exe
396	[email protected]
4724	Conhost.exe
1108	cmd.exe
576	[email protected]
5016	cmd.exe
4480	reg.exe
376	cscript.exe
60	reg.exe
3248	Conhost.exe
180	reg.exe
2424	Conhost.exe
4252	cmd.exe
696	reg.exe
1776	reg.exe
4456	cmd.exe
652	cscript.exe
5012	reg.exe
1960	Conhost.exe
1480	cmd.exe
3268	Conhost.exe
3424	Conhost.exe
3596	Conhost.exe
1072	Process not Found
3688	Conhost.exe
3996	cmd.exe
2772	cscript.exe
1200	Process not Found
4860	Conhost.exe
5016	Process not Found
4296	Process not Found
3704	Conhost.exe
4868	Process not Found
5000	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoowkYwM.exe = "C:\\Users\\Admin\\ZyUoAUYQ\\qoowkYwM.exe"	qoowkYwM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoowkYwM.exe = "C:\\Users\\Admin\\ZyUoAUYQ\\qoowkYwM.exe"	[email protected]
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\zIYwgAQc.exe = "C:\\ProgramData\\iuIUcggE\\zIYwgAQc.exe"	[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoowkYwM.exe = "C:\\Users\\Admin\\ZyUoAUYQ\\qoowkYwM.exe"	qoowkYwM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\zIYwgAQc.exe = "C:\\ProgramData\\iuIUcggE\\zIYwgAQc.exe"	zIYwgAQc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoowkYwM.exe = "C:\\Users\\Admin\\ZyUoAUYQ\\qoowkYwM.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 64 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	[email protected]
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	[email protected]
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	[email protected]
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	[email protected]
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	[email protected]
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	[email protected]
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	[email protected]
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	[email protected]
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	[email protected]
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	[email protected]
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
58	raw.githubusercontent.com
39	camo.githubusercontent.com
40	camo.githubusercontent.com
57	raw.githubusercontent.com

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\TMky.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\RAYW.ico	Process not Found
File opened for modification	C:\Windows\SysWOW64\UsQC.exe	Process not Found
File created	C:\Windows\SysWOW64\IgQA.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\HMgI.ico	Process not Found
File opened for modification	C:\Windows\SysWOW64\gYoG.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\sYgW.ico	Process not Found
File opened for modification	C:\Windows\SysWOW64\rAAA.ico	Process not Found
File opened for modification	C:\Windows\SysWOW64\aQcE.exe	reg.exe
File created	C:\Windows\SysWOW64\QMUG.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ccsS.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\tsAo.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\EEkU.ico	Process not Found
File opened for modification	C:\Windows\SysWOW64\fIEA.ico	Process not Found
File opened for modification	C:\Windows\SysWOW64\gwAi.ico	Process not Found
File created	C:\Windows\SysWOW64\WMoE.exe	Process not Found
File created	C:\Windows\SysWOW64\cgEc.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\FYAC.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\QMUG.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\AYsa.ico	Process not Found
File opened for modification	C:\Windows\SysWOW64\vEEC.ico	Process not Found
File opened for modification	C:\Windows\SysWOW64\nsgC.ico	Process not Found
File opened for modification	C:\Windows\SysWOW64\Rsss.exe	Process not Found
File created	C:\Windows\SysWOW64\rIgG.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\BAIe.ico	Process not Found
File created	C:\Windows\SysWOW64\bgQM.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\Akkw.ico	Process not Found
File created	C:\Windows\SysWOW64\tAEa.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\FIAE.ico	Process not Found
File opened for modification	C:\Windows\SysWOW64\ucsa.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\vIYm.ico	Process not Found
File created	C:\Windows\SysWOW64\jMQw.exe	Process not Found
File created	C:\Windows\SysWOW64\qsAw.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\RcMy.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\PsYU.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\OYwa.ico	Process not Found
File opened for modification	C:\Windows\SysWOW64\AQoC.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\IkME.ico	Process not Found
File opened for modification	C:\Windows\SysWOW64\ygwm.ico	Process not Found
File created	C:\Windows\SysWOW64\ZUMM.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\uUUy.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\qwcg.exe	Process not Found
File created	C:\Windows\SysWOW64\Hoom.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\rIgG.exe	Process not Found
File created	C:\Windows\SysWOW64\uUUy.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\jMge.ico	Process not Found
File opened for modification	C:\Windows\SysWOW64\bgQM.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\TMky.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\VwUO.ico	Process not Found
File opened for modification	C:\Windows\SysWOW64\oMQK.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\PIce.ico	Process not Found
File created	C:\Windows\SysWOW64\qwcg.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\EYME.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\wokc.exe	Process not Found
File created	C:\Windows\SysWOW64\gYoG.exe	Process not Found
File created	C:\Windows\SysWOW64\AQoC.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\Roke.ico	Process not Found
File opened for modification	C:\Windows\SysWOW64\cgEc.exe	Process not Found
File created	C:\Windows\SysWOW64\xUcI.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\wsgy.ico	Process not Found
File opened for modification	C:\Windows\SysWOW64\PsgA.exe	Process not Found
File created	C:\Windows\SysWOW64\EUIs.exe	Process not Found
File created	C:\Windows\SysWOW64\iMEs.exe	Process not Found
File created	C:\Windows\SysWOW64\Rsss.exe	Process not Found

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
644	reg.exe
3992	Process not Found
2904	Process not Found
2680	Process not Found
976	reg.exe
1136	Process not Found
2024	reg.exe
4456	reg.exe
3872	reg.exe
2904	Process not Found
4796	Process not Found
5116	reg.exe
3956	reg.exe
652	reg.exe
4256	Process not Found
3760	Process not Found
3688	reg.exe
3676	reg.exe
1668	reg.exe
1228	reg.exe
4932	reg.exe
3680	reg.exe
4128	Process not Found
392	Process not Found
1464	reg.exe
2092	reg.exe
2116	reg.exe
4428	Process not Found
3184	reg.exe
2320	reg.exe
3900	reg.exe
724	Process not Found
4868	reg.exe
3980	Process not Found
1552	reg.exe
3688	Process not Found
4472	Process not Found
5004	Process not Found
4668	reg.exe
3076	reg.exe
1536	Process not Found
2708	Process not Found
3556	Process not Found
3428	Process not Found
228	reg.exe
1692	Process not Found
1748	reg.exe
4480	reg.exe
4460	Process not Found
3092	Process not Found
1200	reg.exe
3484	Process not Found
1748	Process not Found
4352	Process not Found
2244	Process not Found
2116	Process not Found
1384	Process not Found
2904	reg.exe
3380	Process not Found
228	reg.exe
1692	Process not Found
1504	Process not Found
4564	Process not Found
1828	Process not Found

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
964	msedge.exe
964	msedge.exe
4388	msedge.exe
4388	msedge.exe
2152	identity_helper.exe
2152	identity_helper.exe
4960	msedge.exe
4960	msedge.exe
4240	[email protected]
4240	[email protected]
4240	[email protected]
4240	[email protected]
2860	[email protected]
2860	[email protected]
2860	[email protected]
2860	[email protected]
1556	[email protected]
1556	[email protected]
1556	[email protected]
1556	[email protected]
1156	[email protected]
1156	[email protected]
1156	[email protected]
1156	[email protected]
864	[email protected]
864	[email protected]
864	[email protected]
864	[email protected]
4960	[email protected]
4960	[email protected]
4960	[email protected]
4960	[email protected]
1140	reg.exe
1140	reg.exe
1140	reg.exe
1140	reg.exe
2720	[email protected]
2720	[email protected]
2720	[email protected]
2720	[email protected]
4500	Conhost.exe
4500	Conhost.exe
4500	Conhost.exe
4500	Conhost.exe
4684	[email protected]
4684	[email protected]
4684	[email protected]
4684	[email protected]
3672	[email protected]
3672	[email protected]
3672	[email protected]
3672	[email protected]
772	[email protected]
772	[email protected]
772	[email protected]
772	[email protected]
3724	cmd.exe
3724	cmd.exe
3724	cmd.exe
3724	cmd.exe
5096	reg.exe
5096	reg.exe
5096	reg.exe
5096	reg.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3508	taskmgr.exe
Token: SeSystemProfilePrivilege	3508	taskmgr.exe
Token: SeCreateGlobalPrivilege	3508	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
3508	taskmgr.exe
3508	taskmgr.exe
3508	taskmgr.exe
3508	taskmgr.exe
3508	taskmgr.exe
3508	taskmgr.exe
3508	taskmgr.exe
3508	taskmgr.exe
3508	taskmgr.exe
3508	taskmgr.exe
3508	taskmgr.exe
3508	taskmgr.exe
3508	taskmgr.exe
3508	taskmgr.exe
3508	taskmgr.exe
3508	taskmgr.exe
3508	taskmgr.exe
3508	taskmgr.exe
3508	taskmgr.exe
3508	taskmgr.exe
3508	taskmgr.exe
3508	taskmgr.exe
3508	taskmgr.exe
3508	taskmgr.exe
3508	taskmgr.exe
3508	taskmgr.exe
3508	taskmgr.exe
3508	taskmgr.exe
3508	taskmgr.exe
3508	taskmgr.exe
3508	Process not Found

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
3508	taskmgr.exe
3508	taskmgr.exe
3508	taskmgr.exe
3508	taskmgr.exe
3508	taskmgr.exe
3508	taskmgr.exe
3508	taskmgr.exe
3508	taskmgr.exe
3508	taskmgr.exe
3508	taskmgr.exe
3508	taskmgr.exe
3508	taskmgr.exe
3508	taskmgr.exe
3508	taskmgr.exe
3508	taskmgr.exe
3508	taskmgr.exe
3508	taskmgr.exe
3508	taskmgr.exe
3508	taskmgr.exe
3508	taskmgr.exe
3508	taskmgr.exe
3508	taskmgr.exe
3508	taskmgr.exe
3508	taskmgr.exe
3508	taskmgr.exe
3508	taskmgr.exe
3508	taskmgr.exe
3508	taskmgr.exe
3508	taskmgr.exe
3508	taskmgr.exe
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4388 wrote to memory of 2500	4388	msedge.exe	22
PID 4388 wrote to memory of 2500	4388	msedge.exe	22
PID 4388 wrote to memory of 4900	4388	msedge.exe	86
PID 4388 wrote to memory of 4900	4388	msedge.exe	86
PID 4388 wrote to memory of 4900	4388	msedge.exe	86
PID 4388 wrote to memory of 4900	4388	msedge.exe	86
PID 4388 wrote to memory of 4900	4388	msedge.exe	86
PID 4388 wrote to memory of 4900	4388	msedge.exe	86
PID 4388 wrote to memory of 4900	4388	msedge.exe	86
PID 4388 wrote to memory of 4900	4388	msedge.exe	86
PID 4388 wrote to memory of 4900	4388	msedge.exe	86
PID 4388 wrote to memory of 4900	4388	msedge.exe	86
PID 4388 wrote to memory of 4900	4388	msedge.exe	86
PID 4388 wrote to memory of 4900	4388	msedge.exe	86
PID 4388 wrote to memory of 4900	4388	msedge.exe	86
PID 4388 wrote to memory of 4900	4388	msedge.exe	86
PID 4388 wrote to memory of 4900	4388	msedge.exe	86
PID 4388 wrote to memory of 4900	4388	msedge.exe	86
PID 4388 wrote to memory of 4900	4388	msedge.exe	86
PID 4388 wrote to memory of 4900	4388	msedge.exe	86
PID 4388 wrote to memory of 4900	4388	msedge.exe	86
PID 4388 wrote to memory of 4900	4388	msedge.exe	86
PID 4388 wrote to memory of 4900	4388	msedge.exe	86
PID 4388 wrote to memory of 4900	4388	msedge.exe	86
PID 4388 wrote to memory of 4900	4388	msedge.exe	86
PID 4388 wrote to memory of 4900	4388	msedge.exe	86
PID 4388 wrote to memory of 4900	4388	msedge.exe	86
PID 4388 wrote to memory of 4900	4388	msedge.exe	86
PID 4388 wrote to memory of 4900	4388	msedge.exe	86
PID 4388 wrote to memory of 4900	4388	msedge.exe	86
PID 4388 wrote to memory of 4900	4388	msedge.exe	86
PID 4388 wrote to memory of 4900	4388	msedge.exe	86
PID 4388 wrote to memory of 4900	4388	msedge.exe	86
PID 4388 wrote to memory of 4900	4388	msedge.exe	86
PID 4388 wrote to memory of 4900	4388	msedge.exe	86
PID 4388 wrote to memory of 4900	4388	msedge.exe	86
PID 4388 wrote to memory of 4900	4388	msedge.exe	86
PID 4388 wrote to memory of 4900	4388	msedge.exe	86
PID 4388 wrote to memory of 4900	4388	msedge.exe	86
PID 4388 wrote to memory of 4900	4388	msedge.exe	86
PID 4388 wrote to memory of 4900	4388	msedge.exe	86
PID 4388 wrote to memory of 4900	4388	msedge.exe	86
PID 4388 wrote to memory of 964	4388	msedge.exe	87
PID 4388 wrote to memory of 964	4388	msedge.exe	87
PID 4388 wrote to memory of 64	4388	msedge.exe	88
PID 4388 wrote to memory of 64	4388	msedge.exe	88
PID 4388 wrote to memory of 64	4388	msedge.exe	88
PID 4388 wrote to memory of 64	4388	msedge.exe	88
PID 4388 wrote to memory of 64	4388	msedge.exe	88
PID 4388 wrote to memory of 64	4388	msedge.exe	88
PID 4388 wrote to memory of 64	4388	msedge.exe	88
PID 4388 wrote to memory of 64	4388	msedge.exe	88
PID 4388 wrote to memory of 64	4388	msedge.exe	88
PID 4388 wrote to memory of 64	4388	msedge.exe	88
PID 4388 wrote to memory of 64	4388	msedge.exe	88
PID 4388 wrote to memory of 64	4388	msedge.exe	88
PID 4388 wrote to memory of 64	4388	msedge.exe	88
PID 4388 wrote to memory of 64	4388	msedge.exe	88
PID 4388 wrote to memory of 64	4388	msedge.exe	88
PID 4388 wrote to memory of 64	4388	msedge.exe	88
PID 4388 wrote to memory of 64	4388	msedge.exe	88
PID 4388 wrote to memory of 64	4388	msedge.exe	88
PID 4388 wrote to memory of 64	4388	msedge.exe	88
PID 4388 wrote to memory of 64	4388	msedge.exe	88

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	[email protected]
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	[email protected]
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	[email protected]
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	[email protected]
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	[email protected]
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	[email protected]
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	[email protected]
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	[email protected]
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	[email protected]
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	[email protected]
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://go.enderman.ch/repository
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8d64a46f8,0x7ff8d64a4708,0x7ff8d64a4718
  2⤵
  PID:2500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2188,17018796036738982179,6177754092372892417,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2208 /prefetch:2
  2⤵
  PID:4900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2188,17018796036738982179,6177754092372892417,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2188,17018796036738982179,6177754092372892417,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2820 /prefetch:8
  2⤵
  PID:64
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,17018796036738982179,6177754092372892417,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:4668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,17018796036738982179,6177754092372892417,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:2848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,17018796036738982179,6177754092372892417,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5004 /prefetch:1
  2⤵
  PID:1480
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2188,17018796036738982179,6177754092372892417,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5840 /prefetch:8
  2⤵
  PID:2568
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2188,17018796036738982179,6177754092372892417,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5840 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,17018796036738982179,6177754092372892417,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:1
  2⤵
  PID:3384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2188,17018796036738982179,6177754092372892417,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3992 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2188,17018796036738982179,6177754092372892417,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5280 /prefetch:8
  2⤵
  PID:4732
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    - UAC bypass
    PID:3268

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4808

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3576

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2020

C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
"C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:4240
- C:\Users\Admin\ZyUoAUYQ\qoowkYwM.exe
  "C:\Users\Admin\ZyUoAUYQ\qoowkYwM.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2092
- C:\ProgramData\iuIUcggE\zIYwgAQc.exe
  "C:\ProgramData\iuIUcggE\zIYwgAQc.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4588
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
  2⤵
  PID:2156
- - C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
    C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2860
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
      4⤵
      PID:2720
    - - C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1556
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        6⤵
        
        PID:4288
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        8⤵
        
        PID:3872
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        10⤵
        
        PID:1252
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        11⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        System policy modification
        
        PID:4960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        12⤵
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        13⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        14⤵
        
        PID:4840
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        16⤵
        
        PID:5088
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        17⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        18⤵
        
        PID:2568
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:4684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        20⤵
        
        PID:576
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        21⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1120
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:3672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        22⤵
        
        PID:4164
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:4500
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        24⤵
        
        PID:3464
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        25⤵
        Executes dropped EXE
        
        PID:3724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        26⤵
        
        PID:3280
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        27⤵
        
        PID:5088
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        27⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        28⤵
        
        PID:5064
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        29⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        30⤵
        
        PID:4636
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        31⤵
        
        PID:5032
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        31⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        32⤵
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        33⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        34⤵
        
        PID:2496
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        35⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        36⤵
        
        PID:4456
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        37⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        38⤵
        
        PID:5012
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        39⤵
        
        PID:376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        40⤵
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        41⤵
        Executes dropped EXE
        
        PID:652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        42⤵
        
        PID:3304
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        43⤵
        Executes dropped EXE
        
        PID:4060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        44⤵
        
        PID:1140
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        45⤵
        
        PID:976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        46⤵
        
        PID:2332
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        47⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        48⤵
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        49⤵
        Executes dropped EXE
        
        PID:4488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        50⤵
        
        PID:4632
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        51⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        52⤵
        
        PID:4536
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        53⤵
        
        PID:952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        54⤵
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        55⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        56⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4240
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        57⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        58⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3724
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        59⤵
        
        PID:4860
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        59⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        60⤵
        
        PID:4244
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        61⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        System policy modification
        
        PID:5064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        62⤵
        
        PID:3980
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        63⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        64⤵
        
        PID:2332
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        65⤵
        
        PID:396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        66⤵
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        67⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        68⤵
        
        PID:2860
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        69⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        70⤵
        
        PID:2888
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        71⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        
        PID:576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        72⤵
        
        PID:1252
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        73⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        74⤵
        
        PID:2468
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        75⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        76⤵
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        77⤵
        Executes dropped EXE
        
        PID:376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        78⤵
        
        PID:2332
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        79⤵
        
        PID:1140
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        79⤵
        
        PID:60
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        80⤵
        
        PID:1464
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        81⤵
        Executes dropped EXE
        
        PID:3248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        82⤵
        
        PID:3304
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        83⤵
        
        PID:180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        84⤵
        
        PID:3796
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        85⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        86⤵
        
        PID:4512
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        87⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        88⤵
        
        PID:1672
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        89⤵
        
        PID:2332
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        89⤵
        
        PID:696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        90⤵
        
        PID:744
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        91⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        92⤵
        
        PID:3544
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        93⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        94⤵
        
        PID:1784
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        95⤵
        
        PID:696
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        95⤵
        
        PID:652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        96⤵
        
        PID:4240
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        97⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        98⤵
        
        PID:908
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        99⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        100⤵
        
        PID:652
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        101⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        102⤵
        
        PID:4908
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        103⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        104⤵
        
        PID:4536
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        105⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        106⤵
        
        PID:3980
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        107⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        108⤵
        
        PID:4044
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        109⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        110⤵
        
        PID:4336
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        111⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        112⤵
        
        PID:3388
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        113⤵
        
        PID:228
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        113⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        114⤵
        
        PID:1156
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        115⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        116⤵
        
        PID:4384
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        117⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        118⤵
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        119⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        120⤵
        
        PID:4428
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        121⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        122⤵
        
        PID:3364
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        123⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        124⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2332
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        125⤵
        UAC bypass
        
        PID:3468
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        125⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        126⤵
        
        PID:4164
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        127⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        128⤵
        
        PID:4244
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        129⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        130⤵
        
        PID:3856
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        131⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        132⤵
        
        PID:1072
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        133⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        134⤵
        
        PID:4252
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        135⤵
        
        PID:3304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        136⤵
        
        PID:4800
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        137⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        138⤵
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        139⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        140⤵
        
        PID:232
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        141⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        142⤵
        
        PID:3796
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        143⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        144⤵
        
        PID:4800
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        145⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        146⤵
        
        PID:2468
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        147⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        148⤵
        
        PID:4152
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        149⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        150⤵
        
        PID:1472
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        151⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        152⤵
        
        PID:2080
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        153⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        154⤵
        
        PID:4060
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        155⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        156⤵
        
        PID:1260
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        157⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:2860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        158⤵
        
        PID:1044
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        159⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        160⤵
        
        PID:3588
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        161⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        162⤵
        
        PID:1072
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        163⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        164⤵
        
        PID:2888
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        165⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        166⤵
        
        PID:4860
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        167⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        168⤵
        
        PID:1004
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        169⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        170⤵
        
        PID:2080
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        171⤵
        
        PID:572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        172⤵
        
        PID:1328
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        173⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        
        PID:396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        174⤵
        
        PID:5096
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        175⤵
        
        PID:2964
        
        C:\Users\Admin\ZyUoAUYQ\qoowkYwM.exe
        
        "C:\Users\Admin\ZyUoAUYQ\qoowkYwM.exe"
        176⤵
        Adds Run key to start application
        
        PID:4380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        176⤵
        
        PID:1944
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        177⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        178⤵
        
        PID:4136
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        179⤵
        
        PID:3768
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        179⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        180⤵
        
        PID:4972
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        181⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:1784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        182⤵
        
        PID:2876
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        183⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        184⤵
        
        PID:1528
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        185⤵
        Executes dropped EXE
        
        PID:3248
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        185⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        186⤵
        
        PID:4544
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        187⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        188⤵
        
        PID:3596
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        189⤵
        
        PID:724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        190⤵
        
        PID:2920
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        191⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        192⤵
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        193⤵
        
        PID:448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        194⤵
        
        PID:4960
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        195⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        196⤵
        Executes dropped EXE
        
        PID:5016
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        197⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        198⤵
        
        PID:4336
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        199⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        200⤵
        
        PID:2276
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        201⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        202⤵
        
        PID:2840
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        203⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        204⤵
        
        PID:3184
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        205⤵
        
        PID:952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        206⤵
        
        PID:4132
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        207⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        208⤵
        
        PID:3596
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        209⤵
        
        PID:3304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        210⤵
        
        PID:3636
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        211⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        212⤵
        
        PID:4472
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        213⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        214⤵
        
        PID:3724
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        215⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        216⤵
        
        PID:2840
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        217⤵
        
        PID:3304
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        218⤵
        
        PID:4756
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        217⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        218⤵
        
        PID:3256
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        219⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        220⤵
        
        PID:1192
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        221⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        222⤵
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        223⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        224⤵
        Executes dropped EXE
        
        PID:4252
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        225⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        226⤵
        
        PID:3636
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        227⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        228⤵
        
        PID:4464
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        229⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        230⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1048
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        231⤵
        
        PID:1156
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        231⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        232⤵
        
        PID:60
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        233⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        234⤵
        
        PID:4636
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        235⤵
        
        PID:3556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        236⤵
        
        PID:3116
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        237⤵
        UAC bypass
        
        PID:2612
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        237⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        238⤵
        
        PID:1624
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        239⤵
        
        PID:4656
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        239⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        240⤵
        Executes dropped EXE
        
        PID:3996
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        241⤵
        
        PID:812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        242⤵
        
        PID:4592
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        243⤵
        
        PID:976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        244⤵
        
        PID:5016
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        245⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        246⤵
        
        PID:3796
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        247⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        248⤵
        
        PID:1252
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        249⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        250⤵
        
        PID:1660
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        251⤵
        
        PID:392
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        251⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        252⤵
        
        PID:656
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        253⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        254⤵
        
        PID:4192
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        255⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:1792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        256⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4636
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        257⤵
        Executes dropped EXE
        
        PID:3424
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        257⤵
        
        PID:852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        258⤵
        
        PID:4264
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        259⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IscgkAUc.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        258⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        256⤵
        
        PID:872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        256⤵
        
        PID:3320
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        257⤵
        Executes dropped EXE
        
        PID:3268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        256⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bUgAUswk.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        256⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        257⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        254⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        254⤵
        
        PID:4000
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        255⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        254⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kKggAkII.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        254⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        255⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        252⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4724
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        253⤵
        Executes dropped EXE
        
        PID:1960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        252⤵
        
        PID:3856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZmMAsAAw.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        252⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        253⤵
        
        PID:744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        252⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        250⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iocwMgkM.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        250⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        251⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        250⤵
        
        PID:3304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        250⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        248⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        248⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        248⤵
        
        PID:812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KuoAcwUY.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        248⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        249⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        246⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PyIQAgEI.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        246⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        247⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        246⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        246⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        244⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        244⤵
        Modifies registry key
        
        PID:4868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        244⤵
        
        PID:228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xQYMEMwY.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        244⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        245⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JaAcwcMo.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        242⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        243⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        242⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        242⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        242⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        240⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        240⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        240⤵
        Executes dropped EXE
        
        PID:1776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GkAYggYY.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        240⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        241⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        238⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Xygggssk.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        238⤵
        
        PID:656
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        239⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        238⤵
        
        PID:1288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        238⤵
        Executes dropped EXE
        
        PID:5012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        236⤵
        Modifies registry key
        
        PID:3680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        236⤵
        Executes dropped EXE
        
        PID:696
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        237⤵
        
        PID:116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        236⤵
        
        PID:636
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        237⤵
        Executes dropped EXE
        
        PID:3596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WQgQoUgI.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        236⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        237⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        234⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        234⤵
        Modifies registry key
        
        PID:4480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        234⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rwQwcIck.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        234⤵
        
        PID:1472
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        235⤵
        Executes dropped EXE
        
        PID:3704
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        235⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        232⤵
        Modifies visibility of file extensions in Explorer
        
        PID:772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        232⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        232⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SmgIAcYs.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        232⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        233⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:2496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        230⤵
        
        PID:2828
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        231⤵
        
        PID:1072
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        232⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GcMAYkII.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        230⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        231⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        230⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        230⤵
        
        PID:724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        228⤵
        
        PID:4972
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        229⤵
        Executes dropped EXE
        
        PID:2424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uwUockgM.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        228⤵
        
        PID:376
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        229⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        228⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        228⤵
        
        PID:1472
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        227⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        226⤵
        Modifies registry key
        
        PID:2320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        226⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\saQQIkIA.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        226⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        227⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        226⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        224⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        224⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OmckcwMI.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        224⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        225⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        224⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vOssIYgc.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        222⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        223⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        222⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        222⤵
        
        PID:852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        222⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        220⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FWIsUYwM.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        220⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        221⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        220⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        220⤵
        UAC bypass
        
        PID:952
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        221⤵
        
        PID:976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        218⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        218⤵
        
        PID:2020
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        219⤵
        Executes dropped EXE
        
        PID:3688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WwwgAYQw.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        218⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        219⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        218⤵
        Modifies registry key
        
        PID:3184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        216⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VQMYAwwY.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        216⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        217⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        216⤵
        UAC bypass
        
        PID:1260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        216⤵
        
        PID:724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        214⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        214⤵
        Modifies registry key
        
        PID:976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JKocckAk.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        214⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        215⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        214⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tWcYIYQU.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        212⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        213⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        212⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        212⤵
        Executes dropped EXE
        
        PID:60
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        212⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        210⤵
        
        PID:872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IKEwsQYI.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        210⤵
        
        PID:4632
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        211⤵
        Executes dropped EXE
        
        PID:4860
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        211⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        210⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        210⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ggcgkUAU.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        208⤵
        
        PID:3076
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        209⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        209⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        208⤵
        Drops file in System32 directory
        Modifies registry key
        
        PID:2092
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        209⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        208⤵
        
        PID:1192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        208⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        206⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        206⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        206⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TOUQUQgM.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        206⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        System policy modification
        
        PID:4456
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        207⤵
        
        PID:572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        204⤵
        
        PID:3688
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        205⤵
        UAC bypass
        
        PID:3876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        204⤵
        Executes dropped EXE
        
        PID:4480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ykMoIoUw.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        204⤵
        Executes dropped EXE
        
        PID:1480
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        205⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        204⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dQYEkwEM.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        202⤵
        
        PID:1496
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        203⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        203⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        202⤵
        
        PID:4060
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        203⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        202⤵
        
        PID:1048
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        203⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        202⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        200⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NkwwMkQw.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        200⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        201⤵
        
        PID:3980
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        202⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        200⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        200⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        198⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        198⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        198⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PAYcIkgg.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        198⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        199⤵
        
        PID:1260
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        198⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        196⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        196⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ACQYEcQI.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        196⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        197⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        196⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        194⤵
        
        PID:4724
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        195⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        194⤵
        
        PID:3556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FCkMYQwg.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        194⤵
        
        PID:772
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        195⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        194⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        192⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        192⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        192⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wgYgAcsw.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        192⤵
        
        PID:1260
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        193⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        190⤵
        
        PID:872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zEAMcgkw.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        190⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        191⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        190⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        190⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        188⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EcYQEccE.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        188⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        189⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        188⤵
        
        PID:392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        188⤵
        UAC bypass
        
        PID:2964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        186⤵
        
        PID:1004
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        187⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        186⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        186⤵
        UAC bypass
        
        PID:644
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        187⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fgYAMgAg.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        186⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        187⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        184⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VuoUEoIQ.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        184⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        185⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        System policy modification
        
        PID:652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        184⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        184⤵
        
        PID:872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        182⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xmEkQwYs.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        182⤵
        
        PID:952
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        183⤵
        Executes dropped EXE
        
        PID:4724
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        183⤵
        
        PID:3556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        182⤵
        
        PID:392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        182⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        180⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        180⤵
        
        PID:3856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SskskYEk.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        180⤵
        
        PID:208
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        181⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        181⤵
        
        PID:448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        180⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        178⤵
        UAC bypass
        
        PID:2244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eQUAkMcU.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        178⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        179⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        178⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        178⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        176⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        176⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        176⤵
        
        PID:448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ASYgEMYo.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        176⤵
        
        PID:4572
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        177⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1960
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        177⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        174⤵
        
        PID:3464
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        175⤵
        Executes dropped EXE
        
        PID:1004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\suQgwoIM.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        174⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        175⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        174⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        174⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fSYwgowk.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        172⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        173⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        172⤵
        
        PID:4996
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        173⤵
        UAC bypass
        
        PID:3060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        172⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        172⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VugkkAsM.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        170⤵
        
        PID:4836
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        171⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        171⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        170⤵
        
        PID:652
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        171⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        
        PID:1552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        170⤵
        
        PID:4384
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        171⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        170⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        168⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iSoUwAsE.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        168⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        169⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        168⤵
        Modifies registry key
        
        PID:4932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        168⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oMsQEsoU.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        166⤵
        
        PID:3768
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        167⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        166⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        166⤵
        Modifies registry key
        
        PID:2904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        166⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iosEIwMA.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        164⤵
        
        PID:452
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        165⤵
        UAC bypass
        
        PID:4532
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        165⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        164⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        164⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        164⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HIgUwAQw.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        162⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        163⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        Modifies registry key
        
        PID:652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        
        PID:1260
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        163⤵
        UAC bypass
        
        PID:4164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UowUYcsY.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        160⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        161⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        Modifies registry key
        
        PID:3956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        
        PID:976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        
        PID:4252
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        159⤵
        Executes dropped EXE
        
        PID:1472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PocMYoYE.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        158⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        159⤵
        
        PID:3556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        
        PID:3768
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        157⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kCcoEQIE.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        156⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        157⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        
        PID:1048
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        157⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        Modifies registry key
        
        PID:3076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        
        PID:952
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        155⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eYEgMIIQ.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        154⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        155⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        System policy modification
        
        PID:2772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        Executes dropped EXE
        
        PID:180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        
        PID:116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZGAUAIsQ.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        152⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        153⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BSYgkUso.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        150⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        151⤵
        Executes dropped EXE
        
        PID:376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        
        PID:3856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        UAC bypass
        
        PID:852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        Modifies registry key
        
        PID:1228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QGoscwcc.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        148⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\euIMcAMk.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        146⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kWogoUIA.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        144⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WIcIMkoA.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        142⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:4628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        
        PID:980
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        141⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        
        PID:744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RIYQsMsc.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        140⤵
        
        PID:5000
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        141⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:3076
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        140⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        Modifies registry key
        
        PID:644
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        139⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        Modifies registry key
        
        PID:3872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EKwMcwAs.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        138⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jmUwcYEc.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        136⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1464
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        
        PID:5100
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        135⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BaUYEAMk.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        134⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        
        PID:852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        
        PID:2256
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        133⤵
        
        PID:908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\caUIYEgY.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        132⤵
        
        PID:116
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:3956
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        134⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        Modifies registry key
        
        PID:1748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        
        PID:3388
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        131⤵
        Executes dropped EXE
        
        PID:3704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        
        PID:1260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JoYogMgY.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        130⤵
        
        PID:952
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JSUccAgc.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        128⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CCgYwUgg.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        126⤵
        
        PID:4316
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        127⤵
        
        PID:1480
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        128⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:2752
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        128⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        
        PID:180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gooQMQcU.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        124⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VOAQoYMo.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        122⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:1784
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        
        PID:852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pIEsEQAk.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        120⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NssgwsUU.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        118⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cSYMQcUE.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        116⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        
        PID:976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        Modifies registry key
        
        PID:1200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pwocMgIU.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        114⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YCUskgQs.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        112⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:4668
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        UAC bypass
        
        PID:1556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        UAC bypass
        
        PID:4636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iYUsQUcY.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        110⤵
        
        PID:392
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:1776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vCEUEkcM.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        108⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:3104
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        110⤵
        Executes dropped EXE
        
        PID:952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:116
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        107⤵
        UAC bypass
        
        PID:3996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VkkQMggc.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        106⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        
        PID:952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sissgAIw.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        104⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:3724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        
        PID:656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nqYwYAMw.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        102⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        Modifies registry key
        
        PID:1552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DSssYcoU.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        100⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kcwIkccQ.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        98⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        Modifies registry key
        
        PID:4456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PCMQggUE.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        96⤵
        
        PID:3304
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        Executes dropped EXE
        
        PID:2288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        Modifies registry key
        
        PID:4668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oWIwcQgA.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        94⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        Modifies registry key
        
        PID:228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XikooQgo.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        92⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        
        PID:772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ESMQoAkI.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        90⤵
        
        PID:3104
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        91⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        Modifies visibility of file extensions in Explorer
        
        PID:544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BoYYIEsE.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        88⤵
        
        PID:376
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies visibility of file extensions in Explorer
        
        PID:396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        Modifies registry key
        
        PID:3688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        
        PID:4756
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        87⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dwgUgIQg.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        86⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QSMUAwoE.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        84⤵
        Executes dropped EXE
        
        PID:976
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        85⤵
        UAC bypass
        
        PID:2084
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        
        PID:396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:2680
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        83⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\maYsYksA.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        82⤵
        
        PID:908
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\awkwIUog.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        80⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        System policy modification
        
        PID:1108
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:3672
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        79⤵
        UAC bypass
        
        PID:3676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        UAC bypass
        
        PID:5116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\weUMYcIs.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        78⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        
        PID:4796
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        77⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AewEAMcA.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        76⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:3768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        
        PID:3304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:3076
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        75⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\newwcIUk.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        74⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sCYMsMIQ.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        72⤵
        
        PID:696
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tcQkwswI.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        70⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2100
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:4164
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        72⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        
        PID:3672
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        69⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        Modifies registry key
        
        PID:1464
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        69⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        
        PID:3060
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        69⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kuEMEIIc.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        68⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        Modifies registry key
        
        PID:5116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        
        PID:852
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        67⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EQoIMwAA.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        66⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FcIQMYEQ.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        64⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vQgQIYQU.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        62⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        Executes dropped EXE
        
        PID:1156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aSUsAUok.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        60⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:2612
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        62⤵
        Executes dropped EXE
        
        PID:3464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        Executes dropped EXE
        
        PID:1776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GIIYwsoA.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        58⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        UAC bypass
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:5096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bewwIcws.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        56⤵
        
        PID:1260
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:3364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        
        PID:576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zGwcMMUw.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        54⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        
        PID:4136
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        53⤵
        Executes dropped EXE
        
        PID:3060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BSsoMYIM.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        52⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        
        PID:396
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        51⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        
        PID:5064
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        51⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cqMYsYgE.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        50⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PGcEswcM.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        48⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xGIIMMAQ.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        46⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vSAUwcYs.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        44⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        Executes dropped EXE
        
        PID:2968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        Modifies registry key
        
        PID:3900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:4684
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        43⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        
        PID:3992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yQYgkMgs.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        42⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:2828
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        Executes dropped EXE
        
        PID:3752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lugcQcEg.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        40⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:3848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XikosAsw.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        38⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        
        PID:456
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        39⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        Modifies registry key
        
        PID:2116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies registry key
        
        PID:228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gwAgkIsg.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        36⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:3280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        
        PID:3364
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        35⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eukkAAgY.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        34⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        
        PID:5088
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        33⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NckEYwAM.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        32⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\doMAcoYg.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        30⤵
        
        PID:3848
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        31⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KeoosIoE.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        28⤵
        
        PID:4796
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        29⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        
        PID:4240
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        27⤵
        
        PID:576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JmcsMIcc.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        26⤵
        
        PID:696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kkwsAEsI.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        24⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:3856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\msIUQAEg.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        22⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\waAwUYQQ.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        20⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EOEMkIMw.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        18⤵
        
        PID:1528
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        19⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        
        PID:4408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CycIQUws.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        16⤵
        
        PID:976
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies registry key
        
        PID:1668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iUoYEgQA.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        14⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OWoQcEgk.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        12⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        UAC bypass
        
        PID:4060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AoksAcQA.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        10⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        
        PID:4044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:3464
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bgYMIAcM.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        8⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        
        PID:4060
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fSksIQUc.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        6⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:1552
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        
        PID:4960
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:4240
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        
        PID:4528
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:4668
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:4684
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\seEoYAYw.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
      4⤵
      PID:5096
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:2424
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:4060
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mYwgMEUU.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
  2⤵
  PID:4520
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:3104
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:4952
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:952
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:3428

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1528

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2276

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3508

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Modifies visibility of file extensions in Explorer
PID:4104

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4132

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4456

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4656

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2680

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3544

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e596357.rbs

Filesize
100KB

MD5
54b21f971b77f657e6482c4d0ebc1801

SHA1
752627a096b1fe6f6560d3571b1cf2b5ec43f6e4

SHA256
463f8ad7648e7b2689df71260bdabad717d053cbafd987247f1ce8b1baeb96ce

SHA512
421fa15a17defdf3c1c2c2752292164c056ead7356a62d5bca924aff3459f8a6f8ee347d87b7e6d6b4ad32b9b3029b83f1252b1ce20002eeafb2a172cbfeee60

Download Submit
C:\Config.Msi\e59635b.rbs

Filesize
101KB

MD5
b0f835d01a6ff60e91f6b6a2838c2121

SHA1
8f18dd06879a7c719e5fbe5431b4b2cd95abba4f

SHA256
21904b5565d7a717624a23be5e96a1ac38e202f80855400954ed27dd8dae8a52

SHA512
97a9237f3834570d3afb7b081ddeb663fd536982c38c278c02cb92035c8fbc34d93e9da90423251b6e5e7891c60b34a5393d7559e020c4fff6186350610e8229

Download Submit
C:\Program Files (x86)\Windows\Error file remover\Windows Logoff Sound.wav

Filesize
724KB

MD5
bab1293f4cf987216af8051acddaf97f

SHA1
00abe5cfb050b4276c3dd2426e883cd9e1cde683

SHA256
bc26b1b97eeb45995bbd5f854db19f994cce1bb9ac9fb625eb207302dccdf344

SHA512
3b44371756f069be4f70113a09761a855d80e96c23c8cd76d0c19a43e93d1a159af079ba5189b88b5ee2c093099a02b00ea4dc20a498c9c0c2df7dc95e5ddd49

Download Submit
C:\Program Files (x86)\Windows\Error file remover\fatalerror.exe

Filesize
24KB

MD5
e579c5b3c386262e3dd4150eb2b13898

SHA1
5ab7b37956511ea618bf8552abc88f8e652827d3

SHA256
e9573a3041e5a45ed8133576d199eb8d12f8922bbe47d194fef9ac166a96b9e2

SHA512
9cf947bad87a701f0e0ad970681767e64b7588089cd9064c72bf24ba6ca0a922988f95b141b29a68ae0e0097f03a66d9b25b9d52197ff71f6e369cde0438e0bb

Download Submit
C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe

Filesize
643KB

MD5
59d67115b0c795791066174596c858ca

SHA1
eff5d78a92a01d73d238dbaf654ff13e972b4acf

SHA256
6a5660637316021ec2aa991885c5239814acd4ea6bc76fdd4d750a31f3af3ce8

SHA512
3f8ffdd9ffeea5e8031dcdb5007bcdad75ea1ed658edb8f5de59d46c4c7d120cc4310a6b39ce42c40a4c52a9eab5962b551d19b0c51b676bf07030c01bbe503a

Download Submit
C:\ProgramData\iuIUcggE\zIYwgAQc.exe

Filesize
202KB

MD5
b5cd730d17b4c247c00576961ba40e82

SHA1
814f6bf82fb79fb569d191570eabc76fbb75b51b

SHA256
ab5aa8ab7795b70594a1cbd9069d8a4049f8b8f63d32f0e166b575a48c7d6e9f

SHA512
9aaff433ad70b00e231d60e813117746307803eef0e12d9ce24c78d82df28fef7e5481fbc4ea5c782109779ddf5a1d03b198f76630b38887a6f8c77e4f958f71

Download Submit
C:\ProgramData\iuIUcggE\zIYwgAQc.inf

Filesize
4B

MD5
76cdc10ffbe8ed8aa5e1ec153776950f

SHA1
4512b3a97c8b87bcbd1cecaf9c0f51f99c69a575

SHA256
e109c66e0ee40762c6e2c04d56af651b9c1eabba5ac352e2c5862993a25b4b75

SHA512
47194fc5865f881c4f1e3eb060a5a8b822bdb8866446fe48f4ae37be6f79637db90b6dc55b5c5795058710adcf111af7aa85a38ac1a0d3476bb006e367b566bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\256.png.exe

Filesize
190KB

MD5
51daee250b79121c0e53e0d81ae9c18a

SHA1
e5c07c4bdff660d098a325018945122994837492

SHA256
7a76e8e44d0e172ea7829169fb6a62666734bb3e99c8e12543ef09f4d70f13da

SHA512
b6b70c0e6b82f2d729dacd0d3d0bc7079e8eb13a5e8e41a470ac1387b8157c098e40abe98ffc9fb09a2d33756533c872ff75c4fa366c852d26fc03df3b6c03dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3bde7b7b0c0c9c66bdd8e3f712bd71eb

SHA1
266bd462e249f029df05311255a15c8f42719acc

SHA256
2ccd4a1b56206faa8f6482ce7841636e7bb2192f4cf5258d47e209953a77a01a

SHA512
5fab7a83d86d65e7c369848c5a7d375d9ad132246b57653242c7c7d960123a50257c9e8c4c9a8f22ee861fce357b018236ac877b96c03990a88de4ddb9822818

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9cafa4c8eee7ab605ab279aafd19cc14

SHA1
e362e5d37d1a79e7b4a8642b068934e4571a55f1

SHA256
d0817f51aa2fb8c3cae18605dbfd6ec21a6ff3f953171e7ac064648ffdee1166

SHA512
eefd65ffcfb98ac8c3738eb2b3f4933d5bc5b992a1d465b8424903c8f74382ec2c95074290ddbb1001204843bfef59a32b868808a6bee4bc41ee9571515bbac6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
f26ced459b91696e1496ee7afd1c5c5e

SHA1
2e98db2b0505137ff951e9b249a86b69137fdafa

SHA256
5fd486f9c97143a11dae9a4993f8460303f6e6bfd7144f8f057bdb0893c5a730

SHA512
d42c419fc61259d12ca1b109888392eb3ef46f659c2dda72324fa52c7ff68b26aeeaf6876b9040e045639ecb8194a895e30383bd5410f63e449e22594748b8a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
735B

MD5
2ccca32ddaa877f737ad0fa7338fc87d

SHA1
5b0a508942f92e7038db6fd96696040d12fedc81

SHA256
e259a894219fede63b6949ea9e48a6173e1990f7fe0657918021e2e00a668882

SHA512
e3b3038895d189f17d8db9366eb17ad8570b9f7e9b4a07ab6e8c32edc242cce92dce88379c8efaf7402b82b7974e53a072d6cfc9b6f56ccd667c5ca146a7dcd7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9d96ab4e029fe94dda10ac6ec795f5d6

SHA1
f60c90d227d707d493ac03a462ce804edeaeec80

SHA256
425b82720a47238ca0ce10cd20eb3318914cbf6e30df6accb946481c4eef16ae

SHA512
34331edbe64e15a6e3270660a503cceeb770439af7d52c74e29c5a3d231021aa8c635d5cf79eb2cc019e1c49567a13a1d879e7703ac10268eec00d668032a3d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4130a78687645c781770d6683c8c004e

SHA1
bedcd6934eab3a1b548e4b0da0b6a693b6606182

SHA256
9f53582b17ab4cb61e84176d4ee0c27fa80151042644fe0699b6ffe91dba6baa

SHA512
c4825b1479491f0c2f52f87d853be5c0db435d9e8b2b8076d469577194b55f4fa303ce8f1b9669e953a33d9bb74e795d9d3fef2a07117d1ad6df7134c0a6d5c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
08dab2755a7a962f41dc59c9326e88dd

SHA1
0517cf5353f2e8c29d0aa3d8bd23bf32efa798f5

SHA256
a9d3bd128fd9a3c7bdc999aabfb3f3bba952a37add53f22860428263baea1217

SHA512
d6df004661c0afc390529428456469eb7fb7d6259ba2dbe73ab9c8f901606362d6ff0e8872441f9123a2525d7098ffc4fe838e97c5f66cfe2bb2bd1ff87919d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
0a167fe68c8549447cf20b1a4b2f379e

SHA1
af3436de19267e64be051c53607ae1c5a9f478c7

SHA256
7e33c23269e99ec58dca29d857b5cedc22173e826ed98a12d05cbb18b8b0f154

SHA512
998e10de8b28db8babc72724d7970aac6cdc68754bece2aeb5627037a3547d40cb7d7829ffc8dbf3f303d11a3ced1cd8ea69883ffb8bbe1c9655b8561809c50c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
b872ca8eb1efb1eeb0f1026a405c0da1

SHA1
2d10b6f026e68975517b51a64073b7aebf46624c

SHA256
27e0c3864b012c7525f233ea1a08881c59b13dbad86c345d1030f7dc4f175ae7

SHA512
23d3768e7cc5656d87e93e022a91af7a4689e196efb8c0bec51752848953a9f68918b65d49b314765ed1c549f0265b1076b3d14a8686129dd1554ef0a28eab36

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
4720def64bcadd8c71ecd5b3195ae825

SHA1
6c8d0955e0531cb7016fb3475bd39068931ef204

SHA256
e70709745b343ff2f69e46e6747a3a70ccf32de8f9aa8b57301d8783e4b450b5

SHA512
3cff570514fd9edce03a2d781b70bd88081290dbb6ccadcadf024035c858b0cde7bb26474c28112e01afe2cbe1425294c26b540571b73ead2089dad5bd0d142a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57b045.TMP

Filesize
1KB

MD5
d702590bfd43229c13327e8e49e8d5cf

SHA1
ec1e1fb351f357ea328a04c325b10ff54c7d7221

SHA256
1654616e4496a3c91b83f256e7f1fdc470068e05e3786f5a035e1ad5103ab5fb

SHA512
1502b07891b87d05397a6cf0dcd9c68cc7750e84613e8d40544a777b7bc708251135d91f264158b6b715e4dff7515dd95a3d6337a6dcd70dcb5b5bd6c04a8540

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\d47201b4-0dde-49a3-aa41-61b0d6662ec5.tmp

Filesize
6KB

MD5
5705e76e54d7ad1513b7bbbdfec26698

SHA1
a5ceb328961790c5f7ad56c2d75b7994f4fc2df1

SHA256
bb1ce68811cd65b6a5dd2363f8e3350ed3ad1f18a4b987dc0198ab139c6456f1

SHA512
33f74cac48cc9a14123d9fb62cd6f3581e40c98b9c2d96845e1f653ef97d9d90e5a8c26b1b405e3c4b4ac23ca5984fff713a36d94b0deb2512a821b2a0a68bc3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
7b45c062243fcb166de1c2e72896be70

SHA1
042fec6ccb99ac99c01650aebddb1b0c3ddee4d8

SHA256
fea9ca4887d069654dac143c0ec1594e6f7239b52906316614319ceeb604abe6

SHA512
0ef8754b6baafc7fc69f2afa2c5945721279e57757bd5d41db9b71a90efc505a7e907a6c3c3236d1a1e8e5bf85e96f250a61443e1f6152fed2aa7b74a57ee4b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
97640db7a092bb205c99ada2240c9ed5

SHA1
cddd77ee8eb9670e0656e97b9db95949b9597e47

SHA256
207914590cdc0c133b6687265a35b3e4e597d1ffc766feb9b9a4fb227d6ab8d0

SHA512
88ff516727b40e852a9cfebc40850265a30cdbeda7284ddcc7108e7977cbcfa4bfdb04044919f9ea327f47c4f6607f535978c9e65008861e267c6f4073c5a052

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
277b64600defeb10a39a2cdbd5a9badb

SHA1
f299142208395893d8837a44f0b73796d39f15a1

SHA256
41c794d40f3cf5ef215a6bf1cd8d9dd4b15a6750524b29fff801538c5764b921

SHA512
115352f85c8dc1d25c197a96a4a09eabd4f9af19138e332896f90f619a5c38cfb45526cfc79e21096d07e9e5b6f5eebf824cd1aa2cb403b26b2cc5bfb55a8a5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\OneDriveLogo.png.exe

Filesize
196KB

MD5
f5d70bd357ef7c81d32925dba3577875

SHA1
be90f458408ff67aa9b59f72e1ae2bb4816de24c

SHA256
728a34665b1aebe54592291428352b3b7895fb71fef5580860d76a5bbb34338c

SHA512
0e38e167e7c9538783066ee1e08b81f666c46a30d4ddc5a5ad3cd3e698f69fdc280254c7590bfead84f5d07bcfce4d6c8be8da93d1bfc73a55cdd5e61487f631

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaNearing.png.exe

Filesize
201KB

MD5
7873151b82558458abd88a70ecdc1f65

SHA1
ce1a917bceaeab3c981f8bd378f67ee7f355fb9c

SHA256
f67c599cc099c9226d04abc3afa26187349a92ab1c48a3b71f2e365aa24e12c3

SHA512
c7d90e418ed37747cba7b6944f5103ddd3e7b53ffc5b5bb909e83eb1edfab0c3a9e6d6736545189d959f726e0b1d4ec9699a83acf953be7c05bbd65a631301f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Error file remover\1.0.0.0\tracking.ini

Filesize
84B

MD5
ef82c5dced1cfc5fda71d01cf83d7c7d

SHA1
c88436097a68b4aec0646ff5debf3eb2907c73e6

SHA256
d35b6a4410ddb0fbbd486e66a7438e000712ce15b1b15bd7f2b65f33519b5c73

SHA512
1dc6a88fe6518720802635463c84c8a469fcde6bb582df07a23d277dc828a47b4efea0dc29086f4e8d834a8e1acb492467728653ecf60191f972a7c8b0f594e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Error file remover\1.0.0.0\tracking.ini

Filesize
84B

MD5
b75ae29c9e4e348b2cc26fc6aa80e750

SHA1
7dc7a51e3c9b1e07c8b1651bcaf09b2586b7ee12

SHA256
2d85b5a934e6644b29cad686fdd9233366c632ee169dcd921f01786b4aabd624

SHA512
c96898a7b9635af430206d9e2d9962666a8ecdbebac5bfec18fca265eff31e64fd3a2fe42f7f5dffad4558a77b654cb949a202de279bf1255c55a33ad3bc0eb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Error file remover\1.0.0.0\tracking.ini

Filesize
84B

MD5
887e2b592f3ce2777959c9e8bec1bf07

SHA1
513148779d2a142d6da09c381fb41f26840f9aa2

SHA256
a350eefeeb932aacde4d14000eed0bd1c33b7f9fcfe9538e818dc707cc35d3ce

SHA512
f989b8e9f79f373a06a2ac689115d11634405d3683bfa676c8838508ea8e6fee961b9a28f4b56866e5f47461ec8ea293ed920e732f74db1e7595224ba799ff29

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Error file remover\1.0.0.0\tracking.ini

Filesize
84B

MD5
201abb61307880bf6476862d8537ee72

SHA1
04726cb9a997a05be7bee8d95ed19a9b76e3422f

SHA256
1677d467e99c85a10bd8e1808e84b274ebe10feb8a7c06d73be9bc626d2f840b

SHA512
37d994fd83710a6f3166ee7b5635438b09f7aaa108772df3c886723ab47dd3841abdb8fbf028f66416cf8720df63e4d3be1d16ade65cc7b200357c172fd11789

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Error file remover\1.0.0.0\tracking.ini

Filesize
26B

MD5
6bc190dd42a169dfa14515484427fc8e

SHA1
b53bd614a834416e4a20292aa291a6d2fc221a5e

SHA256
b3395b660eb1edb00ff91ece4596e3abe99fa558b149200f50aabf2cb77f5087

SHA512
5b7011ed628b673217695809a38a800e9c8a42ceb0c54ab6f8bc39dba0745297a4fbd66d6b09188fcc952c08217152844dfc3ada7cf468c3aafcec379c0b16b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Error file remover\1.0.0.0\{883C8A0F-5CD0-4819-9B8D-57C36D4BC37A}.session

Filesize
2KB

MD5
93b9ab2d735ffbe23851f414d2bbe3bb

SHA1
17fb7e7dcf33de981b0bbb3a38bac00364afb297

SHA256
5282d9a2b8dbc7295a608627a13ddc024de0a2323a1e2100e0f3d62eaf6d148a

SHA512
aa3802e81cc0b90a4d3da1d25262f5f0a3a28ec98a85bac98e8ea4970cda8e4d2d41b82d64e295de2ec980c98e394305d46976db88ec4ea2224d85dbb0a24739

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Error file remover\1.0.0.0\{883C8A0F-5CD0-4819-9B8D-57C36D4BC37A}.session

Filesize
4KB

MD5
4af1068fb153a21444af487318b678bd

SHA1
fd11d786a5a72a2f9d20b75b90716fd868f2ab75

SHA256
c7e67c1319b3760d88f5099b1504fa0205291deb04bd2838850629564e8162f3

SHA512
af875ef57c3cd4aa0f3f0b9eee5f69f86c9e377188d97101cef4b2071208d220fc06eb00f34b8c7a813a9af93eece7663b013a5dffa0edbf97f3d005ce80bd87

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Error file remover\1.0.0.0\{883C8A0F-5CD0-4819-9B8D-57C36D4BC37A}.session

Filesize
4KB

MD5
1ad45ecfdec5d7909d7ab37bf7c26a58

SHA1
b4ed1d81263e7eb99362e1efb1805b75f99cfaaa

SHA256
eb0f7a4b232a14e2953fa6570839675b27946c4dd6c6bc7bd3caebade137fa3b

SHA512
6d539b9152ecee5d9611b48bedb147b90e99cfbff33ae3b16d04089a7c7bce19069084cdb5ffaf92401b0bcb65214f052010b2acaac7aa5587e2170c0f72c18d

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Error file remover\1.0.0.0\{8C300AA9-8BD2-4216-8109-DFAB7536BDCA}.session

Filesize
4KB

MD5
9ba66cb2c88a4c86ac585915510a5c5f

SHA1
37b1551f1a8cbc90df8e0a5e98eb3b9dc7b13617

SHA256
edc6573dded852ad4c3af029dc45f6ac98a8630c6e94f431c649c79be6cc9f04

SHA512
0b41c3aadcc1f3d661e945d0b8b60d1aa651fef4655664dcf638570013dc93d9a05faecbfea2f212fd09024eccabdd6df3ab25111d96385a140c3e0e9df61016

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Error file remover\1.0.0.0\{8C300AA9-8BD2-4216-8109-DFAB7536BDCA}.session

Filesize
4KB

MD5
35408629c1e7b4db0fdf979b8fad3b8a

SHA1
a189969d85f434918a2fa6c090074745add1f791

SHA256
83ad99e53d2811bd09893906252efe692d3dbba4d0971a8c8d859f46c780091f

SHA512
cf17792759dda71e5aeec4d4e43369a87e74f5650585000bacedebef902bfc5f61702011ebc0eaf32194cfcaa5b3a5a5dff5b992972d985eac8b95751f718765

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom

Filesize
25KB

MD5
2fc0e096bf2f094cca883de93802abb6

SHA1
a4b51b3b4c645a8c082440a6abbc641c5d4ec986

SHA256
14695f6259685d72bf20db399b419153031fa35277727ab9b2259bf44a8f8ae3

SHA512
7418892efe2f3c2ff245c0b84708922a9374324116a525fa16f7c4bca03b267db123ad7757acf8e0ba15d4ea623908d6a14424088a542125c7a6394970dd8978

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]

Filesize
220KB

MD5
3ed3fb296a477156bc51aba43d825fc0

SHA1
9caa5c658b1a88fee149893d3a00b34a8bb8a1a6

SHA256
1898f2cae1e3824cb0f7fd5368171a33aba179e63501e480b4da9ea05ebf0423

SHA512
dc3d6e409cee4d54f48d1a25912243d07e2f800578c8e0e348ce515a047ecf5fa3089b46284e0956bbced345957a000eecdc082e6f3060971759d70a14c1c97e

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\mYwgMEUU.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\shi82A3.tmp

Filesize
3.1MB

MD5
aff55ff1a0d686ad405855bd22a932d6

SHA1
00b5db2b0322b2aad7aebd80d1d13372eeb85832

SHA256
926a128e1ef90c09470460fab0682fa500640b96ad3ad6fd8efaff9ed46e97db

SHA512
19bccc43eff166e1c701713edd6279d6c55b1c1277c2391eec73e6aebd201db762a52fc5a764900ac04441e73c573703ee29944c6c0a8e59d90b46b3279cd11e

Download Submit
C:\Users\Admin\AppData\Roaming\Windows\Error file remover 1.0.0.0\install\0A01606\Error file remover.msi

Filesize
1010KB

MD5
27bc9540828c59e1ca1997cf04f6c467

SHA1
bfa6d1ce9d4df8beba2bedf59f86a698de0215f3

SHA256
05c18698c3dc3b2709afd3355ad5b91a60b2121a52e5fcc474e4e47fb8e95e2a

SHA512
a3ae822116cddb52d859de7ffc958541bb47c355a835c5129aade9cc0e5fba3ff25387061deb5b55b5694a535f09fe8669485282eb6e7c818cc7092eb3392848

Download Submit
C:\Users\Admin\AppData\Roaming\Windows\Error file remover 1.0.0.0\install\decoder.dll

Filesize
126KB

MD5
3531cf7755b16d38d5e9e3c43280e7d2

SHA1
19981b17ae35b6e9a0007551e69d3e50aa1afffe

SHA256
76133e832c15aa5cbc49fb3ba09e0b8dd467c307688be2c9e85e79d3bf62c089

SHA512
7b053ba2cf92ef2431b98b2a06bd56340dad94de36d11e326a80cd61b9acb378ac644ac407cf970f4ef8333b8d3fb4ff40b18bb41ec5aee49d79a6a2adcf28fd

Download Submit
C:\Users\Admin\Downloads\PolyRansom.zip

Filesize
130KB

MD5
7a5ab2552c085f01a4d3c5f9d7718b99

SHA1
e148ca4cce695c19585b7815936f8e05be22eb77

SHA256
ed8d4bb55444595fabb8172ee24fa2707ab401324f6f4d6b30a3cf04a51212d4

SHA512
33a0fe5830e669d9fafbc6dbe1c8d1bd13730552fba5798530eeb652bb37dcbc614555187e2cfd055f3520e5265fc4b1409de88dccd4ba9fe1e12d3c793ef632

Download Submit
C:\Users\Admin\Downloads\Winlocker.VB6.Blacksod.zip

Filesize
1.6MB

MD5
713f3673049a096ea23787a9bcb63329

SHA1
b6dad889f46dc19ae8a444b93b0a14248404c11d

SHA256
a62c54fefde2762426208c6e6c7f01ef2066fc837f94f5f36d11a36b3ecddd5f

SHA512
810bdf865a25bde85096e95c697ba7c1b79130b5e589c84ab93b21055b7341b5446d4e15905f7aa4cc242127d9ed1cf6f078b43fe452ad2e40695e5ab2bf8a18

Download Submit
C:\Users\Admin\ZyUoAUYQ\qoowkYwM.exe

Filesize
184KB

MD5
1df44c7955bab6eedde41e589aafe58a

SHA1
e5af4069dbcd22a761f2db614981cb5a1464dbb0

SHA256
f2b657e8e024ab5b5397d6aad4d6300e82367a8f1bb549fa5c3015527a380da1

SHA512
438e91c5a2ed717a5316b449e773e50078854b3fa65cbac47be3887491c61189c939e94de0e4f1ee0769e5b61f1082e58c21857f1f5e7f9dbf619d78e4f68b3b

Download Submit
C:\Windows\Installer\MSI65B9.tmp

Filesize
180KB

MD5
d552dd4108b5665d306b4a8bd6083dde

SHA1
dae55ccba7adb6690b27fa9623eeeed7a57f8da1

SHA256
a0367875b68b1699d2647a748278ebce64d5be633598580977aa126a81cf57c5

SHA512
e5545a97014b5952e15bb321135f65c0e24414f8dd606fe454fd2d048d3f769b9318df7cfb2a6bf932eb2bf6d79811b93cb2008115deb0f0fa9db07f32a70969

Download Submit
C:\Windows\Installer\MSI65D9.tmp

Filesize
88KB

MD5
4083cb0f45a747d8e8ab0d3e060616f2

SHA1
dcec8efa7a15fa432af2ea0445c4b346fef2a4d6

SHA256
252b7423b01ff81aea6fe7b40de91abf49f515e9c0c7b95aa982756889f8ac1a

SHA512
26f8949cad02334f9942fda8509579303b81b11bc052a962c5c31a7c6c54a1c96957f30ee241c2206d496d2c519d750d7f6a12b52afdb282fa706f9fee385133

Download Submit
C:\Windows\Installer\MSI86E0.tmp

Filesize
96KB

MD5
3cab78d0dc84883be2335788d387601e

SHA1
14745df9595f190008c7e5c190660361f998d824

SHA256
604e79fe970c5ed044517a9a35e4690ea6f7d959d21173ebef45cdd3d3a22bdd

SHA512
df6b49f2b5cddebd7e23e81b0f89e4883fc12d95735a9b3f84d2f402f4996c54b5fdea8adb9eaa98e8c973b089656d18d6b322bd71cb42d7807f7fa8a7348820

Download Submit
C:\Windows\Installer\MSI875F.tmp

Filesize
312KB

MD5
aa82345a8f360804ea1d8d935f0377aa

SHA1
c09cf3b1666d9192fa524c801bb2e3542c0840e2

SHA256
9c155d4214cebda186647c035ada552963dcac8f88a6b38a23ea34f9ecd1d437

SHA512
c051a381d87ba933ea7929c899fb01af2207cb2462dcb2b55c28cff65596b27bdb05a48207624eeea40fddb85003133ad7af09ca93cfb2426c155daea5a9a6db

Download Submit
C:\Windows\SysWOW64\AQoC.exe

Filesize
769KB

MD5
92ef73784a13496cbb256180be6761f9

SHA1
ff488641fc43e5b9920cae85cfe1931eb061ea26

SHA256
f3dd20eb34e666b6ba38599cf89c5538f442c21936eca6442f7053d85ac4623d

SHA512
5bebbaea1301b720beb200316b09c81a1c90b04f0e58fd8aa49d702456c6f06068e3414eb55492b2d67e9dba67bf28ab21867c1e31115a2cd7e99369e6512dc1

Download Submit
C:\Windows\SysWOW64\EUIs.exe

Filesize
128KB

MD5
d9a6a8058c3b8c967982bfae603b7986

SHA1
9a2dafe1f402106c2fc9f38c5541264194b7e4ca

SHA256
a47ad88a69a2bc4fb0e22f3fba557806d6a8249e2b779da8c5eb42c63e869025

SHA512
89294d235bdacde5710d281256497d7c0c9820cf2da1b811836795e435f21c6162f5677be7b9df14e615ada4a5c6a1bb8b730dda2e7e81fea06e4edf041a3f42

Download Submit
C:\Windows\SysWOW64\EUcS.exe

Filesize
630KB

MD5
cd382f7ee30df63bc98e12cb71c17b1c

SHA1
3204f6aaf316112223e4b4297d27936242f4dc09

SHA256
a1701f287c03e4203a49d460918845111f6fec72fc54ec36ec70292b52a71fc8

SHA512
ba81710856d3416594c1638cfc9cdebd6caee38ee167cf8baf44d651c9464e03646107c3bb7baf488bf5b4f9cc14c43c4b8ef673ec01db174168fe121b1abfed

Download Submit
C:\Windows\SysWOW64\EYME.exe

Filesize
187KB

MD5
80fd4bee436d85e22006b1ede3e03cd3

SHA1
33982cd950ddbdd5ec4c785f024105df1578cf98

SHA256
5c2e95dd70c3a4fa87934fddbebd09ce654f07264823f8b5ca20bca79ed60e93

SHA512
d0d07a7231f2d6fee584e33d3daa7deccf7a759476fa7417a7e6986a7c013727d593ea9faaa025a9e412183c0d927f100bcb96929ac882876def2b41573b5e62

Download Submit
C:\Windows\SysWOW64\EYQg.exe

Filesize
197KB

MD5
dbf1469b901d98be5867dc2047cc4004

SHA1
50fe47c48eb7e4c498c21725aa6fe1fa56b64815

SHA256
0a0f497eb23a0941566a23588e0f77dd7e80bd4ec077ae687a016e34f8a94464

SHA512
e0c43d33e6fc82ac57e839d1a289fbf4638b4bdc5bea8ff26990ad508c6bb28e7a7f15c4762897d755f202952e40b14733700e42836c5b4489a47b1ed135635b

Download Submit
C:\Windows\SysWOW64\EcIg.exe

Filesize
187KB

MD5
9ce10b6ddf115f4697a6c5f074321846

SHA1
b534cdf1c1e91ec9de146fada5d618c2440d2652

SHA256
145edd08bde26f3b96a913eafcee2ddc20852da159efe37a3b3093a75b66b5fe

SHA512
3f95aa69cbf1665632dcfe86fda27d7c302f5f02645e012e57c2b2a1e826f5ff1f996c2482087640fabaf33f111053ab51cec13e1b21bbc6a04ec4d528ea484f

Download Submit
C:\Windows\SysWOW64\EcQc.exe

Filesize
192KB

MD5
f375b93ca29607a27a65a792bfbf6898

SHA1
7b1c794800790910d6a4406f8051292086b581d3

SHA256
1937ce736ce89173293677bcaa12326b618fefbcf63ab0de6f26f148a1e5f00b

SHA512
a20d0dab3b90c765b90835ef15b228447c63ea167bb5af185040b7c56c88d42b9255311244edcb31d42130b6e124d2a7928fc2b96f91c1bda23de8eb5cdf0831

Download Submit
C:\Windows\SysWOW64\Egca.exe

Filesize
201KB

MD5
b40020504d85598bffd133fcdd5a3f37

SHA1
f48707f4e621050745fab83153e72a3ac9ae68dc

SHA256
fd24a073603d4a2a305b17e8b3ad19c29e0d888b60d75b9b1f14936cfa6df249

SHA512
2593fd07dd22ca003222292e82f37660d4f2469d58b6b1769a9e578e5be7953c7465db4f49aa1bac0e1e2b49dd854f6f2afa31ff453b8519bb293b8c9324e994

Download Submit
C:\Windows\SysWOW64\FUMO.exe

Filesize
197KB

MD5
dc67c36b24c209b5ce20c88492eb25d0

SHA1
99622cf40284bfab7192434d1beacd0366f8459a

SHA256
21ec940d12a23b1921352f840fedc0790fb322e9d7b0a90efe5781aa39775a56

SHA512
21cd7b04bbce7ef5be5ad2601512e1feaf8c8e7cc9347588622b5ac62d933b9d165d790cba6c104112b1617de60b1c32c87e72b95a8c732ba80792fd18c86772

Download Submit
C:\Windows\SysWOW64\FYAC.exe

Filesize
230KB

MD5
a5dc9ca49ae32abe5bcd2ea0e4029454

SHA1
9383e5497e6ebba5c8f9a8747b3ef5534f71291f

SHA256
79927103b592c654fb6c6881dfb413ef307b4d2cd7eab53e2c21d6c456105701

SHA512
4dc4b6e83286058467f52076d77fd809ecd3c5b0165ec228b99df96955e17f05871184f42740c57d718e410b41f2b00a119812982caa2a8f970bc64d67af4e5c

Download Submit
C:\Windows\SysWOW64\GcEQ.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Windows\SysWOW64\Hoom.exe

Filesize
203KB

MD5
9ccb5bfe09f0928794b5d1bde08c7abe

SHA1
7cb0bd7b8cb49976c2f49c3f72c7ac0469b13e89

SHA256
6f543f96214b6b996092d28c825550785146f585a51dba1ec28ca7e43bd182af

SHA512
c8a8d3484a0db331f8a88bb2a3ba128f4a398d87634219af98518fdeead9dc5f1a77a6e40e9b89d678725abff8e6ddb8ebca398f2e18214ff4eb598df2489f99

Download Submit
C:\Windows\SysWOW64\IgQA.exe

Filesize
197KB

MD5
dca8d5188e6e5680d7f908ade03e4c34

SHA1
3e89dc71327c0ff93c5ab28e636d6330a4cae0c7

SHA256
c7b93504817921df695b6d4e598bba03798644e7bf5519cc028ff6e00f15ee5c

SHA512
1d74399e639a50604a77a38e143c96761d687eea6b26a7b6eafe4d42192d33e22a0a64f89461f50bff8757f8b2174171a3487fe3d6e7f27369dd914e84b51e80

Download Submit
C:\Windows\SysWOW64\JUgi.exe

Filesize
211KB

MD5
4f7428ff54ec49b1992d37a28e5c0355

SHA1
14acec31ef07a34f7eb64c78f2a01b2eeac26b40

SHA256
731f2011ce0d37a24a1f955bee708d9ad6dee8191e929b56f0155a48fbed88fa

SHA512
fc88432f48cfbad89d707549515ad2e840060b7bc9b7627eb9a60a48b07915bd2bcdba36a30a75cc519133c55c924d3a07733026332a2f8237c13b67fc642137

Download Submit
C:\Windows\SysWOW64\KAcW.exe

Filesize
192KB

MD5
e7d56db76762b4d233a1a472e641d0c5

SHA1
3a7d69ec71532a5aa5334e2d7ee586694511a7fb

SHA256
351d1e608444eaec0634df1c1cd27fd375dc119c8a8e43aada4ae6becccaf805

SHA512
c200dd14412ded3924be3572db1d094652542599fc8f741f3d8b13c48f4ad3a4e6bdbf640ef85199ca3d4f7a569b773baddaaa2c52c7a891d5ec09d1a590b2cf

Download Submit
C:\Windows\SysWOW64\LAQW.exe

Filesize
561KB

MD5
62e43a07a0765558fa7dedc5bcd0426e

SHA1
3ee61fe0d0cc4c232afb7d79c7de0906086cf4d7

SHA256
c32e8b8b5bb1b082f6401780c1cd041a7a2396d10a14b53c1fedba749e6d3f11

SHA512
69293ba0cc34e2ad573c7e4a8309909505c11befec6fca1d253be6be9a0009f1ea6def8a11db23fa94661faf08798d57053c885fc1ba3fd518557f4d66a5bad4

Download Submit
C:\Windows\SysWOW64\Lows.exe

Filesize
309KB

MD5
f5b9028c2b4779b243afd51d84ffb606

SHA1
8042f7f492a39df1a3628f3fe86f7fec2dc10a1a

SHA256
b6448e7aa75bf86900a07986a790f69ec246a1b4701abe0ac058b8a7394c788a

SHA512
11c5c70339228c478798cd0f8d1909954e9ad0e81462fc804f882adfad22a4126ef8140f5046adc4cf479f64f44359cf512bb06bb8117b29de7f655b5ec05a31

Download Submit
C:\Windows\SysWOW64\MMwo.exe

Filesize
220KB

MD5
f6cc498815b7d7488c326c434d44f56e

SHA1
4f4abc6a60d16050b6aeed204d5122778936c7f3

SHA256
1e1fce2fe061067c211fe533730014700785d6c2625339b9819eb1966229d884

SHA512
eb0ce4b20748f9d78a36a15ec7f9ecac2352241cde1c45f938916d95baba6125decc298ec8cb7325b51ff1ba448f489da3a2d63b8816263e93ef601e8cf1bdd7

Download Submit
C:\Windows\SysWOW64\OMoQ.exe

Filesize
208KB

MD5
24b64eb0bb2852a8097516846651f2bd

SHA1
1371cef1093b10a2156c73f539e7d1437cc87bf4

SHA256
8dc0c204ab0f4e2d7ef6f074f49b71c2a56a7e0ce500e5d4b84d5ef612c5281a

SHA512
6ad81b4f2712ea2fceae579ed093d96ca30323582508fd15686490e7fa5527fb0c3e4767aa0570283b47fe0f5d939d6ee778560809b22736e3963cfb60b42476

Download Submit
C:\Windows\SysWOW64\PQYW.exe

Filesize
223KB

MD5
0f2d6de81f6c60704490a8961d14c1de

SHA1
02833961ac38d6f77bd3933c2e17db335fd9186d

SHA256
2cd3f77f7c248aee68c7e36343cc4bd44604adde10e967ee7d9a3def9a708372

SHA512
ca8dd7b6d88488a135b1809cb27c4be5c46694395494051fd98951f54ed25c978046585efa1a755900ee97ed7d2fa90fca6566b7d329cbfee2d7920f015a9064

Download Submit
C:\Windows\SysWOW64\PYkA.exe

Filesize
636KB

MD5
8e40d3238a4971308a9024fc4266877f

SHA1
cce90945eb448601678fbc2f27476613d093fcfb

SHA256
ddf4363bf3f6ee05a8e5960fa2c622b5414c472d06b696e6f7cf853ff90dc2c5

SHA512
d0d11d9362b51789cf2017ea26e9c0edc3f2f1acb063d526ab0d0e00ee3de7d97a8c2f2fc881cfa08b5c3f32d0c77631db9cfccf7dc4867d045eb0ad7a3c6980

Download Submit
C:\Windows\SysWOW64\PsYU.exe

Filesize
206KB

MD5
7f16523d8da1cbd845d9c5dceee8c96f

SHA1
0ff01b7f1f11d61aa3c732fd01b96d9b8d2cdb1c

SHA256
93bb852fef3334e5082ea4b88fc866cd9d964807146d7679cb1d6117fd256710

SHA512
ce9ece8b036a2de67cc7f4c359dfeea9fbcc619af086de0cebabf06c61a01a6c2ed2d2bd7f859ecd72ebabb7990dc81bdc9d46600063a334a7d64d37c6abd42a

Download Submit
C:\Windows\SysWOW64\PsgA.exe

Filesize
334KB

MD5
63a6f5c5685c087b780ef29c6c8923f0

SHA1
7418509445e9c77fcb9682a09814e047313e63d9

SHA256
e8467d184a411a3d5f933daa068a6a245d005f8d5eaa728b238e9093624b5dee

SHA512
5e6ad2d3188d140e77705977c2062fc7344a0a75c0e2da0ae56a9c0d2531eb570bdfdddb1f0bb179d676624dee526939b46e44559b8b5642b7fd81b973620156

Download Submit
C:\Windows\SysWOW64\QMUG.exe

Filesize
192KB

MD5
9c4dd80d3ce74e40fd5eb7815815418b

SHA1
2b40dbc98dc769e464924127b94577ae7d21f321

SHA256
ea120539f56abaa46f0846549b213e7ddf05e41e19bbc6e1f9e9edb77098687f

SHA512
f0a7c81aabd3a96078f5546a26f7e03641e1166ff15ec0a08158463e12b6c31045f1f47a53aa6361c81ec1af2cde7956f588aec2cdd77478f71c1e47613ff5ec

Download Submit
C:\Windows\SysWOW64\RQYE.exe

Filesize
195KB

MD5
2c394f29abe533a6afe11d5dc4ea4199

SHA1
e4566c7f75ed9d7d2e15d6d9a57e47819f06a381

SHA256
765f4c89d7c5f0ae2b0b87f86a7388440f1591c33a8302fe1942cfdd91592cab

SHA512
8447addcdd68c31431645d9f62d7ebf0fde7e1aca4c7818f55f43de36cffcafca1c5bd3441b2758f68da683130e4eec4858ef079a8bd048efb8bec387024b411

Download Submit
C:\Windows\SysWOW64\RcMy.exe

Filesize
187KB

MD5
e7a91fcdab5c9d2dc481287ad9301b4c

SHA1
3fc429914f6fb55dddd80cf34120a2aa5f94d911

SHA256
8003968e11c98d00b7d0499da86172707bf28e0b32074d561b528c0b1e477211

SHA512
676e631057f323d646627bd3fdf17f7bae0076b95e55be3e033fff366d4cb0aed9d715bdaab2f90dc527c6107d33eaefb07d5caa6bf46462a61b4d0d4d51c8b2

Download Submit
C:\Windows\SysWOW64\Rsss.exe

Filesize
186KB

MD5
4f261c8a478ba234a84192b7770140f0

SHA1
e6d817ea5cc440dba25a2599364c122be330ab02

SHA256
5be69674864387ea6fa60e043987100f42fab8fa40ff9181f13f7253b901d9f7

SHA512
638512c0fb887cca8d0563ab205aaa37f7b2003171893f7572c04b1706382aef5977487cee49f9ef0c7ef67a58fd3c52c5200576ffcec46b27d20cb8efb68cf5

Download Submit
C:\Windows\SysWOW64\RwsG.exe

Filesize
195KB

MD5
a325ab9018c38d41e2d86f19325efe59

SHA1
a403e0fdf14ce31422353abd60acfedeb65b5607

SHA256
c2ff0d18e9c13a0fbc7539b04cb18abeb5695ab538cdc54ce287fa11c1ef08d7

SHA512
ec82e25446663e703bf9defe4f989d436ec3682bb94727e4545a8c925cc720303078bffe8f6736aa3737f230cbeeaf6395d68ad2e0b4ed60350999f87837d2c8

Download Submit
C:\Windows\SysWOW64\SoAy.exe

Filesize
209KB

MD5
75b55853d381a26e762fb229c1f4a39a

SHA1
9c550f95abe78240eed662f2a43aa1987216a70f

SHA256
8fe8444693876be5e357421204d3510387670ac46d8fe68258ac60ac94bfbf13

SHA512
e202b4a3a67607e75d8743fd1d39cbe98b624d54faea1a42fa1d3b34d9541947b1819e21d9951caf614f019c40943ee3bc637f9310f6eb4ab5e546ec7b8d861a

Download Submit
C:\Windows\SysWOW64\TMky.exe

Filesize
206KB

MD5
67a3258a0c849e1682ea3f7455f064f6

SHA1
f4dade9f44bba88e1028a78a636d00dfe1c85740

SHA256
262d21647c41346cfb3b8bf2e89b3e787f855a6032d65738ffe0451e7e83c1ef

SHA512
83388240ecc15dd0b9e1e42980240dff50d75a53e575307751b6716aa159e2c5aa511112974e5ad159bf8c5e2385c317c2184e832d1df4eb9ba829f2212ef9db

Download Submit
C:\Windows\SysWOW64\UsQC.exe

Filesize
264KB

MD5
8fff07b4f492b460a7a22b1924e3f8c3

SHA1
1ae0bd202a7acaebfa18de3215c60aa83deaff60

SHA256
f9e7bb5ea22fc9c652c9f226ba07c08b632099c534a7c5cf5650dcc5baff0028

SHA512
b111cfc9c3963e28a07d0265ecce5467b2215d03451747acf2e45937f78c4d3f4aca1ef8b07f4c29808847599467f61792ec84ef9448e1886a431e2d0efdbef8

Download Submit
C:\Windows\SysWOW64\UwQQ.exe

Filesize
206KB

MD5
812b7abc51a209f62bdf7f49499c0585

SHA1
738356f6a27281dea16158036fa610cd7743f5fb

SHA256
61a9ddbb6932473059eecce3bf79eb5aef2b05ad19849ac83f3b1ac27978a0f7

SHA512
30d4267cfc056e7d7f8331e6b07b209b7f649b46bc3bce12cf473cb7263e027fc27eb6d48988b15b166a1888548ead5f0d8aac64532f8d73332a64488c2e0d59

Download Submit
C:\Windows\SysWOW64\VMwy.exe

Filesize
183KB

MD5
a9aea1b1167a4f8c2c7cfc08033b6a71

SHA1
c43700cd2e9d55bdf8e2ba199bd38f48fae42cda

SHA256
1ef0e3b77b1182edba95bc51f7367977c8e9ca70cad03b40fe2dd184defb730e

SHA512
cd57a0bbdd9139c031b782375850ccfb5786c17c1ace3b2611f0b9fd4751ecd5c3ee1ef18348b1e2bfcef45dabad1b0f43542377ecdef2aa513075469af6cccd

Download Submit
C:\Windows\SysWOW64\VcAC.exe

Filesize
182KB

MD5
6181c724eb8714ca5361ca9aabea56ac

SHA1
30f979bde665fc21a4ba42d03caddbca6a2789da

SHA256
596977d9110ead9caa6d5d0afcd8cea29a271489a08a807c3ac832734df53e3e

SHA512
fef2c548b5e93dcc3c8633fd90caf9174e58b4c8a7dc5bd6c0d238b461040f6a6b7505831e7b6942b9304e580e59d63e713590b2a32148f69a600db1ac7bcc98

Download Submit
C:\Windows\SysWOW64\WMoE.exe

Filesize
204KB

MD5
389a1f1b3b0ccc6e7e2b929b1614899e

SHA1
7becd26a1c3b2632518c8f91356a9cd3b8ce8872

SHA256
555d804764f80b7e0423db2b263456185d99e7cecb2c08e3a3a53cebf72d4351

SHA512
e8077b6d0d8a0ac18459b3fbf4d795b87d0d86f9308caf7d0c3830fdba36f417a545dc542e3915651289bece6a5337842863b50c12dfc505e64f34a6c179f422

Download Submit
C:\Windows\SysWOW64\ZUMM.exe

Filesize
187KB

MD5
46eaeee6735d8576ffd8735bf75c1471

SHA1
fa5f9bb4c91d38c073ac818f9963cb070c38127c

SHA256
326165439df0e13a085ea025f67b30091280d0c027bbdec93acf295411638481

SHA512
894ff66423947331341e5b0edaf6673d39815445b9290ed2488c442355335bdd200eab7eb66d362e8258ddaa14bdbf221e940a3810431c39b41f4476a0742624

Download Submit
C:\Windows\SysWOW64\aIsm.exe

Filesize
425KB

MD5
ce5f87dea59b46c73c36930e47c1d1d2

SHA1
882945148e366cff158d7348ebb1510b5d0359f1

SHA256
6f98ecd48fb5508b05202e7d1cd8a250c1f0b2c2973ddf1adddf54a5f7f6e355

SHA512
7b0c68b0d6468f4cbe8d4fc0ea32b9da55c002e74d186c1ec062021b3c82cbc4bfa2ba045b89858ff27b0f92254a2e8b540985aed235299df6f26d7f960b311c

Download Submit
C:\Windows\SysWOW64\aQcE.exe

Filesize
5.2MB

MD5
03e7098d0bc966408b9376a02844c7ec

SHA1
36494e2b500543e3af99bf2a336e63882478cbda

SHA256
d4b9e510701205ebedef654ecb6d385a23f95249646e7149d72cebffda2364d8

SHA512
49cedfbbedf794515e98ee83fc51c9d44e1f6db57a2bd915915734a12fc7611cbf9d84e020263a5bd9774c18e6248a2e739177a9e96179f461a899c34b84e1b1

Download Submit
C:\Windows\SysWOW64\bgQM.exe

Filesize
200KB

MD5
782156f19f29f6fa707db9252dc33d9f

SHA1
847eed129a9414caed1ce9a9a15c49d26b9ebffa

SHA256
77f9eeeb30542fa5a15f3f7aed1420f48f21db17aaf63c6973aec62fdb78b12e

SHA512
88c567facbdaa8b968a362d372e665dbf8c8ab6bf366d81db21f21eddf002e56c7bd475e57f42356059da86a55b2dca10723ba11e0fe68889882ef9d708a5e9d

Download Submit
C:\Windows\SysWOW64\ccsS.exe

Filesize
198KB

MD5
3b0fa1497796dd1f4b5d3f7cd5216160

SHA1
6b9df4a67f48b16fc054f033cd3e3e193b1bd291

SHA256
1e23e720070055d160610eb2f2bc861f8571fc51c54328af2f3fbff3054d1c0a

SHA512
3f9bcb5a71a117c39b6a83f642eb98aca682e2900415f26f3635e04cc813612d3add8966d38e1825f5897a3845a28f8f256003b945efa024e2391d981b976edb

Download Submit
C:\Windows\SysWOW64\cgEc.exe

Filesize
191KB

MD5
d2176e0a2cba1f3fd493bc6448e2a560

SHA1
76956a212acbab1cdb230ca558ded731c4316859

SHA256
d94fb8fd2bdcdf96f97ab5a29648946fe4b3aa039d75964ff754fb407c0c20dd

SHA512
5688dbb2ec97ecf77dfa96bfacc4c25312eded620813fba606c6fbb1043fc7bec829ad7c2f63526767d7c6f6d077e8f8b43963a6ccce837133c292a07849e80e

Download Submit
C:\Windows\SysWOW64\gYoG.exe

Filesize
200KB

MD5
3556e7224cf3966d6b98cc8fe6ba7b79

SHA1
35e3f9dd3551d176305b5e8831dea08476103654

SHA256
318016e9d6c8d0e4e6225ea702ba472f31bfb3bf881b96057a96de160455d8ad

SHA512
d5468c6c60e56840ac2a6e1cc969e0d7e4bcc664e0875bfa5c85da040537f279f9095fcbc80b96e8fd20230bd2c17047054bd8d7c3203527fe11224a6c6fe5e8

Download Submit
C:\Windows\SysWOW64\iEQA.exe

Filesize
209KB

MD5
c79eb4a9fc511466414e83bdde30092b

SHA1
ce0080b0fe350f4685cb506b84f3b910530a3004

SHA256
16d4c7474eaa03bfee9be1ba6c021e8f8d0aa0f8dead457b313f882449cbf7dd

SHA512
f3014fb65e74129940175965bd4b78f5b04eb8ad3baf11ff05f7f2decfa6029d2d6a46d0b3dba79bc4fcf9eef276d7e926bee49e5afa083d086105fdd392f03d

Download Submit
C:\Windows\SysWOW64\iMEs.exe

Filesize
203KB

MD5
00db26119464b4dd44c955b755b35977

SHA1
8d0e438a5f31be7a9898ec3902ca797d16f07a19

SHA256
a51e8dbcf87148026a4ad29974a284e2bc0a51f6ba3374796640181fac989977

SHA512
7ab13645df948eef52ccc4b86d9116ecca4d90c3eed5e7c881a3532bf8fb3a783b0b09f90e8ff4281938737c7a7ec45e8a50f31eba90060760ad66a887549a1d

Download Submit
C:\Windows\SysWOW64\iUQo.exe

Filesize
181KB

MD5
21c327b2841b3ae7c8bc2f3e3dcfdb1b

SHA1
7c37d3567378b99faaa00e80ade3b61ebaa9e52e

SHA256
2fde54b9ecd9ba136ddc0d9a591470847d6c56d3eb19a623a248806b9bfcd67d

SHA512
ecef621cabcf72b6c18b3bb8596c2c67e0212fc0101d457c8430af0e54ca3d530e0dbb1e14ccebbb4507a27648d85b989c67ce766ede82e6e7de2acc67c1fbfe

Download Submit
C:\Windows\SysWOW64\ikYe.exe

Filesize
204KB

MD5
ed100a8f5cd4b0848b4ec9a2f42c2433

SHA1
3798b9b04d22c2540b4bfa28434ea52f22aaa7f0

SHA256
c9e27f0d947c2e0f4b254c7876a8b89ac03a587c7a1c76689435afef05744152

SHA512
2d20af71fbab35b3b59d68810d05d9f63f34d9596cfaf33808c72cf46df298d1a92c60344a6ad0dc73d8fa0e5d41610b53cc0ce2689e953b8e4b563375fefd19

Download Submit
C:\Windows\SysWOW64\jMQw.exe

Filesize
838KB

MD5
76bf4567ba61e755584141e96c75a07c

SHA1
ee08c93812c71a0eac3e97e1ba1ac542622b6d5c

SHA256
ebea728732e39455090796d66527c98e69f6c7aa91ae43f39a6a64a10ee53044

SHA512
9f6764c8c70bb3a1a83b784518d4674a9b46ee53e795dab5f0147f2d9afb0ee5ef60233c4d06a9c85dbae7495343bcf366a54a1f095bda417be5d4024a6d3ba7

Download Submit
C:\Windows\SysWOW64\kMEc.exe

Filesize
190KB

MD5
4456e91c53cc8a08a575909fc596d43e

SHA1
c075c87913aac3f2250b5dcb7955177a263ee4c0

SHA256
21a739b1afc6cbac2161b00e88a15aaf4fc39a2a2d5487c9308b04b844a3465f

SHA512
acaad1004488b4d9b921dcf32cfac570fdbe81d031c97d7d14b15fd960e60179103d462afdca1b1ba455e393fa57c7c4199b0260feed88e6705d579c25168d34

Download Submit
C:\Windows\SysWOW64\kQYE.exe

Filesize
181KB

MD5
9ecbb49c5679b4add8dd429892e60d5c

SHA1
12e19a193b99d4932613747cc7532cfe107ea848

SHA256
a87b8817b35a501b355ee333945fa5955cd7b9d6760843f12f3f575684f54c49

SHA512
1bbda519b1f571849f8657adeeb2f21e343e061ac5cc6a1afc5addad272452f2dd8de8d05f71341b0d7c113c64066fafe1c3d486023ce2bc7255a38c3df683dd

Download Submit
C:\Windows\SysWOW64\lgQw.exe

Filesize
195KB

MD5
e653774610d27a99d32a72a2eb1c1161

SHA1
b927dbd48a2ec94b7db64d61a759be9c39aa3f78

SHA256
c77404d71fa74841eb9f69b26c27c590e4a8744cef22cc2f3ebf0c31f3aeffd7

SHA512
825bc5cfa478341d11604a25b79309480c7210e8db8554ba561bca27e3ccea07710704c78c7c7f6af31c4f02e015efeae06ddc49ac263b83c733545881c65dc4

Download Submit
C:\Windows\SysWOW64\oMQK.exe

Filesize
189KB

MD5
9355bc0da897fd010ece4ab981f4b38d

SHA1
007a05a65f7f0b9e0e608310b85bfc71e005d33c

SHA256
d99c6985bbe880e8569fc759f049674bbd178d853b0f48b12ffe63a1e806d8d7

SHA512
88780135396249ea5e163c403fb8ee75576a37252ba836f542d89cebb41bb0d5803d867609e782c5ad8e254f6ea90e901b335bb18d6412ec54b3eff6cc4628e1

Download Submit
C:\Windows\SysWOW64\pssO.exe

Filesize
210KB

MD5
d01ad455c1670c46591962d588264610

SHA1
96108c233775b2683cf624467fce61e8ef74d471

SHA256
6f5a8b2b2ebe091a4026ca1efcac074c1e6d3e35a5ffa98703c9f5e1b4425583

SHA512
c5451f101b80d131df5c0142238ee12dbbb1e36980d924d2bf34a25fd142ecd4841d12024a0f200207ccff1a0df7baad59324a66df2435c737a379fadfc7476d

Download Submit
C:\Windows\SysWOW64\qIEk.exe

Filesize
245KB

MD5
3114a2d287073a776e122c4865bbf243

SHA1
9c7f32dab0a4da2244a5af99fb2627dfc66aa4a9

SHA256
338af3fc023e1e9d82980e6df4fd78fc2299fb3895d6a89bebc41ae6df24f306

SHA512
c48caa5b31dba5ccece6d08a8694fe79bff9b7712aea8ca9bfaffabfe0566037392d20c4ba8f88c429e839f566790ed05dd1e0f0e6213ae400523e5660daa575

Download Submit
C:\Windows\SysWOW64\qsAw.exe

Filesize
196KB

MD5
4bdf04592b89557fd400d4926ee88ee2

SHA1
ec255e81df68ca0e1d73dd77588fc1542634c738

SHA256
6a36a8ae14d0aa47dc7dc38f145e4b50760f0f817c9da798fe575c428903e073

SHA512
bd3acc5f3241f62608bd79bb0a76ddce22dc080cd4cc6b7b2256d40d47cb1fa48befa7b72cd03fce6a24a7ee033498088d56dd13ed904865bdd43c7b05baa96e

Download Submit
C:\Windows\SysWOW64\qwcg.exe

Filesize
775KB

MD5
ff61e7a0dbadbaf3b3ab417e6577f019

SHA1
857d3599119f548c5c357ed24a9fd4a21b173b62

SHA256
544b2d692664525003e4aa93ee963fcbb223ae75ba79d88761cf59575a0f6638

SHA512
9a29974822570e301a10943169eae84b895b41242651075d620d135686042f29e59213dd4cabd30b8137578152212c11cea6bbd91507e5b43ceedeba4a52ebc4

Download Submit
C:\Windows\SysWOW64\rIgG.exe

Filesize
198KB

MD5
a1971ce25af5697f99d5eef3e241ae2f

SHA1
ef75b754d05cf54640bcd35a31e8d3a40f1bd932

SHA256
577a9783b4a6e7d4900d5afcf004139c35b3c16e15d12552531d606a89c99202

SHA512
1cba5a99c682e128f7f8718c4d7f8728aeedab67020f4348957c863f0380661ac46fa792a37ac2e3bc18eae8976522e2c7dc720754c6dcea6184335e2060d998

Download Submit
C:\Windows\SysWOW64\sggW.exe

Filesize
205KB

MD5
258ec7b092ed668cc5112d31b808d270

SHA1
3a46dafc9779dbe72d20a5cb8141bf5e2f43fdb1

SHA256
f1b4a6c57d25cfcf7f0d7aadaadd29b742e632455cbd0b46fdb5b96d8987dacc

SHA512
8e69a723bbbd590fd77d9e97234bbbf790cf93d2eb1d2987419ebbbb737e9e701ec71a47d7516b40915cf6e08da4a535fa15cbc57a7d260e738583ab1a678c48

Download Submit
C:\Windows\SysWOW64\tAEa.exe

Filesize
204KB

MD5
43674c4d39e71330f3b4e0b5781e646a

SHA1
7c7dad2dcbe21d9fddf0bab9a6b438fd339bcad2

SHA256
aab7f1029e939c9a53215919f1eb397d3f0db6ac50e9eb2a947cf929af82e43d

SHA512
86db32f15421f4ca4f954f3d7b791efd7182ab840ec41e54e23a10a528ba8b94335500ed9aa382ed1229ea5d4f98d93e16778d85af8fa937bf50cb3b8f5fe180

Download Submit
C:\Windows\SysWOW64\uUUy.exe

Filesize
649KB

MD5
a89f964d3b402c09008ddcf4839e9f74

SHA1
429399c45ded8b438b30bf5ce69c339550062a86

SHA256
eafbca0bf67dc5fc8018c0a907dbe8184932c39f365209e411793d72d16ebfb5

SHA512
d711ee1871edeace3509554ae79ff0b0c2fb1838ed6823048f7648fd4fd51b324e4b30b4473db80311df67b9c2234f490efca1600a8134b8088e800af69b20d7

Download Submit
C:\Windows\SysWOW64\ucsa.exe

Filesize
790KB

MD5
70d63bdea5d02b47fdc753cdfc38a6de

SHA1
a240489cb45f22345dcdd8d67535faa84231d69e

SHA256
b80e821798a813d4931714f091bfd621a08ca73a4dc0932eb881565000d746b9

SHA512
4bad53bfdab113b89f761dff3ded7294a0940f57dce961da8f8dd1289aa1fb3364ec6115bdd79907fa20911a4d433bdf221f44ad73496196de876460f277bba9

Download Submit
C:\Windows\SysWOW64\wIsa.exe

Filesize
793KB

MD5
f1f1268e531d73ed21c6cde007cc909e

SHA1
69ce35a6d66088e5095c6c671a4c45297195bf6f

SHA256
f188fb93ded0f91ff865b9f175a2c565760b758cee47b5944ae58bc9f442092e

SHA512
bc51aba43ca512b10953c1d7dbf1937da76aa2a8216f104174313af5a882da81e9e41a252463af14e2120e54850e725d6758003ff9396c0992bb360ee170032f

Download Submit
C:\Windows\SysWOW64\wMUq.exe

Filesize
195KB

MD5
a5109e98b715698455b055420ba47986

SHA1
3f8f07e93af1f5424b7f5ec2bb55f37b34d37e35

SHA256
e7a566310deb9a55cab8d45732c63918040c814c8756b43fcf1f07f4fc884449

SHA512
c9de340b2af20ec2dbe967987f987d26f676a69c91a3c75e975de5ee0ad09596da421439fc546ef7ad09911d4e36ef175ce2cdfa1e867b4114b7cdebeba285e7

Download Submit
C:\Windows\SysWOW64\wokc.exe

Filesize
191KB

MD5
d74168d1c5b226ed9bad7ed54c487e77

SHA1
30410769dc3b87d700a3f92cfe550d5ccd46c4d6

SHA256
d628b21d7180e74ae7b42fdd91e4000485fdcb876c9406b56ecc33c72c77a68a

SHA512
072f52dcd6f4b828d2c41516cf9571f0e7bc2265b2e42b4328631b527a82d26878d6877bfabc0fab23dc96bd6b36186eea5fe1ea4a09c0234be85a34e7025dc0

Download Submit
C:\Windows\SysWOW64\xEYi.exe

Filesize
196KB

MD5
05e5d207f4acd11dfde214e4cc3c9e60

SHA1
24de11e86ddb192a8b9467291b1b99ca9086f510

SHA256
26b3c78ec5d3b8180ff0cecc5d97989febc8fa180768a387c77641fadc2630d2

SHA512
8e2ab7d9aa1d5869fa76d52c3da2e8d802a01712b67f1395dcc23aa3d38e5f1ad1d288d9ca09262167b3dba5cb7ee3ff540e104b55a2ce713d4168397601b27d

Download Submit
C:\Windows\SysWOW64\xUEI.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Windows\SysWOW64\xUcI.exe

Filesize
184KB

MD5
159b336e004d99f52318fe3cd2383f0b

SHA1
39799e520168279e489cca96beea6d1e7ea9c048

SHA256
6424f0fb430f43f27e4d243f664d1f4e565801e0d0fea9f76accfda3661313cc

SHA512
8ed9c865259d79994ad09cdf7351b9cb681bd039f97f9d556e19abce8e77bfb4179158358379a766cb0600ede00ee6321a5d433152ec1aba85b07f732023af8c

Download Submit
C:\Windows\SysWOW64\xwAQ.exe

Filesize
201KB

MD5
01b6057ba0699914710c22641644c5ae

SHA1
ec4c6cfd1ee60de1ce14e753e3b958b5e445db51

SHA256
ec50cf1f7a312cd191c0ecfa9717a6d613dc6225b0e48517de2fd76395a73c34

SHA512
4bbffa283fa9e36d7916187fcc765b67f70f265eec9bba1d57f790beafb81d98a74fd5335c25e705e82e94c5d1cb134913f5cc41b41cd187dfc7a79731e1a4cc

Download Submit
C:\Windows\SysWOW64\ycwy.exe

Filesize
219KB

MD5
816b24bba7d0e26f7e517ac42aec61c1

SHA1
06fb43461f75a2d947fc5640759abe9c834600e6

SHA256
15ede724bbc71587456002569e5c8a5df3b15aeeed08d6a6b344064ea0527351

SHA512
fd896e87d967c7ce0dae062f3409b8d248e23d891c4ec40944caa956d60ac4301cdcd1365b12563874615f50348b629583d1585f40cf0924ee2e3dcee070ea5e

Download Submit
C:\Windows\SysWOW64\ysUo.ico

Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Windows\SysWOW64\ywAq.exe

Filesize
628KB

MD5
af20fe81eac71532e4070490dd6579a9

SHA1
7229c3056570ff8145018956114b6d789e3bc979

SHA256
7218a1b823ace983910bc4c59a54242e7f466bbca6d199a520b84a22c433899a

SHA512
2841226374ad6f6fdfe93d1f3f0f741922ebd183026a38e68fa76ad012811130fbcdd80e6ec47b74840d97d98a6746ecf480538bd81157ab50cc0e4535ae3e53

Download Submit
C:\Windows\SysWOW64\zIIS.exe

Filesize
205KB

MD5
c732f092820310185e8ce8d81de0acdc

SHA1
d97e888f17336f36171af4e022803e3d9cfd7e38

SHA256
5bdf72f4f6198710d19951e2912ef7fce35948c2fd32231015d1b5db7a743087

SHA512
bb0ca769e1feb782221bb03d17f61e056871edeb95619203c285dee02bd11ba1b2ca709f679dd62190cb72c93e78772f41c0091e92c6faecfe215cc2afa83e11

Download Submit
memory/60-726-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/376-716-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/376-709-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/376-523-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/396-659-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/576-687-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/576-676-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/652-525-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/652-534-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/772-432-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/864-339-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/952-587-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/952-603-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/976-550-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1004-651-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1108-679-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1108-670-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1140-366-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1140-357-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1156-497-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1156-328-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1472-622-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1472-631-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1556-302-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1556-315-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1776-515-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2092-274-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2288-611-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2720-370-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2720-379-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2860-301-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2860-285-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2968-480-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2968-462-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3060-489-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3248-553-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3248-561-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3248-727-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3464-621-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3464-612-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3508-584-0x000001FAAB7A0000-0x000001FAAB7A1000-memory.dmp

Filesize
4KB

Download
memory/3508-589-0x000001FAAB7A0000-0x000001FAAB7A1000-memory.dmp

Filesize
4KB

Download
memory/3508-585-0x000001FAAB7A0000-0x000001FAAB7A1000-memory.dmp

Filesize
4KB

Download
memory/3508-572-0x000001FAAB7A0000-0x000001FAAB7A1000-memory.dmp

Filesize
4KB

Download
memory/3508-573-0x000001FAAB7A0000-0x000001FAAB7A1000-memory.dmp

Filesize
4KB

Download
memory/3508-574-0x000001FAAB7A0000-0x000001FAAB7A1000-memory.dmp

Filesize
4KB

Download
memory/3508-590-0x000001FAAB7A0000-0x000001FAAB7A1000-memory.dmp

Filesize
4KB

Download
memory/3508-583-0x000001FAAB7A0000-0x000001FAAB7A1000-memory.dmp

Filesize
4KB

Download
memory/3508-591-0x000001FAAB7A0000-0x000001FAAB7A1000-memory.dmp

Filesize
4KB

Download
memory/3508-586-0x000001FAAB7A0000-0x000001FAAB7A1000-memory.dmp

Filesize
4KB

Download
memory/3672-420-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3672-410-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3704-568-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3704-595-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3724-450-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3724-436-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3752-506-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4060-542-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4240-289-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4240-268-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4480-699-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4480-707-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4488-571-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4488-562-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4500-393-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4588-283-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4684-405-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4724-669-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4960-352-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5016-688-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5016-698-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5064-641-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5096-461-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5096-451-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download