cryptolocker | hxxps://github[.]com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/CryptoLocker[.]exe

Analysis

max time kernel
130s
max time network
176s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
07-03-2024 00:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/CryptoLocker.exe

Score

10^/10

cryptolocker troldesh evasion persistence ransomware trojan upx

Malware Config

Signatures

CryptoLocker
Ransomware family with multiple variants.
ransomware cryptolocker

Modifies visibility of file extensions in Explorer 2 TTPs 21 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1101742937-4171729779-750941522-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1101742937-4171729779-750941522-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1101742937-4171729779-750941522-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1101742937-4171729779-750941522-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1101742937-4171729779-750941522-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1101742937-4171729779-750941522-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1101742937-4171729779-750941522-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1101742937-4171729779-750941522-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1101742937-4171729779-750941522-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1101742937-4171729779-750941522-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1101742937-4171729779-750941522-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1101742937-4171729779-750941522-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1101742937-4171729779-750941522-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1101742937-4171729779-750941522-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1101742937-4171729779-750941522-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1101742937-4171729779-750941522-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1101742937-4171729779-750941522-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1101742937-4171729779-750941522-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1101742937-4171729779-750941522-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1101742937-4171729779-750941522-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1101742937-4171729779-750941522-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
ransomware trojan troldesh

UAC bypass 3 TTPs 21 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Downloads MZ/PE file

Executes dropped EXE 29 IoCs

Processes:

CryptoLocker.exe{34184A33-0407-212E-3320-09040709E2C2}.exe{34184A33-0407-212E-3320-09040709E2C2}.exeNoMoreRansom.exePolyRansom.exepGkMEUYU.exeYCcsgcEw.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exe

pid	process
1288	CryptoLocker.exe
1324	{34184A33-0407-212E-3320-09040709E2C2}.exe
3140	{34184A33-0407-212E-3320-09040709E2C2}.exe
2288	NoMoreRansom.exe
2236	PolyRansom.exe
3416	pGkMEUYU.exe
4436	YCcsgcEw.exe
2596	PolyRansom.exe
696	PolyRansom.exe
3228	PolyRansom.exe
3544	PolyRansom.exe
5044	PolyRansom.exe
4832	PolyRansom.exe
2208	PolyRansom.exe
3944	PolyRansom.exe
2212	PolyRansom.exe
3544	PolyRansom.exe
4936	PolyRansom.exe
4668	PolyRansom.exe
4572	PolyRansom.exe
4936	PolyRansom.exe
4092	PolyRansom.exe
1816	PolyRansom.exe
2412	PolyRansom.exe
1656	PolyRansom.exe
4552	PolyRansom.exe
1728	PolyRansom.exe
1796	PolyRansom.exe
4368	PolyRansom.exe

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2288-310-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2288-311-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2288-312-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2288-313-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2288-314-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2288-336-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2288-340-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2288-350-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2288-351-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2288-379-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2288-606-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2288-992-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2288-1700-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2288-2798-0x0000000000400000-0x00000000005DE000-memory.dmp	upx

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{34184A33-0407-212E-3320-09040709E2C2}.exeNoMoreRansom.exePolyRansom.exeYCcsgcEw.exepGkMEUYU.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1101742937-4171729779-750941522-1000\Software\Microsoft\Windows\CurrentVersion\Run\CryptoLocker = "C:\\Users\\Admin\\AppData\\Roaming\\{34184A33-0407-212E-3320-09040709E2C2}.exe"	{34184A33-0407-212E-3320-09040709E2C2}.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1101742937-4171729779-750941522-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""	NoMoreRansom.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1101742937-4171729779-750941522-1000\Software\Microsoft\Windows\CurrentVersion\Run\pGkMEUYU.exe = "C:\\Users\\Admin\\eOUgIowo\\pGkMEUYU.exe"	PolyRansom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\YCcsgcEw.exe = "C:\\ProgramData\\pYsYswcQ\\YCcsgcEw.exe"	PolyRansom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\YCcsgcEw.exe = "C:\\ProgramData\\pYsYswcQ\\YCcsgcEw.exe"	YCcsgcEw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1101742937-4171729779-750941522-1000\Software\Microsoft\Windows\CurrentVersion\Run\pGkMEUYU.exe = "C:\\Users\\Admin\\eOUgIowo\\pGkMEUYU.exe"	pGkMEUYU.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

2 raw.githubusercontent.com
24 raw.githubusercontent.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1080 1816 WerFault.exe iuokYosg.exe
2104 1528 WerFault.exe ycIYkUsg.exe

flow	ioc
2	raw.githubusercontent.com
24	raw.githubusercontent.com

pid	pid_target	process	target process
1080	1816	WerFault.exe	iuokYosg.exe
2104	1528	WerFault.exe	ycIYkUsg.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid	process
4572	reg.exe
1400	reg.exe
808	reg.exe
1388
5088	reg.exe
4732	reg.exe
1120	reg.exe
4456	reg.exe
3440
460
2164	reg.exe
1836	reg.exe
2160	reg.exe
1996	reg.exe
760	reg.exe
2104	reg.exe
4408	reg.exe
5060	reg.exe
1944	reg.exe
2372	reg.exe
228	reg.exe
3404	reg.exe
1256	reg.exe
4156	reg.exe
2504	reg.exe
1632	reg.exe
720	reg.exe
4872
488	reg.exe
3888	reg.exe
3432	reg.exe
4616
4408	reg.exe
1560
1988	reg.exe
4588	reg.exe
2344
1500
2220	reg.exe
1640	reg.exe
2220	reg.exe
4808	reg.exe
3532	reg.exe
1580	reg.exe
3428	reg.exe
4248	reg.exe
720	reg.exe
3236	reg.exe
3164	reg.exe
1816	reg.exe
4060
3700	reg.exe
1640	reg.exe
4064	reg.exe
3576	reg.exe
2368	reg.exe
3408	reg.exe
2624	reg.exe
404	reg.exe
228
4604
1908
2492	reg.exe
2904	reg.exe

NTFS ADS 8 IoCs

Processes:

msedge.exemsedge.exemsedge.exemsedge.exeCryptoLocker.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\NoMoreRansom.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 229421.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\PolyRansom.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 910465.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\CryptoLocker.exe:Zone.Identifier	msedge.exe
File created	C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe\:SmartScreen:$DATA	CryptoLocker.exe
File created	C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe\:Zone.Identifier:$DATA	CryptoLocker.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 807567.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exeNoMoreRansom.exemsedge.exemsedge.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exe

pid	process
1684	msedge.exe
1684	msedge.exe
3728	msedge.exe
3728	msedge.exe
644	msedge.exe
644	msedge.exe
352	identity_helper.exe
352	identity_helper.exe
3720	msedge.exe
3720	msedge.exe
3236	msedge.exe
3236	msedge.exe
2288	NoMoreRansom.exe
2288	NoMoreRansom.exe
2288	NoMoreRansom.exe
2288	NoMoreRansom.exe
1592	msedge.exe
1592	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
2236	PolyRansom.exe
2236	PolyRansom.exe
2236	PolyRansom.exe
2236	PolyRansom.exe
2596	PolyRansom.exe
2596	PolyRansom.exe
2596	PolyRansom.exe
2596	PolyRansom.exe
696	PolyRansom.exe
696	PolyRansom.exe
696	PolyRansom.exe
696	PolyRansom.exe
3228	PolyRansom.exe
3228	PolyRansom.exe
3228	PolyRansom.exe
3228	PolyRansom.exe
3544	PolyRansom.exe
3544	PolyRansom.exe
3544	PolyRansom.exe
3544	PolyRansom.exe
5044	PolyRansom.exe
5044	PolyRansom.exe
5044	PolyRansom.exe
5044	PolyRansom.exe
4832	PolyRansom.exe
4832	PolyRansom.exe
4832	PolyRansom.exe
4832	PolyRansom.exe
2208	PolyRansom.exe
2208	PolyRansom.exe
2208	PolyRansom.exe
2208	PolyRansom.exe
3944	PolyRansom.exe
3944	PolyRansom.exe
3944	PolyRansom.exe
3944	PolyRansom.exe
2212	PolyRansom.exe
2212	PolyRansom.exe
2212	PolyRansom.exe
2212	PolyRansom.exe
3544	PolyRansom.exe
3544	PolyRansom.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

Processes:

msedge.exe

pid process

1684 msedge.exe
1684 msedge.exe
1684 msedge.exe
1684 msedge.exe
1684 msedge.exe
1684 msedge.exe
1684 msedge.exe
1684 msedge.exe
1684 msedge.exe

Suspicious use of FindShellTrayWindow 55 IoCs

Processes:

msedge.exe

pid	process
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

msedge.exe

pid	process
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 1684 wrote to memory of 4360	1684	msedge.exe	msedge.exe
PID 1684 wrote to memory of 4360	1684	msedge.exe	msedge.exe
PID 1684 wrote to memory of 1396	1684	msedge.exe	msedge.exe
PID 1684 wrote to memory of 1396	1684	msedge.exe	msedge.exe
PID 1684 wrote to memory of 1396	1684	msedge.exe	msedge.exe
PID 1684 wrote to memory of 1396	1684	msedge.exe	msedge.exe
PID 1684 wrote to memory of 1396	1684	msedge.exe	msedge.exe
PID 1684 wrote to memory of 1396	1684	msedge.exe	msedge.exe
PID 1684 wrote to memory of 1396	1684	msedge.exe	msedge.exe
PID 1684 wrote to memory of 1396	1684	msedge.exe	msedge.exe
PID 1684 wrote to memory of 1396	1684	msedge.exe	msedge.exe
PID 1684 wrote to memory of 1396	1684	msedge.exe	msedge.exe
PID 1684 wrote to memory of 1396	1684	msedge.exe	msedge.exe
PID 1684 wrote to memory of 1396	1684	msedge.exe	msedge.exe
PID 1684 wrote to memory of 1396	1684	msedge.exe	msedge.exe
PID 1684 wrote to memory of 1396	1684	msedge.exe	msedge.exe
PID 1684 wrote to memory of 1396	1684	msedge.exe	msedge.exe
PID 1684 wrote to memory of 1396	1684	msedge.exe	msedge.exe
PID 1684 wrote to memory of 1396	1684	msedge.exe	msedge.exe
PID 1684 wrote to memory of 1396	1684	msedge.exe	msedge.exe
PID 1684 wrote to memory of 1396	1684	msedge.exe	msedge.exe
PID 1684 wrote to memory of 1396	1684	msedge.exe	msedge.exe
PID 1684 wrote to memory of 1396	1684	msedge.exe	msedge.exe
PID 1684 wrote to memory of 1396	1684	msedge.exe	msedge.exe
PID 1684 wrote to memory of 1396	1684	msedge.exe	msedge.exe
PID 1684 wrote to memory of 1396	1684	msedge.exe	msedge.exe
PID 1684 wrote to memory of 1396	1684	msedge.exe	msedge.exe
PID 1684 wrote to memory of 1396	1684	msedge.exe	msedge.exe
PID 1684 wrote to memory of 1396	1684	msedge.exe	msedge.exe
PID 1684 wrote to memory of 1396	1684	msedge.exe	msedge.exe
PID 1684 wrote to memory of 1396	1684	msedge.exe	msedge.exe
PID 1684 wrote to memory of 1396	1684	msedge.exe	msedge.exe
PID 1684 wrote to memory of 1396	1684	msedge.exe	msedge.exe
PID 1684 wrote to memory of 1396	1684	msedge.exe	msedge.exe
PID 1684 wrote to memory of 1396	1684	msedge.exe	msedge.exe
PID 1684 wrote to memory of 1396	1684	msedge.exe	msedge.exe
PID 1684 wrote to memory of 1396	1684	msedge.exe	msedge.exe
PID 1684 wrote to memory of 1396	1684	msedge.exe	msedge.exe
PID 1684 wrote to memory of 1396	1684	msedge.exe	msedge.exe
PID 1684 wrote to memory of 1396	1684	msedge.exe	msedge.exe
PID 1684 wrote to memory of 1396	1684	msedge.exe	msedge.exe
PID 1684 wrote to memory of 1396	1684	msedge.exe	msedge.exe
PID 1684 wrote to memory of 3728	1684	msedge.exe	msedge.exe
PID 1684 wrote to memory of 3728	1684	msedge.exe	msedge.exe
PID 1684 wrote to memory of 2272	1684	msedge.exe	msedge.exe
PID 1684 wrote to memory of 2272	1684	msedge.exe	msedge.exe
PID 1684 wrote to memory of 2272	1684	msedge.exe	msedge.exe
PID 1684 wrote to memory of 2272	1684	msedge.exe	msedge.exe
PID 1684 wrote to memory of 2272	1684	msedge.exe	msedge.exe
PID 1684 wrote to memory of 2272	1684	msedge.exe	msedge.exe
PID 1684 wrote to memory of 2272	1684	msedge.exe	msedge.exe
PID 1684 wrote to memory of 2272	1684	msedge.exe	msedge.exe
PID 1684 wrote to memory of 2272	1684	msedge.exe	msedge.exe
PID 1684 wrote to memory of 2272	1684	msedge.exe	msedge.exe
PID 1684 wrote to memory of 2272	1684	msedge.exe	msedge.exe
PID 1684 wrote to memory of 2272	1684	msedge.exe	msedge.exe
PID 1684 wrote to memory of 2272	1684	msedge.exe	msedge.exe
PID 1684 wrote to memory of 2272	1684	msedge.exe	msedge.exe
PID 1684 wrote to memory of 2272	1684	msedge.exe	msedge.exe
PID 1684 wrote to memory of 2272	1684	msedge.exe	msedge.exe
PID 1684 wrote to memory of 2272	1684	msedge.exe	msedge.exe
PID 1684 wrote to memory of 2272	1684	msedge.exe	msedge.exe
PID 1684 wrote to memory of 2272	1684	msedge.exe	msedge.exe
PID 1684 wrote to memory of 2272	1684	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/CryptoLocker.exe
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1684

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff83543cb8,0x7fff83543cc8,0x7fff83543cd8
2⤵
PID:4360

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,1217228055133489656,8471021393371942223,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1940 /prefetch:2
2⤵
PID:1396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1916,1217228055133489656,8471021393371942223,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3728

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1916,1217228055133489656,8471021393371942223,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2708 /prefetch:8
2⤵
PID:2272

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,1217228055133489656,8471021393371942223,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
2⤵
PID:1632

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,1217228055133489656,8471021393371942223,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
2⤵
PID:4396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,1217228055133489656,8471021393371942223,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5352 /prefetch:1
2⤵
PID:4676

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1916,1217228055133489656,8471021393371942223,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5752 /prefetch:8
2⤵
PID:1020

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1916,1217228055133489656,8471021393371942223,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5396 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:644

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1916,1217228055133489656,8471021393371942223,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5972 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:352

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,1217228055133489656,8471021393371942223,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4864 /prefetch:1
2⤵
PID:4148

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,1217228055133489656,8471021393371942223,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1
2⤵
PID:1908

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,1217228055133489656,8471021393371942223,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3956 /prefetch:1
2⤵
PID:4648

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,1217228055133489656,8471021393371942223,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5352 /prefetch:1
2⤵
PID:2956

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1916,1217228055133489656,8471021393371942223,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4864 /prefetch:8
2⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:3720

C:\Users\Admin\Downloads\CryptoLocker.exe
"C:\Users\Admin\Downloads\CryptoLocker.exe"
2⤵
- Executes dropped EXE
- NTFS ADS
PID:1288

C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
"C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" "/rC:\Users\Admin\Downloads\CryptoLocker.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1324

C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
"C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" /w00000238
4⤵
- Executes dropped EXE
PID:3140

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,1217228055133489656,8471021393371942223,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6188 /prefetch:1
2⤵
PID:4476

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1916,1217228055133489656,8471021393371942223,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6492 /prefetch:8
2⤵
PID:540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1916,1217228055133489656,8471021393371942223,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6204 /prefetch:8
2⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:3236

C:\Users\Admin\Downloads\NoMoreRansom.exe
"C:\Users\Admin\Downloads\NoMoreRansom.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:2288

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,1217228055133489656,8471021393371942223,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6236 /prefetch:1
2⤵
PID:2868

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1916,1217228055133489656,8471021393371942223,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6168 /prefetch:8
2⤵
PID:5088

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1916,1217228055133489656,8471021393371942223,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6400 /prefetch:8
2⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:1592

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,1217228055133489656,8471021393371942223,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6388 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1044

C:\Users\Admin\Downloads\PolyRansom.exe
"C:\Users\Admin\Downloads\PolyRansom.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:2236

C:\Users\Admin\eOUgIowo\pGkMEUYU.exe
"C:\Users\Admin\eOUgIowo\pGkMEUYU.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3416

C:\ProgramData\pYsYswcQ\YCcsgcEw.exe
"C:\ProgramData\pYsYswcQ\YCcsgcEw.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
3⤵
PID:1500

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2596

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
5⤵
PID:3052

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
7⤵
PID:4472

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
9⤵
PID:1172

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
10⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
11⤵
PID:2832

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
12⤵
PID:3480

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
12⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:5044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
13⤵
PID:1412

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
14⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4832

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
15⤵
PID:4604

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
16⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
17⤵
PID:4108

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
18⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
19⤵
PID:4380

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
20⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
21⤵
PID:2384

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
22⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
23⤵
PID:2052

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
24⤵
- Executes dropped EXE
PID:4936

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
25⤵
PID:3124

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
26⤵
- Executes dropped EXE
PID:4668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
27⤵
PID:3236

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
28⤵
- Executes dropped EXE
PID:4572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
29⤵
PID:4412

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
30⤵
- Executes dropped EXE
PID:4936

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
31⤵
PID:1836

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
32⤵
- Executes dropped EXE
PID:4092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
33⤵
PID:2980

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
34⤵
- Executes dropped EXE
PID:1816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
35⤵
PID:1308

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
36⤵
- Executes dropped EXE
PID:2412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
37⤵
PID:2080

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
38⤵
- Executes dropped EXE
PID:1656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
39⤵
PID:4728

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
40⤵
- Executes dropped EXE
PID:4552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
41⤵
PID:648

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
42⤵
- Executes dropped EXE
PID:1728

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
43⤵
PID:2072

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
44⤵
- Executes dropped EXE
PID:1796

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
45⤵
PID:1640

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
46⤵
- Executes dropped EXE
PID:4368

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
47⤵
PID:1632

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
48⤵
PID:4604

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
48⤵
PID:2492

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
49⤵
PID:3052

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
50⤵
PID:3944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
51⤵
PID:1460

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
52⤵
PID:4980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
53⤵
PID:4092

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
54⤵
PID:788

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
55⤵
PID:1632

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
56⤵
PID:1092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
57⤵
PID:692

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
58⤵
PID:3556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
59⤵
PID:2416

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
60⤵
PID:844

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
61⤵
PID:816

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
62⤵
PID:4540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
63⤵
PID:3560

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
64⤵
PID:3040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
65⤵
PID:648

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
66⤵
PID:3236

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
67⤵
PID:3188

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
68⤵
PID:1152

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
69⤵
PID:4540

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
70⤵
PID:3984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
71⤵
PID:4940

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
72⤵
PID:816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
73⤵
PID:852

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
74⤵
PID:1400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
75⤵
PID:792

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
76⤵
PID:1860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
77⤵
PID:4688

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
78⤵
PID:1796

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
79⤵
PID:4936

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
80⤵
PID:4632

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
81⤵
PID:460

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
82⤵
PID:1640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
83⤵
PID:3424

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
84⤵
PID:4560

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
85⤵
PID:2104

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
86⤵
PID:1700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
87⤵
PID:1028

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
88⤵
PID:3392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
89⤵
PID:2716

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
90⤵
PID:4820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
91⤵
PID:2456

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
92⤵
PID:3888

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
93⤵
PID:5024

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
94⤵
PID:1308

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
95⤵
PID:1080

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
96⤵
PID:2888

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
97⤵
PID:4764

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
98⤵
PID:1460

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
99⤵
PID:460

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
100⤵
PID:3204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
101⤵
PID:2072

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
102⤵
PID:2344

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
103⤵
PID:5024

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
104⤵
PID:3980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
105⤵
PID:4988

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
106⤵
PID:4856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
107⤵
PID:1308

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
108⤵
PID:4352

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
109⤵
PID:5088

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
110⤵
PID:1032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
111⤵
PID:2776

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
112⤵
PID:1880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
113⤵
PID:3480

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
114⤵
PID:3204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
115⤵
PID:1836

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
116⤵
PID:3392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
117⤵
PID:2032

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
118⤵
PID:3204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
119⤵
PID:496

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
120⤵
PID:4868

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
121⤵
PID:2620

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
122⤵
PID:3052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
123⤵
PID:696

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
124⤵
PID:1256

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
125⤵
PID:1176

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
126⤵
PID:3484

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
127⤵
PID:4552

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
128⤵
PID:2240

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
129⤵
PID:4848

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
130⤵
PID:1632

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
131⤵
PID:2412

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
132⤵
PID:2568

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
133⤵
PID:2276

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
134⤵
PID:460

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
135⤵
PID:4440

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
136⤵
PID:4388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
137⤵
PID:4456

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
138⤵
PID:3432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
139⤵
PID:4428

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
140⤵
PID:2980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
141⤵
PID:4944

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
142⤵
PID:2612

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
143⤵
PID:5024

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
144⤵
PID:1160

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
145⤵
PID:3724

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
146⤵
PID:4156

C:\Users\Admin\RCMwcUQE\iuokYosg.exe
"C:\Users\Admin\RCMwcUQE\iuokYosg.exe"
147⤵
PID:1816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1816 -s 240
148⤵
- Program crash
PID:1080

C:\ProgramData\wGUwUUwI\ycIYkUsg.exe
"C:\ProgramData\wGUwUUwI\ycIYkUsg.exe"
147⤵
PID:1528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1528 -s 236
148⤵
- Program crash
PID:2104

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
147⤵
PID:496

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
148⤵
PID:4584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
149⤵
PID:200

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
150⤵
PID:228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
151⤵
PID:2024

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
152⤵
PID:1700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
153⤵
PID:2824

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
154⤵
PID:4868

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
155⤵
PID:3212

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
156⤵
PID:2160

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
157⤵
PID:4688

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
158⤵
PID:2240

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
159⤵
PID:1500

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
160⤵
PID:3884

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
161⤵
PID:4856

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
162⤵
PID:3212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
163⤵
PID:3392

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
161⤵
PID:1656

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
161⤵
PID:916

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
161⤵
PID:3412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jSwoMowM.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
161⤵
PID:4432

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
162⤵
PID:3776

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
159⤵
PID:4524

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
159⤵
PID:4756

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
160⤵
PID:1728

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
159⤵
PID:4588

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BgkwcMEI.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
159⤵
PID:4064

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
160⤵
PID:3716

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
157⤵
- Modifies registry key
PID:2504

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
158⤵
PID:1308

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
157⤵
PID:4372

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
157⤵
PID:3432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GmEMYAsI.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
157⤵
PID:2808

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
158⤵
PID:3428

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
155⤵
PID:3884

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
155⤵
PID:2428

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
155⤵
PID:4944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rwIYEgEg.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
155⤵
PID:1412

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
156⤵
PID:3568

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
153⤵
PID:3188

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
153⤵
PID:2612

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
153⤵
PID:3716

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aCwYUAoI.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
153⤵
PID:1256

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
154⤵
PID:1152

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
151⤵
PID:4432

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
151⤵
- Modifies registry key
PID:4572

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
151⤵
PID:3204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oYsMYIIQ.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
151⤵
PID:2456

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
152⤵
PID:2336

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
149⤵
PID:2372

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
149⤵
PID:4084

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
149⤵
PID:4604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\reoQQoIg.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
149⤵
PID:3404

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
150⤵
PID:1268

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
147⤵
- Modifies registry key
PID:5060

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
147⤵
PID:2316

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
147⤵
PID:4416

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vsAckkgo.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
147⤵
PID:540

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
148⤵
PID:3888

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
145⤵
- Modifies registry key
PID:2220

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
145⤵
PID:4432

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
145⤵
- Modifies registry key
PID:404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pKEoQAww.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
145⤵
PID:1280

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
146⤵
PID:5048

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
143⤵
PID:2696

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
144⤵
PID:3080

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
143⤵
PID:3188

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
143⤵
PID:2160

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QGgMkcYY.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
143⤵
PID:2832

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
144⤵
PID:3460

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
141⤵
- Modifies registry key
PID:4732

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
141⤵
PID:1492

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
141⤵
PID:3888

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DQUcEoYA.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
141⤵
PID:4964

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
142⤵
PID:644

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
139⤵
PID:3440

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
139⤵
PID:1632

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
139⤵
PID:2432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lawIwQQg.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
139⤵
PID:4868

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
140⤵
PID:5052

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
137⤵
PID:4808

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
137⤵
PID:2164

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
137⤵
- Modifies registry key
PID:3576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rgoUYsAY.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
137⤵
PID:4472

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
138⤵
PID:1880

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
135⤵
PID:2024

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
135⤵
PID:3236

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
135⤵
PID:4408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fKwMEwMA.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
135⤵
PID:3168

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
136⤵
PID:4688

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
133⤵
- Modifies registry key
PID:1816

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
133⤵
PID:4348

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
133⤵
PID:5044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nKEQUAkY.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
133⤵
PID:4732

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
134⤵
PID:3440

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
131⤵
- Modifies registry key
PID:3532

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
131⤵
PID:2980

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
131⤵
PID:4524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XwgkEIAA.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
131⤵
PID:3560

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
132⤵
PID:4840

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
129⤵
PID:816

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
129⤵
PID:844

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
129⤵
PID:1492

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aEQUMsEQ.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
129⤵
PID:3568

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
130⤵
PID:1080

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
127⤵
PID:1980

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
127⤵
PID:1080

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
127⤵
- Modifies registry key
PID:1256

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LsAosksk.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
127⤵
PID:648

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
128⤵
PID:2164

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
125⤵
PID:1816

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
125⤵
PID:4604

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
125⤵
PID:1996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sEcAwQIk.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
125⤵
PID:4420

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
126⤵
PID:5004

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
123⤵
PID:772

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
123⤵
PID:2428

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
123⤵
PID:1436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YIUsoEYM.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
123⤵
PID:4880

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
124⤵
PID:3556

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
121⤵
PID:3432

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
121⤵
PID:2416

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
121⤵
PID:2824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MGgoUgsc.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
121⤵
PID:3948

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
122⤵
PID:3484

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
119⤵
PID:4524

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
119⤵
PID:2344

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
119⤵
PID:1996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uAUgUoQA.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
119⤵
PID:4492

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
120⤵
PID:1520

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
117⤵
PID:2496

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
117⤵
PID:4676

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
117⤵
PID:3080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BggosMYI.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
117⤵
PID:4948

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
118⤵
PID:1308

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
115⤵
PID:5052

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
115⤵
PID:760

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
115⤵
PID:1432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EIcooAgA.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
115⤵
PID:4372

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
116⤵
PID:4408

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
116⤵
PID:1916

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
113⤵
PID:2756

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
113⤵
PID:2300

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
113⤵
PID:2080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kOIkokQE.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
113⤵
PID:4688

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
114⤵
PID:4808

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
111⤵
PID:3568

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
111⤵
- Modifies registry key
PID:228

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
111⤵
- Modifies registry key
PID:2904

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jEwwIUMU.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
111⤵
PID:4868

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
112⤵
PID:488

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
109⤵
PID:4764

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
109⤵
PID:1112

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
109⤵
PID:760

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VSoIgcIQ.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
109⤵
PID:5060

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
110⤵
PID:2220

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
107⤵
PID:2412

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
107⤵
- Modifies registry key
PID:4456

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
107⤵
PID:4076

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KEEsIYgM.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
107⤵
PID:4864

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
108⤵
PID:3168

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
105⤵
PID:1520

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
105⤵
PID:496

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
105⤵
PID:4084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VUsgIUMg.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
105⤵
PID:2672

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
106⤵
PID:3560

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
103⤵
PID:2832

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
103⤵
- Modifies registry key
PID:2372

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
103⤵
PID:4380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FMYowEEk.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
103⤵
PID:3052

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
104⤵
PID:1492

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
101⤵
PID:3208

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
101⤵
PID:3952

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
101⤵
PID:3272

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MYEMAcwk.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
101⤵
PID:4352

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
102⤵
PID:1160

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
99⤵
PID:1640

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
99⤵
PID:3480

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
99⤵
PID:2368

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jMowUEkU.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
99⤵
PID:2236

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
100⤵
PID:4936

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
100⤵
PID:1160

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
97⤵
PID:3392

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
97⤵
- Modifies registry key
PID:2160

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
97⤵
PID:3980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\maMEAkMU.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
97⤵
PID:1592

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
98⤵
PID:5088

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
95⤵
PID:2608

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
95⤵
PID:1440

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
95⤵
PID:988

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gSsgwUkI.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
95⤵
PID:496

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
96⤵
PID:4160

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
93⤵
PID:1044

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
93⤵
PID:3408

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
93⤵
PID:3852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DUYUAYUU.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
93⤵
PID:1288

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
94⤵
PID:460

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
91⤵
PID:1044

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
91⤵
PID:788

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
91⤵
- Modifies registry key
PID:1120

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\buAoMUwA.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
91⤵
PID:3188

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
92⤵
PID:3232

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
89⤵
PID:4440

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
90⤵
PID:4412

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
89⤵
PID:4552

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
89⤵
PID:4940

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
90⤵
PID:1640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SuggkUQg.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
89⤵
PID:2904

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
90⤵
PID:3052

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
87⤵
PID:3236

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
87⤵
PID:1172

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
87⤵
PID:2672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PAwkkUIQ.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
87⤵
PID:4856

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
88⤵
PID:3480

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
85⤵
PID:4472

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
85⤵
- Modifies registry key
PID:3432

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
85⤵
PID:4524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AMIoAwEQ.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
85⤵
PID:1152

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
86⤵
PID:4416

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
83⤵
PID:228

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
83⤵
PID:4784

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
83⤵
PID:5088

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Yokkcswc.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
83⤵
PID:2276

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
84⤵
PID:1172

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
81⤵
PID:1480

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
81⤵
PID:2412

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
81⤵
- Modifies registry key
PID:3408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZsYEkQMw.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
81⤵
PID:4084

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
82⤵
PID:1256

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
79⤵
PID:1408

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
79⤵
PID:2080

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
79⤵
PID:4452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\niQwoIMg.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
79⤵
PID:2716

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
80⤵
PID:2384

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
77⤵
PID:3984

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
77⤵
PID:2756

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
77⤵
PID:424

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SasYYcoQ.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
77⤵
PID:4552

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
78⤵
PID:696

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
75⤵
PID:2980

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
75⤵
PID:4412

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
75⤵
PID:2220

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PyckYoAE.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
75⤵
PID:3436

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
76⤵
PID:1996

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
73⤵
PID:4456

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
73⤵
PID:4968

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
73⤵
- Modifies registry key
PID:808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fqEwQEQE.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
73⤵
PID:1408

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
74⤵
PID:3956

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
71⤵
PID:848

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
71⤵
PID:4668

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
72⤵
PID:4380

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
71⤵
PID:3560

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bSUoIoAU.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
71⤵
PID:4372

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
72⤵
PID:3480

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
69⤵
PID:2776

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
69⤵
PID:3272

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
69⤵
PID:1172

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UWMookkQ.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
69⤵
PID:1564

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
70⤵
PID:1908

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
67⤵
PID:3776

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
67⤵
PID:2756

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
67⤵
PID:1816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aqMYIEIk.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
67⤵
PID:496

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
68⤵
PID:4604

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
65⤵
PID:4372

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
65⤵
PID:4604

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
65⤵
PID:1836

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KicQgoUs.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
65⤵
PID:2220

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
66⤵
PID:4428

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
63⤵
PID:4936

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
63⤵
PID:2624

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
63⤵
PID:4524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nKEsAksw.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
63⤵
PID:1996

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
64⤵
PID:4784

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
61⤵
PID:692

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
61⤵
PID:2036

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
61⤵
PID:3436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kMMMUoUc.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
61⤵
PID:2412

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
62⤵
PID:3144

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
59⤵
PID:792

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
59⤵
PID:4728

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
59⤵
PID:4368

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OmQAQUgc.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
59⤵
PID:2624

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
60⤵
PID:4820

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
57⤵
PID:4676

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
57⤵
PID:1460

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
57⤵
PID:1308

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\myQIogYE.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
57⤵
PID:3444

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
58⤵
PID:5044

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
55⤵
PID:1796

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
55⤵
PID:3212

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
55⤵
PID:4820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YcsoUQII.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
55⤵
PID:1592

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
56⤵
PID:4844

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
56⤵
PID:2008

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
53⤵
PID:424

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
53⤵
PID:1308

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
53⤵
PID:2384

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sYAcwQIA.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
53⤵
PID:460

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
54⤵
PID:1532

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
51⤵
PID:2824

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
51⤵
PID:3844

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
51⤵
PID:2316

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
52⤵
PID:3820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hqcoMMgw.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
51⤵
PID:5004

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
52⤵
PID:792

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
49⤵
PID:4648

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
49⤵
PID:5088

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
49⤵
PID:4248

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\beIsocMI.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
49⤵
PID:5060

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
50⤵
PID:3344

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
47⤵
PID:4988

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
47⤵
PID:1308

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
47⤵
PID:1408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JGgQsAUE.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
47⤵
PID:1564

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
48⤵
PID:1044

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
45⤵
PID:2220

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
45⤵
PID:1700

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
45⤵
PID:2300

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hMcscEYg.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
45⤵
PID:852

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
46⤵
PID:1256

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
43⤵
- Modifies visibility of file extensions in Explorer
PID:4832

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
43⤵
PID:3040

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
43⤵
- UAC bypass
- Modifies registry key
PID:4248

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gegoAgQk.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
43⤵
PID:404

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
44⤵
PID:2904

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
41⤵
- Modifies visibility of file extensions in Explorer
PID:2008

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
41⤵
PID:2996

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
41⤵
- UAC bypass
- Modifies registry key
PID:720

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LagYYcYU.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
41⤵
PID:928

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
42⤵
PID:3052

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
39⤵
- Modifies visibility of file extensions in Explorer
PID:5080

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
39⤵
PID:4844

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
40⤵
PID:2064

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
39⤵
- UAC bypass
PID:2220

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dKIYEQUA.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
39⤵
PID:1116

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
40⤵
PID:1412

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
40⤵
PID:5004

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
37⤵
- Modifies visibility of file extensions in Explorer
PID:3560

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
37⤵
PID:1408

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
37⤵
- UAC bypass
- Modifies registry key
PID:2368

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ugAgIUgw.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
37⤵
PID:2716

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
38⤵
PID:980

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
35⤵
- Modifies visibility of file extensions in Explorer
PID:1532

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
35⤵
PID:3444

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
35⤵
- UAC bypass
PID:4980

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
36⤵
PID:5072

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BIggIwII.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
35⤵
PID:3888

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
36⤵
PID:4412

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
33⤵
- Modifies visibility of file extensions in Explorer
PID:4844

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
33⤵
PID:3952

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
33⤵
- UAC bypass
PID:5080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QGwgMEIY.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
33⤵
PID:3080

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
34⤵
PID:648

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
31⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2492

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
31⤵
- Modifies registry key
PID:1632

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
31⤵
- UAC bypass
PID:2716

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LsAQMoAQ.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
31⤵
PID:2832

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
32⤵
PID:4352

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
29⤵
- Modifies visibility of file extensions in Explorer
PID:3820

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
29⤵
PID:852

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
29⤵
- UAC bypass
PID:3188

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uCMkkMkA.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
29⤵
PID:3984

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
30⤵
PID:2008

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
27⤵
- Modifies visibility of file extensions in Explorer
PID:1908

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
27⤵
PID:4084

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
27⤵
- UAC bypass
PID:4820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JsAkEMgU.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
27⤵
PID:1640

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
28⤵
PID:1468

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
25⤵
- Modifies visibility of file extensions in Explorer
PID:1880

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
25⤵
PID:2492

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
25⤵
- UAC bypass
PID:1796

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\geUUYkMw.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
25⤵
PID:3080

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
26⤵
PID:4408

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
23⤵
- Modifies visibility of file extensions in Explorer
PID:3820

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
23⤵
PID:848

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
23⤵
- UAC bypass
PID:1656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sEAYsAoA.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
23⤵
PID:1288

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
24⤵
PID:1256

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
21⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1640

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
22⤵
PID:3700

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
21⤵
PID:4820

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
21⤵
- UAC bypass
- Modifies registry key
PID:1400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PAIckkAc.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
21⤵
PID:1728

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
22⤵
PID:2064

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
19⤵
- Modifies visibility of file extensions in Explorer
PID:2372

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
19⤵
- Modifies registry key
PID:3888

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
19⤵
- UAC bypass
PID:3952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WUcsgcIY.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
19⤵
PID:1408

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
20⤵
PID:1628

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
17⤵
- Modifies visibility of file extensions in Explorer
PID:720

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
17⤵
- Modifies registry key
PID:5088

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
17⤵
- UAC bypass
PID:2224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wygUoAEo.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
17⤵
PID:4648

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
18⤵
PID:2892

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
15⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3700

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
15⤵
- Modifies registry key
PID:1640

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
15⤵
- UAC bypass
PID:4756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iSYMEwEA.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
15⤵
PID:1152

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
16⤵
PID:2064

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
13⤵
- Modifies visibility of file extensions in Explorer
PID:5072

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
13⤵
PID:488

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
13⤵
- UAC bypass
PID:2824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BSEAoEIQ.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
13⤵
PID:1120

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
14⤵
PID:2276

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
11⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2220

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
11⤵
PID:1908

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
11⤵
- UAC bypass
PID:720

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cqcIsUsE.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
11⤵
PID:4728

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
12⤵
PID:1528

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
9⤵
- Modifies visibility of file extensions in Explorer
PID:5048

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
9⤵
PID:4092

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
9⤵
- UAC bypass
PID:4348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IYMAwsIo.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
9⤵
PID:4980

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
10⤵
PID:4820

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
7⤵
- Modifies visibility of file extensions in Explorer
PID:3964

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
7⤵
PID:2904

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
7⤵
- UAC bypass
PID:1080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lScEMsMw.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
7⤵
PID:1308

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
8⤵
PID:4764

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
5⤵
- Modifies visibility of file extensions in Explorer
PID:3480

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
5⤵
- Modifies registry key
PID:2164

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
5⤵
- UAC bypass
PID:460

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zCkoIIUA.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
5⤵
PID:4428

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
6⤵
PID:3444

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
3⤵
- Modifies visibility of file extensions in Explorer
PID:3236

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
3⤵
PID:5048

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
3⤵
- UAC bypass
PID:808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tEosIQIQ.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
3⤵
PID:4944

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
4⤵
PID:4732

C:\Users\Admin\Downloads\PolyRansom.exe
"C:\Users\Admin\Downloads\PolyRansom.exe"
2⤵
PID:4388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
3⤵
PID:1288

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
4⤵
PID:2224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
5⤵
PID:980

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
6⤵
PID:720

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
6⤵
PID:3432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
7⤵
PID:1216

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
8⤵
PID:2372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
9⤵
PID:412

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
10⤵
PID:3124

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
10⤵
PID:4680

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
11⤵
PID:2368

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
12⤵
PID:3436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
13⤵
PID:3952

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
14⤵
PID:1972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
15⤵
PID:2212

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
16⤵
PID:2316

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
17⤵
PID:1072

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
18⤵
PID:4848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
19⤵
PID:4944

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
20⤵
PID:2832

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
21⤵
PID:4588

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
22⤵
PID:1468

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
22⤵
PID:4480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
23⤵
PID:2412

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
24⤵
PID:1972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
25⤵
PID:4784

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
26⤵
PID:4108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
27⤵
PID:2316

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
28⤵
PID:2212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
29⤵
PID:696

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
30⤵
PID:2568

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
31⤵
PID:2456

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
32⤵
PID:1988

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
33⤵
PID:3444

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
34⤵
PID:2336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
35⤵
PID:5044

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
36⤵
PID:2980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
37⤵
PID:3096

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
38⤵
PID:3212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
39⤵
PID:4428

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
40⤵
PID:1880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
41⤵
PID:5116

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
42⤵
PID:3392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
43⤵
PID:1072

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
44⤵
PID:5044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
45⤵
PID:1308

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
46⤵
PID:4944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
47⤵
PID:3344

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
48⤵
PID:3080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
49⤵
PID:1640

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
50⤵
PID:3428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
51⤵
PID:1800

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
52⤵
PID:5116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
53⤵
PID:5072

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
54⤵
PID:3956

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
55⤵
PID:3204

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
56⤵
PID:3196

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
57⤵
PID:4524

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
58⤵
PID:1432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
59⤵
PID:4428

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
60⤵
PID:4420

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
61⤵
PID:3236

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
62⤵
PID:1796

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
62⤵
PID:3500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
63⤵
PID:1816

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
64⤵
PID:1436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
65⤵
PID:2416

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
66⤵
PID:1564

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
67⤵
PID:3544

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
68⤵
PID:3428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
69⤵
PID:928

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
70⤵
PID:2864

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
71⤵
PID:2980

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
72⤵
PID:1112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
73⤵
PID:2888

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
74⤵
PID:1440

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
75⤵
PID:1640

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
76⤵
PID:3568

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
77⤵
PID:916

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
78⤵
PID:4964

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
79⤵
PID:4400

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
80⤵
PID:2496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
81⤵
PID:4856

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
82⤵
PID:2368

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
83⤵
PID:912

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
84⤵
PID:2624

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
85⤵
PID:1480

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
86⤵
PID:5044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
87⤵
PID:3428

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
88⤵
PID:2080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
89⤵
PID:3592

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
90⤵
PID:1908

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
91⤵
PID:4060

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
92⤵
PID:1268

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
93⤵
PID:2716

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
94⤵
PID:1020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
95⤵
PID:4764

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
96⤵
PID:3764

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
97⤵
PID:844

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
98⤵
PID:3592

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
99⤵
PID:4440

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
100⤵
PID:3888

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
101⤵
PID:1360

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
102⤵
PID:1784

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
103⤵
PID:2432

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
104⤵
PID:3724

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
105⤵
PID:2212

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
106⤵
PID:2756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
107⤵
PID:4152

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
108⤵
PID:1032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
109⤵
PID:2608

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
110⤵
PID:1112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
111⤵
PID:4412

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
112⤵
PID:1072

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
113⤵
PID:1700

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
114⤵
PID:4632

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
113⤵
PID:3432

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
113⤵
PID:1044

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
113⤵
PID:2080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mgQkYMAw.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
113⤵
PID:2220

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
111⤵
PID:2496

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
111⤵
- Modifies registry key
PID:1944

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
111⤵
PID:4420

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NawMQoYM.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
111⤵
PID:3764

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
112⤵
PID:4084

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
109⤵
PID:3716

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
109⤵
PID:4732

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
109⤵
PID:4604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GOIgcYAc.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
109⤵
PID:968

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
110⤵
PID:3440

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
107⤵
- Modifies registry key
PID:3428

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
107⤵
PID:3568

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
107⤵
PID:4720

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cUkYQgcU.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
107⤵
PID:1520

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
108⤵
PID:1080

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
105⤵
PID:3052

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
105⤵
PID:3388

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
105⤵
PID:1160

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PgwokUAM.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
105⤵
PID:968

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
106⤵
PID:3980

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
103⤵
PID:4936

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
103⤵
- Modifies registry key
PID:488

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
103⤵
PID:4108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SkAMIQsw.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
103⤵
PID:5044

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
104⤵
PID:4588

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
101⤵
PID:3560

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
101⤵
PID:2368

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
101⤵
PID:2080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uwkQYwAI.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
101⤵
PID:1160

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
102⤵
PID:4584

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
99⤵
PID:1044

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
99⤵
PID:3312

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
99⤵
- Modifies registry key
PID:760

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LyssEQkI.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
99⤵
PID:4864

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
100⤵
PID:2160

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
97⤵
PID:3424

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
97⤵
PID:2164

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
97⤵
PID:4400

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
98⤵
PID:2008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aGUIUEYk.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
97⤵
PID:3096

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
98⤵
PID:4948

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
95⤵
PID:1980

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
95⤵
PID:4868

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
95⤵
- Modifies registry key
PID:4588

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eekkYsgs.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
95⤵
PID:2072

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
96⤵
PID:3764

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
93⤵
PID:1120

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
94⤵
PID:928

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
93⤵
PID:404

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
93⤵
PID:4540

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
94⤵
PID:3984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UkoAMIQk.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
93⤵
PID:4880

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
94⤵
PID:2412

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
91⤵
PID:1072

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
91⤵
PID:4076

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
91⤵
PID:4064

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eOsUgMUY.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
91⤵
PID:2080

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
92⤵
PID:2996

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
89⤵
PID:4764

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
90⤵
PID:1116

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
89⤵
PID:1196

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
89⤵
PID:1796

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JwgUkEQE.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
89⤵
PID:2864

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
90⤵
PID:2892

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
87⤵
PID:4820

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
87⤵
PID:4480

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
87⤵
PID:4152

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OaAIoAoo.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
87⤵
PID:2344

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
88⤵
PID:4544

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
85⤵
PID:4348

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
85⤵
PID:3232

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
85⤵
PID:772

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jsMgocoE.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
85⤵
PID:1580

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
86⤵
PID:460

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
83⤵
- Modifies registry key
PID:4156

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
83⤵
PID:1308

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
83⤵
- Modifies registry key
PID:1996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FIIgIwUY.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
83⤵
PID:4512

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
84⤵
PID:652

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
81⤵
- Modifies registry key
PID:2624

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
81⤵
- Modifies registry key
PID:3164

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
81⤵
PID:3424

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UEIkUogE.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
81⤵
PID:4544

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
82⤵
PID:1068

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
79⤵
PID:440

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
79⤵
PID:2740

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
79⤵
PID:1112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YqEkwUwo.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
79⤵
PID:5052

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
80⤵
PID:2716

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
77⤵
PID:3888

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
78⤵
PID:4936

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
77⤵
PID:4872

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
77⤵
PID:3236

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nyAIkgQU.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
77⤵
PID:3380

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
78⤵
PID:2300

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
75⤵
PID:2624

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
76⤵
PID:4084

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
75⤵
PID:2384

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
75⤵
PID:772

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YagEAoQA.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
75⤵
PID:2316

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
76⤵
PID:4848

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
73⤵
PID:3500

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
73⤵
PID:1520

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
73⤵
PID:2740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vmoQgwQM.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
73⤵
PID:3888

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
74⤵
PID:4552

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
71⤵
PID:3168

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
71⤵
PID:2300

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
71⤵
PID:3852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VwkEEccM.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
71⤵
PID:2224

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
72⤵
PID:3424

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
69⤵
PID:3168

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
69⤵
PID:1480

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
69⤵
PID:3948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UogkwQAg.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
69⤵
PID:4572

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
70⤵
PID:3080

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
67⤵
- Modifies registry key
PID:3404

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
67⤵
PID:1160

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
67⤵
PID:2808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FSAggcIw.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
67⤵
PID:1632

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
68⤵
PID:4584

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
65⤵
PID:4552

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
65⤵
PID:496

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
65⤵
PID:1256

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dmckkgIc.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
65⤵
PID:2020

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
66⤵
PID:4944

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
63⤵
PID:3620

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
63⤵
PID:4160

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
63⤵
PID:4948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\omIkkUIc.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
63⤵
PID:228

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
64⤵
PID:1176

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
61⤵
PID:2384

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
61⤵
PID:1112

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
61⤵
PID:3484

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\skkgEwEI.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
61⤵
PID:1500

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
62⤵
PID:4756

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
59⤵
PID:2756

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
59⤵
PID:2072

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
59⤵
PID:1800

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TSUkAQcI.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
59⤵
PID:4456

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
60⤵
PID:1700

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
57⤵
PID:1288

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
57⤵
PID:3568

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
57⤵
PID:4552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KwMkIYQc.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
57⤵
PID:4808

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
58⤵
PID:4432

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
55⤵
PID:1908

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
55⤵
PID:1256

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
55⤵
PID:3952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WSkoQcUM.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
55⤵
PID:4152

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
56⤵
PID:692

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
53⤵
PID:3388

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
53⤵
PID:404

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
53⤵
PID:3408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\joUgwAcM.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
53⤵
PID:4416

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
54⤵
PID:4452

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
51⤵
PID:1560

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
51⤵
PID:4492

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
51⤵
- Modifies registry key
PID:1580

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mgoosUQo.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
51⤵
PID:2384

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
52⤵
PID:3248

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
49⤵
PID:4856

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
49⤵
PID:4848

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
49⤵
- Modifies registry key
PID:3236

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QwIUsgkM.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
49⤵
PID:3532

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
50⤵
PID:1032

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
47⤵
PID:488

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
47⤵
PID:5080

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
47⤵
PID:1028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PgEIcgcs.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
47⤵
PID:4676

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
48⤵
PID:844

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
45⤵
- Modifies registry key
PID:4064

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
45⤵
- Modifies registry key
PID:1988

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
45⤵
PID:2672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wiAIkcMw.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
45⤵
PID:2892

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
46⤵
PID:1276

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
43⤵
- Modifies registry key
PID:4408

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
43⤵
PID:4372

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
43⤵
PID:4388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CEgcEYww.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
43⤵
PID:2208

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
44⤵
PID:652

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
41⤵
PID:4524

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
41⤵
PID:4832

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
41⤵
PID:1176

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JCgsUokg.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
41⤵
PID:2020

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
42⤵
PID:4472

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
39⤵
PID:3984

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
39⤵
- Modifies registry key
PID:720

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
39⤵
PID:988

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
40⤵
PID:2492

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fYogcEMc.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
39⤵
PID:1480

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
40⤵
PID:4808

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
37⤵
PID:2884

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
37⤵
PID:2072

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
37⤵
PID:3724

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tGwwkgMg.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
37⤵
PID:4732

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
38⤵
PID:3392

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
35⤵
PID:1592

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
35⤵
PID:1480

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
35⤵
PID:2316

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rgYocIYc.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
35⤵
PID:1256

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
36⤵
PID:1816

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
33⤵
PID:5088

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
33⤵
PID:4980

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
33⤵
PID:460

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sgQAkkwI.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
33⤵
PID:3412

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
34⤵
PID:3724

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
31⤵
PID:4552

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
31⤵
- Modifies registry key
PID:4408

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
31⤵
PID:760

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
32⤵
PID:2384

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JesUAYss.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
31⤵
PID:1120

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
32⤵
PID:2224

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
29⤵
PID:1988

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
29⤵
PID:2224

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
29⤵
PID:2236

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mwoMEAMU.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
29⤵
PID:488

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
30⤵
PID:1628

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
27⤵
PID:4604

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
27⤵
PID:2416

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
27⤵
PID:2980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dYUEUcos.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
27⤵
PID:4152

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
28⤵
PID:4540

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
25⤵
PID:852

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
25⤵
- Modifies registry key
PID:2104

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
25⤵
- Modifies registry key
PID:4808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IGoQIoII.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
25⤵
PID:4940

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
26⤵
PID:488

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
23⤵
PID:3080

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
23⤵
PID:4732

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
23⤵
PID:1728

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dOEkIsoo.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
23⤵
PID:4416

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
24⤵
PID:816

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
21⤵
PID:4632

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
21⤵
PID:2416

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
22⤵
PID:4092

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
21⤵
PID:3888

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mcAQoQgI.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
21⤵
PID:1308

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
22⤵
PID:1500

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
19⤵
PID:440

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
19⤵
PID:1520

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
19⤵
- Modifies registry key
PID:1836

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Ragogocg.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
19⤵
PID:1916

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
20⤵
PID:3444

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
17⤵
PID:2492

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
17⤵
PID:2368

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
17⤵
PID:1080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Iikgsgwo.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
17⤵
PID:4084

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
18⤵
PID:1532

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
18⤵
PID:2520

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
15⤵
PID:1700

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
15⤵
PID:1408

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
15⤵
PID:4408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DaEUowkI.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
15⤵
PID:1860

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
16⤵
PID:816

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
13⤵
PID:4764

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
13⤵
PID:788

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
13⤵
PID:5048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pcoAcMcY.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
13⤵
PID:1172

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
14⤵
PID:2428

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
11⤵
PID:2776

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
11⤵
PID:3888

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
12⤵
PID:4648

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
11⤵
PID:2996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RwgIkcMw.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
11⤵
PID:4368

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
12⤵
PID:2224

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
9⤵
PID:4428

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
9⤵
PID:1796

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
10⤵
PID:2892

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
9⤵
PID:2276

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eIIEQgQo.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
9⤵
PID:1028

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
10⤵
PID:4856

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
7⤵
PID:4456

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
8⤵
PID:5088

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
7⤵
PID:1632

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
7⤵
PID:2020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XcIAcwoI.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
7⤵
PID:4552

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
8⤵
PID:4416

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
5⤵
PID:4540

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
5⤵
PID:1836

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
5⤵
PID:928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GEMcskMY.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
5⤵
PID:3980

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
6⤵
PID:1640

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
3⤵
PID:696

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
3⤵
PID:648

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
3⤵
PID:2672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TqsIEYok.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
3⤵
PID:2996

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
4⤵
PID:2036

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3884

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1528 -ip 1528
1⤵
PID:5048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1816 -ip 1816
1⤵
PID:3412

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
Filesize
836KB

MD5
b1d2c282d35b702474d09fd0edd3dd61

SHA1
6d2eb0a0502a92f233bce23c72b3768fd7fabd63

SHA256
fc356e6a582a72517b3d68d6e1558c3bcd1099664bbe68bd67a51c58c2c5fb50

SHA512
b610d44f0e8cbe26473470ce1a60efb23b8c3a7121d797f58bab386932b1e758de7024f7cfc0303fbb3ba260fca9e8bf76978e1c05cc2c1b86a3a50a79b54a54

Download Submit
C:\ProgramData\pYsYswcQ\YCcsgcEw.exe
Filesize
194KB

MD5
95aa89ae43ae237fd4284085fb811963

SHA1
5a70c5a2d2b667f3b494595213641eef5876e786

SHA256
0c199624be3c55b044e3210fe89e8bde11fdedea94d3a31b3d95158e4286ba7b

SHA512
bcd81518afbd1e8d3f60de6c96f97923850c7f94781c08f8f719de80c72f02c143c00d8d6b8272aba3a37f39d1cafa6959408e63a38c20e24c9eba663a3b6cde

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\128.png.exe
Filesize
198KB

MD5
56cccb0f05505b356e2b180a2a2074ac

SHA1
bcac8f52b7bdf8f6225566905a2f02ff71b146c1

SHA256
91a249d4665129fc5f6a99bee5c4752967d0ed774394c850c86294ef5f8e1a48

SHA512
46883a84f608c202d6d8911c6464cf2ff22d91d1cf438bacd16c14a5d79d14e1ec6c7906a9d4f6f64e00c32568685329adf35c5e3864fb5e9ad1960e7a964b31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
a91469041c09ba8e6c92487f02ca8040

SHA1
7207eded6577ec8dc3962cd5c3b093d194317ea1

SHA256
0fef2b2f8cd3ef7aca4d2480c0a65ed4c2456f7033267aa41df7124061c7d28f

SHA512
b620a381ff679ef45ae7ff8899c59b9e5f1c1a4bdcab1af54af2ea410025ed6bdab9272cc342ac3cb18913bc6f7f8156c95e0e0615219d1981a68922ce34230f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
601fbcb77ed9464402ad83ed36803fd1

SHA1
9a34f45553356ec48b03c4d2b2aa089b44c6532d

SHA256
09d069799186ae736e216ab7e4ecdd980c6b202121b47636f2d0dd0dd4cc9e15

SHA512
c1cb610c25effb19b1c69ddca07f470e785fd329ad4adda90fbccaec180f1cf0be796e5628a30d0af256f5c3dc81d2331603cf8269f038c33b20dbf788406220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
cf790f16dac4046a67e544b33f027f4a

SHA1
c933cbe1a792985ad64e6f3c7b10ade76f540ca8

SHA256
78234c1def8d2d54863b51f8ca240163bef8a45de6010108a9f1dd91347a1cfa

SHA512
280b378ea1e747bbf4a695dffb9c3b066ec5cd3cd681afceb182980edb27e8ad5bcf7525a347be23c87d68bef9c0aca3e10b8613a7b23680ae1fd857656e8ff4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
579B

MD5
bd614c435f494d5fc00cdc4774dc1895

SHA1
23e5ab611e10a19d98d2f8b00b8f08f0bec640dd

SHA256
5b6579f8c324a0bb9667f1b3c5ad761f4de38cb4b10737dcd3de08dfbad790f9

SHA512
9174b8c1c4a1c9acf762de779e3a3a97e51206e2ea19e9d53f6e7c1bd8b3dc163dc46d069e75919bdad87ad626780c45262fa3af2275b1edf179b55725c758d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
40de1da4f0e9b9abedfeaf9a59af2f07

SHA1
b4063dd2baa5dc405a9c14dcf40fd1cd673416ae

SHA256
95e8ea7ad8642f9197dc21a22ac39a2063c29dd31b9ae4af30b9ec8ccb633ae6

SHA512
e6e41ac59f6fb1decd279e6c0caeb6329b5a5273dd1f7c89ec5ed7b786522d6748d4a9ed9660103e6f579768ab9db5e06e44000e163c8221af4b8f1a820d1187

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
a8a0532e6392a6e844bd05a4a00ee4ff

SHA1
ec4af96de4ea22539f0b47a256098647a3c41af3

SHA256
844c6cf37dece3c6fdd26bb8f9c2cfa4f9035e357c978341e4ebfbd45737a05c

SHA512
b1b379657e7eee652c1b85d937ff6801b6c8a540359b288fd25953d4aa2567fb4f18ef3e278ea4251dce9f14051e73e0931a7fedf4a821fac5388d9303034f10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
99bc792e81bb3f43a2153de67c5748d3

SHA1
47fe96d744231531bdac2b3a8ec5995dcf88eb8e

SHA256
aae8a0b1702379291ed7f0fc6835f7d6491fdc17e23b652df4ff32abd3688f0c

SHA512
db2f8ea5324f2551cc678c180c20013bd8a940d84c7ace19c547e0b2d4e07bc4709c403ba10c38653bc6e6507c65f71d9a0cf4a378c5d08d9fff92eb78ed8e9d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
49a48e96f67cd6070f94ba2a16a6efc8

SHA1
e86f1a50eef974ee5d35804274f0ab41a3d29199

SHA256
3581440d57a14c79b7d30654f751bebeaa1b351426736e6caa82f49bbf87cede

SHA512
ec4f6c1ecaf79405a5b4d6cb1df070360076267310c9020837bb482f3184c45977a7c02e6d5001c055896fe0f4b47e2d51542346d5a199e39ec943e351f3db3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
9c19037721b7802f338e43d31878d9a4

SHA1
f1f321b4ef7ca0c9f7d5011059dbbc1ed3b7d781

SHA256
ef3c01c846505567fda372e492d5e4205e7ac1576957715b342292f5b9361813

SHA512
e3ffa89b0a452db06489b663d245c30763c3884adc815ce937eb2c3ff0f8429e2757eb30619e5f9ae9838e1bbf7768d95f89679fcdf4e7cf2c00c31853d7c254

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
d1a7348a581ede5fe03af76626d92957

SHA1
589ad39f907ce0893b6c557765917f17b04274c2

SHA256
6a8b4e87711433db9e7a4c288b394a6fc2e021d2a0b9d77a441bffbbdabfd95e

SHA512
12d427d30e9461e301ad5d708808425bd2e14d3d663bc325c7eb33acb43b419f89cddc77c8a46569dbc381af272eb348da75dc3d7f41ebe0199076cf860412d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
515953961e8f6441202963652238f622

SHA1
809dee4f45939e5e2c8787bfb5d6e812e3d6e4a6

SHA256
599524cf2c236209fdaeb027f589b5bbda6e3cad1b8982fe8ec2a91d34055ed9

SHA512
7c2294e9ff9177c1999f010c590190a8bf584f5623a8cac1579768fc50730c7607826d44416f97d8f747e0051a90a762f91df6feb0dd12c7389746702194ce1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
21039ecde4747bd7e88db3898ac0fcb8

SHA1
8f70c0403ebf6e8232207d70143baca37133e6fc

SHA256
29eba10c1778370d398c203e0702aad3a9de96619200e70b580008c2f5fa25d8

SHA512
01438e8b4d9eb46b6d94a417b8e1163f7801391d5bb2b20c3f05b4686770f41bea69dce6a0006d6c3d5d3215949302e5bcfeff2efeb018a87617b4d606e6faf1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
e27e830f4bb7aaa46bea231d21898855

SHA1
3b106e507a5a56835ac35dc6eaedce7c460720f0

SHA256
77ec795af6caeec9057120b0704de0a0a908f17fc5002d7ad5500596c0e6825c

SHA512
05499633e9a24bc440c98e3054a4edec15bcba8ce780177d61e55c4b9d4d3eb22d2bda662a4f5ca6aae17ecf35f2840e98d7b38369b63f864db5949fb6f5086e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe584522.TMP
Filesize
1KB

MD5
5e5732260d08cea2e0fe215ba1b075e7

SHA1
df017c25a161503b83a674cf38ede209d7053a4f

SHA256
f307b195ee6b14741c9a3d26e7483102648094f91024cf58818998af09d478a3

SHA512
ed2ec40266a528d9d4fef38eff5222a1fc3f29de29bc6995862b9836a89cbc1ce9d73eda490c7b71be77a2634c02ef280af6df51b4ee5b8e5c85c666812fa5e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
74a7d5c9c3810c2378730ec95cbb9ada

SHA1
5f5c85b4e3804dc4f7a8a762ffbaf8dafe4f7a92

SHA256
210dfc6054772493436e5236863a60b5bc5906ca8bac0521fa2d36d45fd802b1

SHA512
53f81a5a1e897e4d4a45505252a76259ad5fc92c29255c43afe20d8bdc67dd37a5c86b0930afe397f33d64e4e2cb53c06e360caff6b955f23e8d3d68d05ab880

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
1a8f95307558b4425bf53d02e29dd6fe

SHA1
ab5c4bc6dfbfd6ef36e0b59794c4974d74c877e4

SHA256
35ded122270a5ba8f583de4131ca56495541cdd70f1acdfbcd25d6f1d4859b16

SHA512
995c4a17aea9188e1f7210245cb93f14b40bd27511131db3aa47fc9de75cd1000aa74f831fe3d34dc40f037bfc57aae50723425e2f3f7591ed64d372861bd461

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
5161ba0faca8e4ef3a1ac18e761e7d78

SHA1
3f2de34f799ad6489bd00d5dda694658c54289f3

SHA256
ffd84648b459da4f7826041e55f2314069d26f885d897152c214adf9b6eeac74

SHA512
7138c7636c0976059d82b82a2e70f619333b2223e4ed9c65cb5e80d9417a6c008f557f0b05ca0161526cda1b93979d2976bda2bc17c0c2bc79cf281cfea94561

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
18dde1279a6f6e3ee28b2b7789690fa3

SHA1
7a8a74b5d592cb6443ddfde58c2dfba0d5b96369

SHA256
078270e565f1f996e6412620478f7cc939f364cccfa7e20109e9f2485ba91d13

SHA512
3fefc61345e6b5d66020101fae4a458b80b184fae7e0b7bc2eafd2f2a39b0dc8bfe27dba611028bf384b08bfb6afed5d5bf69f9faacdd8f11adaac4ec0c78fb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
Filesize
1.7MB

MD5
0212ba7b48d0488e6810efb32b794b50

SHA1
9f8aadc35e16deacd1f55ec9ea4c68d54c92e524

SHA256
5789cfce157c338710d5c6d8a1427166eb2e26967f1f9a29288fa054814f767a

SHA512
d006c1f1e5f111d117fe1e62c7596dc32b5621840344ff175eea9d91a9d85beb33d5a9a1421ae8e9d5f939d8ff8c3704b2a4093b33c1ccf3b68625c86491a76e

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tEosIQIQ.bat
Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\Downloads\AwYY.exe
Filesize
212KB

MD5
7a40305feae2dc9231e8c2635bf943f1

SHA1
a65ff48a64e47a22261676ab4d8e073322556344

SHA256
e0850314b40211395b8e96bda6d3116d9eafeb75d8d328b5614e80a0d26b2783

SHA512
163cc0e814e2a3232a48f5b7d5d146ebcaa52bd0d7d8044bf4019cc1ff6b4a9bc0cb10583ce94659696a698aad30522511c26584e27f21e832c0cae9b5470a41

Download Submit
C:\Users\Admin\Downloads\BAUm.exe
Filesize
196KB

MD5
caf1af5667d27376f09c0babb85f64ae

SHA1
f5b2aea0836bd245d27a8c8b05c8219bbc6ff39f

SHA256
0120b42e19bc29fd567dc9935415707b00e0457187e955b55d4891eea6f8ced6

SHA512
32643b0f08d056e4a72bb18356d44505a7c0a727f506c9eb2c202f947835e7da497d1f93bce4aeab97015965ac8db3ba2a780a48100294c919be7a59d7bf5ddb

Download Submit
C:\Users\Admin\Downloads\BMAY.exe
Filesize
1.2MB

MD5
e3ba5afcfd35a1ee7a28d6bbeccac526

SHA1
09192c91a2ede55e766ba6494f94a2c86fbae254

SHA256
bd1670ae96fcf0e5a733e60dfab768d783f6b98f36e68a55905bd292b7ef2c84

SHA512
3ae765b61d4c944241c87d0901de0820f865a0a9e38f70aaf723d6dd74e0536e27cfda6a19a498405f49531e11c1d03e24c2b4ec06808fe4382500edf6d31457

Download Submit
C:\Users\Admin\Downloads\BMYc.exe
Filesize
191KB

MD5
9adace2b3c28a84137bb300755c3b301

SHA1
e74405d562fb92307b20382aa0109f8a9fd0460b

SHA256
2b1edd6c8f65a04e836ae3059a070b5b5dd15e3fbc15ad8f30227b6b7246befb

SHA512
b2113dd41be3aef875539fff309c3a1c977bc5db38a680ca32514964cedc5493ba31d650019bf3602431aa887aff8947fd18a1f9e78752195f54ef53a5315192

Download Submit
C:\Users\Admin\Downloads\BMck.exe
Filesize
642KB

MD5
a40ad51d501d24dd9583d9d79251c7f5

SHA1
14fbe575c0f3d70709167c579f49ba4ef0162538

SHA256
e53982ffb87f1d047e7db3d61c9aecbb5a4dcd88b2a944228e9c50c366b4a85a

SHA512
ff0b54b06dd079f7ff34a60b4c097be3247266ae1a6ed1b1c6881627261a25727f57e6d572d7c20847b74cb12dbc5dcb68c777056b245d9d4caa8c7495f5b0eb

Download Submit
C:\Users\Admin\Downloads\Bwog.exe
Filesize
186KB

MD5
a9dc9465309097151a8a1fe004f0c11c

SHA1
052b75f890854bb89266d4ad7a994ef1dbeecde3

SHA256
6299fe56672a1f56c2be77f461c1821ff27549f69afc2cfbecf2de3c75b03a34

SHA512
4c618e5dae4e74899f68933a1a5919a7f98284dcb635827040651301c9bdf8422814c314b82cca1a0bfdf47e8ce3f04a318a580cb60fdbbd0dbbbfd3e2ba5d21

Download Submit
C:\Users\Admin\Downloads\CIgs.exe
Filesize
186KB

MD5
39eecfd6a8eaff5e2ebb4567d32fb29e

SHA1
aa4818a76f9b1bf2c1c2bf0b8c249a1fad276306

SHA256
f6391eaeb68a1c5e4544bf26b0a65954de79d1f572de16c7f60616d7f1184178

SHA512
3c6ab527e8d05d68fd2940b4ca4bfd8ea72d9bf2c1adf4b1fd00b2a9e1f77c52a6ff6b4ce83c12585d755fe0b2792c55890c9065d9884bc4b424f2e81a58170e

Download Submit
C:\Users\Admin\Downloads\CryptoLocker.exe:Zone.Identifier
Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
C:\Users\Admin\Downloads\DIoU.exe
Filesize
804KB

MD5
a2a2e7eb1005fdfd1376ee4e54b34e4a

SHA1
c941fde1f2901767597a06c624d3d9594388dd84

SHA256
72c27fced0bd747529c1d11c10da5fcdb0f861df5e8e12854f6cb3435d8cb07b

SHA512
05ae1d61d991b14557de34039d2377aaeff3e6c85c53f868c322b647d51a6710fd7396c8e400884136611243671f447abad6ab412dc9af075421e68a44a77a63

Download Submit
C:\Users\Admin\Downloads\DYkY.exe
Filesize
193KB

MD5
941844315810144182897150ef92e1a4

SHA1
1a0f05deb1d860861a2bf86fc9f192eaaab40f9e

SHA256
1a056d6a181f636ecf79295c8263eef93e5fc2a076b4e272ea29882bed828fca

SHA512
e7ff2129d64fd604807c8b2f1db47de3805ac5f10118d14cf880d8933fa03cb6c71866f10530ba0d63495c51e710f51b3496b9a71829a8a8cd98fc8bcd172fb8

Download Submit
C:\Users\Admin\Downloads\EscK.exe
Filesize
236KB

MD5
1e7c204dcaadd110b4a343a07a1abc59

SHA1
f6893b166f79d696edf5b07a8a8edf70ecbfe7a7

SHA256
78d91404cafe915aef368c0f7019cca7e869b0f7aa54571f78352a0f8cd482a9

SHA512
e611fe236ce8805fee043e2a737125309e1e5042e91d689252dd61c2fdc115bf1c1d0ca285a171f6dcd5ed963d66c8919745d4eb6e8e1cd4daf4de106b3220dd

Download Submit
C:\Users\Admin\Downloads\FAIO.exe
Filesize
200KB

MD5
bbbbce64ceb39a14c42413f6c360ed11

SHA1
52c2d3293120a15d532b3df10fd69ad0e3c072a4

SHA256
52b53bb6c402c97ac3eb0e5f397a17ce0e955a6a492cadddbb212d6508139168

SHA512
7c0446c915e00fd1a96001df84fad365726278a8264fe483718cd1d6587323f82b9fa548239a7890bf3075e3dec3cd165dfd32159894e56ed6b2be8e73da67e7

Download Submit
C:\Users\Admin\Downloads\FIQK.exe
Filesize
205KB

MD5
d9d5e31fcba655d41882071c99fd2f74

SHA1
34ec52af6f746b8756f3569d840a3701bd029dca

SHA256
895508ea344044b928ec9a779b7cf112c2085e129829664914f157880a72daf9

SHA512
d055791537ed8e5c1024033045bd421357deeabab64a55160088f96a3cb6f8efe3fc1d00abc17cdd05a2fe61ddc3e116d10780b77de00fedb9f5b19b2891316e

Download Submit
C:\Users\Admin\Downloads\FUUm.exe
Filesize
354KB

MD5
445157b1f3864b5f1bf4601f127a9002

SHA1
00e6f1c6a96f14c94b82c968cb518985cd868dd1

SHA256
c18aab5ec21dd9346eac32a73d3d39a42cffde515d86ad9489978aefc1f0364a

SHA512
7969ae572158c5266448da0c136083f1d852d9b0c3b01dde49ce3cc61b8165d6e4606b0f3de24a7f403f58dc6eee11ad41c1fb7454b3ea0f53e7114d6c353d33

Download Submit
C:\Users\Admin\Downloads\FYME.exe
Filesize
340KB

MD5
2c4fe4774b5f8a0467ef38813671c830

SHA1
e654cb091c25568c8d9f8a4513290cfe3ea15f89

SHA256
d56753dcfe4d5afbffaf36119a07ec0b20238ce844ddede5f49531f0affed1e1

SHA512
4f043526ac15489cbdcdb281afb976033c1cbed3dfc13b82a8420fa9e4f8fffa9fb50a4dfdd4a4674b8c1fa802fd16cad222d9f6b979b7e8590a59542dbca34e

Download Submit
C:\Users\Admin\Downloads\GcUu.exe
Filesize
200KB

MD5
d5746c1710ece81a77bf35f655f9552a

SHA1
8c92e228a22bea7bf6a4f493fca2e3625b2617ec

SHA256
112443b90d9fa6826363ad55687f4c88be85376d828fcc4059ab1144da438b8d

SHA512
dc16a37ef217d6ca4a40b127738911425bdba54333e37229c696d4034f6ce3d70673bfc76cb3be0bdcd9d0a7d1eb94fa08d66e195b872ef350b0b8f6871174ff

Download Submit
C:\Users\Admin\Downloads\Gogs.exe
Filesize
209KB

MD5
ab8963c4cb795025ad4f7fa232a617fa

SHA1
4da363f48671af3bfb8ade42b5b5b2d60e2f479b

SHA256
2dd9a4f51f17ce795b87ca8c1a393f1b52c7918458babe58126dd601611790a2

SHA512
c87154832cefb72ed1b4b73a869b8a00726805383f0c076c315975050742c5dcf0b27b72eb89677f9ebab321495a882df5c2cc04bbb69a58bbd73d43820c8df1

Download Submit
C:\Users\Admin\Downloads\GsYy.exe
Filesize
645KB

MD5
8f495c32d873f4ad6b335e11874d6dd7

SHA1
e998f0ae7173901054cf16c46cc365a8b6aec27b

SHA256
7ea66ada207ba52e40c3703d8e1dc3e47aad7e058098dbb82ec19c468adaf68c

SHA512
e6d18b6131e00196ff6ef325052be6ace2669b50051eb88fecb2b3908628a3e8d4a47ab7f05896255fea2470f928783ae09f617ffd6848ae796a6ef337c7cb93

Download Submit
C:\Users\Admin\Downloads\Gskq.exe
Filesize
223KB

MD5
ada2088820d20d0e9c3a60459570f9b7

SHA1
aaa9f3e7d59b97769df2ee75e624db5a8272cd8d

SHA256
e7a98846a88a0b6377d4ab7562ca84e7be9cb0f6693ccf35c22a3d65c2937c67

SHA512
4745cd97ece57d7204ab5eccfe6b48fd326c4a549a6fc8b1ff1d9810238eb4ad021c5591432e425619aca22f980f825cb45fe4faa6b8c8064747e0d9df4585a7

Download Submit
C:\Users\Admin\Downloads\HAMI.exe
Filesize
190KB

MD5
d78ef62b449e21241225a6863fd2fed3

SHA1
656088cc922c8d145acfbe87e637c773e298ab36

SHA256
32784cd68399191e57220429122be6c95b1b8e14a7e9082f9a9118873e77dd71

SHA512
b3102f45cead750d4a506421ac370eac550e29e955b4c9a5f3f66a14fff5f4ca1537d7ff77955a127ceffb6c60cf09ccdb65af491fdd373330ff54709ab9b625

Download Submit
C:\Users\Admin\Downloads\HYMO.exe
Filesize
204KB

MD5
e0c02e8a1c803e101085197583607c2f

SHA1
721b7b18bd6e07a83b7cad57b4102289527c967b

SHA256
9a0eaa8438d04ad73e47afee69e922640342f4f2d3529950a988c2919d163437

SHA512
77a091b96b6efb1bac8ac30e49f4de0a4ce1e754dd52d87e1d4e2f7216600066b2f4452f31807844d9befc698ed85fddf7dc9c92703a7b59b12ce41d3b455d47

Download Submit
C:\Users\Admin\Downloads\HggQ.exe
Filesize
201KB

MD5
6d6345c4bd300168037335b8f6be2912

SHA1
1d4a3b20cfedee0abc811c1ccaf5652c5ccf100f

SHA256
6c6d1ecb0de6d61a1a0b8e4beef9ce9da6fd0b5f5a91fff037d35616a3dac2df

SHA512
7a03bcd7aa6eba7ab903fd22303bb98dba5731f4bbc7a4d6e59546cc38e4d3a791328771949c3eb3d26b0f34028114f0d5865748e07b546d7aa0db5d87f5fa27

Download Submit
C:\Users\Admin\Downloads\HkoI.exe
Filesize
319KB

MD5
d84fba798121ed3648e22f41d75fb875

SHA1
b3c262ef8bb50091b4d8369f9c6da3ff9a8ff0e8

SHA256
77879289c7ac42bbccd0523f61b1508d567bffd63b60a9f4ade58b6f37cb553a

SHA512
0fb1cd6e59c122618489c8b4488a5c94303d5d05b3118b5feccf2e23fa7a209a08539dc9b664ae532eb06fadc0460179801bc539e27fdb1e88faa724d36a6831

Download Submit
C:\Users\Admin\Downloads\HoIM.exe
Filesize
210KB

MD5
feb8e3434b51c462860969a715a7036f

SHA1
509ad344e32543f6a596733ef568f321f9a52601

SHA256
d737d4f3c6171e8cfa2bca4e1036fef55d91d858085d30a16aa34c6311a304fd

SHA512
a604b347a31bcb3e6d2327e82a3025f7272a1caadffd4aa92991df7cc2603333b4d498c3df55ebe0bb9d22de021e722af3c2d8e038ea3b2694a8314be333a341

Download Submit
C:\Users\Admin\Downloads\IwUs.ico
Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\Downloads\JAcs.exe
Filesize
624KB

MD5
dd5b0359f4fdd34fceae1cd12168ee33

SHA1
075c279ecbbcacf90831a3939e1f5768306bf2d5

SHA256
7e1d2ca150bdb775978cdad67cecb795bfe3094af39fdd244ff6365e9857ba8c

SHA512
64a631c2111c7eec751a25c8128b0ffef2f7977d11b15aaed691abbc8ee61e94fe1899a204947dcfaef7a673c8b7e9627560e2590187c835ae174f70c44e10d9

Download Submit
C:\Users\Admin\Downloads\KsYo.exe
Filesize
199KB

MD5
7d5cabda479538a87042194e7b86a7e8

SHA1
73b0735d19c157cc7458be99de6f56e0dd595bf1

SHA256
870b763872de691579cdf6daea3d1113728f22e1faf94a60bed623ff7d19db6c

SHA512
ebfb31b38277bd38e0caa5c57d1672b24187f132ba43fb1c4ce17c9ad74dcd9efbf429532d1dc04be5a8319bf28b9695a1600e98613954c4b05105cbfe4abf79

Download Submit
C:\Users\Admin\Downloads\LEcE.exe
Filesize
190KB

MD5
3188564a2d7e6ab2f86bbcc3a0637037

SHA1
5e7814435f3958a012962f3e11e55d6c41a9fcd6

SHA256
474a72f13c9790600e7745732d03660e22d78786bf651bed4b9ffaf0e404f3af

SHA512
2dcf3f87b539b971b577d72cfec910568374d7bba7f11c81e91e2c01f8bb97fe1700ae1e69f4222aa5818a1230c2904c60d37ed01e45d4b00b0f88ed269b661a

Download Submit
C:\Users\Admin\Downloads\LIsu.exe
Filesize
240KB

MD5
74e5c592c41853def2c7b2affe34d395

SHA1
af59120264b340894e285153fb4891375a6ef597

SHA256
66b46788e30a7b7e7b6b5639bcce1e3340500cd7c60573236b201523319b817d

SHA512
deaf12186bfeea74b4f9ff024369457cfaa6e1af59c2506796c970adf4c1a7890103da641e5b01cb9059c15c9aa569c2bc7651bbd3fc37dd484e5f2d1a45d1de

Download Submit
C:\Users\Admin\Downloads\MMIK.exe
Filesize
190KB

MD5
3d7a92fa65f3b192e269af1aa3254f60

SHA1
c05b7ec56284af240715903e377a54fe9f35cf51

SHA256
c24c5d499e44a35d624cef256f553b20cfbc70bf4e87d7d61b7d61a7448a21a9

SHA512
2b9db6323141fab787f3b39437cef8104a886db1fe052a3da10788ffb3499f67078c375616d3f4c8c6d49222568d94ea0e1740d24701a4ec0f29716f64d19f8d

Download Submit
C:\Users\Admin\Downloads\MMgS.exe
Filesize
202KB

MD5
8fc55537b150749a83a9ecd9d483589e

SHA1
64e279c782575374bea988c40493d59c81d05b66

SHA256
ce9df838b905db1d3cda6d79b17fed5b42e039ebc1ab12388a787945eb906323

SHA512
184743bf6df232cb07ea9ae8590d5dde4c32dab92a4cfb007d4af483fbf43666c4ec763c287d24758355a0da0b1db6c4f7eba71c56b8dc35bc31eec11cfc8722

Download Submit
C:\Users\Admin\Downloads\MosU.exe
Filesize
608KB

MD5
77507b01d87adad1b1368ecd429739e3

SHA1
8e6669e0566fbbe02eb4e7bf4d8b3fd15f32b484

SHA256
8a14efb6086b78d03a6d0ffd3989b517c521edb498da9c8b2532e668204fddfa

SHA512
ddcf2eeacda2b74ef8c14ba9d377aa012dc931aee1efecc82c7eeea5cea378e7de7b29b80ea7364a3b9a0f6f354cf21348782e2b0ee62f4085b9b4f9c6fe0c9e

Download Submit
C:\Users\Admin\Downloads\MsMo.exe
Filesize
191KB

MD5
9377f5c2b51d01af47843f76ff63a8c6

SHA1
22ec85d53533e155e83238a4f19aae0f23d5f9e5

SHA256
bcc2d21d1ee2afd9abaeb6afdf718a00df7a35b6e5a68a49e988ec1875b82765

SHA512
f7fd5817cd9f5b900628933638422d471908418ec3f979bf99d0684f9786e01104dd37a2b2c05da07c81cd9516f623387ded89eee733fd1508d20e18bc79d35c

Download Submit
C:\Users\Admin\Downloads\NIYI.exe
Filesize
206KB

MD5
7fcc67643f7f1ce92e6be7a58d5f6d6f

SHA1
fe5cf4aa273716636fc61b299e641c0a13be7321

SHA256
3dd6e83bfa38855c00942d1cfb807ad2e85abd0cd1700f612de64a9a9a3de0a1

SHA512
f24e6146809c6c0a2e31c4fdde7e3c74e573aaafd6472bf2fdf861c7cda2bb5d2a75cb2afc76f7ab7682a1f2d0d7053c122acbbbac7a84dc9e4499c38f84d109

Download Submit
C:\Users\Admin\Downloads\NggI.exe
Filesize
199KB

MD5
4c675fb7c9d738254f87ce335dbb20ad

SHA1
ce631bd15e3097f061b6c135b637653cd458fa76

SHA256
1effba6ff3cabec23fcdd9f624634d545f22ab9af27109b761b0951e3b6522e1

SHA512
553d0ddd1f2083a455dbe1b1075f9f046beac6e593ea8a187eae8b842e1f535f7d2a1b64e3c7076700922686261fe5a689de2cbfc2520511a40286e75b29ecbb

Download Submit
C:\Users\Admin\Downloads\NoMoreRansom.exe:Zone.Identifier
Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\NsIm.exe
Filesize
650KB

MD5
e8ecf859b17a68336bdafd87431ddb3e

SHA1
daf2faa5033ae0c543d71a72405e77a23b70d00f

SHA256
db46feacba743328013429712450cec385b3388e8ce5a7f5b0d60cf465e4722b

SHA512
7ef64d18e9d4d51d0d40a02d11d64910696f9f88280778969cc0e27e48ec7196c2f1529d67256a4f0bd34fa1d5644f09361dd8f4cbb870147f3cb96d12071cdb

Download Submit
C:\Users\Admin\Downloads\OEQG.exe
Filesize
193KB

MD5
875f6ab31d0804b0510bc2c14e3a13de

SHA1
80ce52c19c80fa14e4adb664e8c889191fd3568b

SHA256
1da9726465a872ae001cc59328c5fa07a0e75b2cd40df1a9261e40e0171e3390

SHA512
38503a081f0558750f07d5c62c3ed996bdba8c63390239865ce2e132bf94f694d112e51d4ba8b3d10a719a8fe4e2cdf4e41c916615057da1c8c8284627ab5196

Download Submit
C:\Users\Admin\Downloads\OUIg.exe
Filesize
741KB

MD5
32f6f8fcf8ddaa33e787887430d8e4ac

SHA1
d881491acab59adab709e55cd23386a86113e168

SHA256
545e762bce5f4693117ae66bb50fc35c81ca28db750a35d1d414332db3f5473c

SHA512
7e7debc3570bb2586219769fb2361114dc544601f0e52c8d36042594605908ca46176c4a0b458c6a873a261f766a8efb9ccc029ca3d23550fd32951626fbc09e

Download Submit
C:\Users\Admin\Downloads\OUQE.exe
Filesize
184KB

MD5
9c6f0a83fe601ba60b3f4058ff247336

SHA1
e72617c9846e2fa15064c712d9740d6aee4832dc

SHA256
e5d0b43096015edcddb5774a2a280e34973e291087a1552465e71bc6cf23d6c6

SHA512
af01bd3d3148078a2e1c58db6e4dc1c7e5319739cd000e695adb36a6b3bb112fb0fbce7fe2d7561042f35b9a62943f78581ed015ab4252a486b08472e16d10b0

Download Submit
C:\Users\Admin\Downloads\Oscg.exe
Filesize
196KB

MD5
ecaba3ed5a1697734a9e45dd1ea3351a

SHA1
8f1172e5ba041db251ce184e3cdfb49938470002

SHA256
4dfcb8d79580c6e74ed3d4b7418ec2ff839ecf4cce02c644e363b3239105d49b

SHA512
11e50f3224f8c5af000c94a2738c2684d3ccde3af7e8bc925f3283a3d84cd84ae7442e84a2e71514a91cc89a798006736ec59e29c5aa5806b12c13c859f6cc2d

Download Submit
C:\Users\Admin\Downloads\PIAq.exe
Filesize
826KB

MD5
ee3521065bd01ef5fff0b3a6046850b7

SHA1
39634f3d01afbf375f3cb99d5c58cd3d6a0fac80

SHA256
84682b48e29297e8126e9c4aacc1cd90c0bb1bce6857f414fddc8c0065c1a3da

SHA512
dfbec027360966120de8f5328ec0ebe39771be4def40f5f14fbe54ef0990440402662b6ab577d92581315b6bf7b1fc77e5339991db4df66614e2d95fb5b6eb7d

Download Submit
C:\Users\Admin\Downloads\PoIm.ico
Filesize
4KB

MD5
1097d89b9f8ffe7c92f0574f4dfbda3d

SHA1
b1543f2204d93ae2dfbcb1ae9dacfd910df0e8fa

SHA256
0c344127fc97373520a16b3f27c97914b56122a7a57c6920ceb6083274f4bce1

SHA512
cf83742200a8e75831b3b65945e3e002600fed62430a3f03a3d12826c35dc40e1a045ac5532d757edebcd542cd2460e3a1b9d906eba6d150c70e80d29329f507

Download Submit
C:\Users\Admin\Downloads\PolyRansom
Filesize
25KB

MD5
2fc0e096bf2f094cca883de93802abb6

SHA1
a4b51b3b4c645a8c082440a6abbc641c5d4ec986

SHA256
14695f6259685d72bf20db399b419153031fa35277727ab9b2259bf44a8f8ae3

SHA512
7418892efe2f3c2ff245c0b84708922a9374324116a525fa16f7c4bca03b267db123ad7757acf8e0ba15d4ea623908d6a14424088a542125c7a6394970dd8978

Download Submit
C:\Users\Admin\Downloads\Qcou.exe
Filesize
5.1MB

MD5
768f7c0c3e53dbf35f6eb1e36a398890

SHA1
fe762e1a582fe3a81827618fafb98c4671dbe229

SHA256
5d606076f7419f680c67595943dde39790d71744a1aefc558aa6f73d76a227aa

SHA512
9d05b4166c65fec7679b8f38572c8ca887ca9481f45ec6e7083743c377766d7af3d6fdc511006c94e36fda93dec0cb2b6a915551ff6882cd73ec49b08184d2b8

Download Submit
C:\Users\Admin\Downloads\QgQU.exe
Filesize
568KB

MD5
baf363dc7c8a25ac94f80b0e9612980b

SHA1
387c332edcbfa0d368c77d0ed100da62090f01c7

SHA256
4329777590528c1af8c62c9568c584a3162f778d94e59951a761e46b6477c170

SHA512
8de394e5a0d329d8e2545bbc2fc6ee98a9bac7ca906d4fc424c53088397860aed93f9c43658f9c3674f1b5e99af97c989cd7ef865ae078a4bad9cdb7d63470a6

Download Submit
C:\Users\Admin\Downloads\RQIE.exe
Filesize
194KB

MD5
882a092d082fda96b7a22a59632b9376

SHA1
f549b33e1ad09e6994847ba555d99472ad60fa87

SHA256
611bd77663ec2ee2d66864966311f36d6d0c3130caebb02167d1f5c31cec6d15

SHA512
1e5da282fc4f2152ef8743f2b030d4ea6b4f8196b554afe2bc01dab5488cf2e341374bd3f0d6a07cce035219151fc97bce254a8f44d71cb0ff749928e52d22c6

Download Submit
C:\Users\Admin\Downloads\RYsO.exe
Filesize
204KB

MD5
25894e728b3ba26e8aa673951ad14d15

SHA1
06642f65cc6345909d85f0c170e3a9267d99899c

SHA256
dbb86cab4a8dd2df038b451c94a8c74dea572f0a4d8fb8bccb33c209fc952425

SHA512
c519d60749b0b63f19d0ba7881d03c0fff49b9a26791b0710fa062ea7d892e40853cf915e87dfa5b42fe40922b126d047315d7e0f05c90fd1c60cfae55950857

Download Submit
C:\Users\Admin\Downloads\RkMA.exe
Filesize
192KB

MD5
4329031419395719aaedbe59ce1697c7

SHA1
5ccfab8382d73318fed9c18cc5d5603125b75991

SHA256
8f0cd72d226f450711a10ae50e203c68dd53c29139173df676f2bf6cf6b6fe97

SHA512
7577f4e21e931a3e67dd75659a63bfb097e64822fc85a7233b0d39dce2ef62af52148c69d9102f3c24c394a22cd4d1fdaedc39cb6e444ba48a1efba828e5c3a0

Download Submit
C:\Users\Admin\Downloads\Tggi.exe
Filesize
298KB

MD5
95f4b32a7ade337d807b0c8a5ef0132d

SHA1
1169f57a0c2ef878b25b643e421c032234a03d60

SHA256
0c837d322a65a38cad079d2998a7b7ec45c9ff097fb01cb6d4e01491deaac1c5

SHA512
fb43c8a5942e26cd250033eacd97691aed9f63d098b01932f6173307b5ce6874021a533bca956ae43caa117305aea5143c20d0724117d7626f51bd353dda1004

Download Submit
C:\Users\Admin\Downloads\Ucgc.exe
Filesize
192KB

MD5
be614080469a8975271e0e7c8f79da29

SHA1
55134995380a5ec3df733b195101ed47ce296885

SHA256
8d99b44c6e9bab48d68f21a45990699a0011c91e270b915bd3acd0b4fe3d0cac

SHA512
e4381b89958227092fcede504bbd4958cb2fc98ee63a5c18617541309eba832a6991dc9b6d1a9c1ba82adcf1830fc66cd358e06e22ec5c79d017f8fbeab5b0f1

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 229421.crdownload
Filesize
220KB

MD5
3ed3fb296a477156bc51aba43d825fc0

SHA1
9caa5c658b1a88fee149893d3a00b34a8bb8a1a6

SHA256
1898f2cae1e3824cb0f7fd5368171a33aba179e63501e480b4da9ea05ebf0423

SHA512
dc3d6e409cee4d54f48d1a25912243d07e2f800578c8e0e348ce515a047ecf5fa3089b46284e0956bbced345957a000eecdc082e6f3060971759d70a14c1c97e

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 807567.crdownload
Filesize
1.4MB

MD5
63210f8f1dde6c40a7f3643ccf0ff313

SHA1
57edd72391d710d71bead504d44389d0462ccec9

SHA256
2aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f

SHA512
87a89e8ab85be150a783a9f8d41797cfa12f86fdccb48f2180c0498bfd2b1040b730dee4665fe2c83b98d436453680226051b7f1532e1c0e0cda0cf702e80a11

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 910465.crdownload
Filesize
338KB

MD5
04fb36199787f2e3e2135611a38321eb

SHA1
65559245709fe98052eb284577f1fd61c01ad20d

SHA256
d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9

SHA512
533d6603f6e2a77bd1b2c6591a135c4717753d53317c1be06e43774e896d9543bcd0ea6904a0688aa84b2d8424641d68994b1e7dc4aa46d66c36feecb6145444

Download Submit
C:\Users\Admin\Downloads\VwAo.exe
Filesize
205KB

MD5
bcba216d1bfc8b3ab44d5a65e6822783

SHA1
be980b3352c8577eafe52541d9f3b648f27f91c0

SHA256
e2a9bdb4e9d1ee1b59fbc834f9b7b596d7b8c563748326ec84a38119518ddac2

SHA512
9e3c60dbdb4f0f194af8dc7a9ece7d11753c297cc20f5dade7d17d4ffedf6c6a95785d4d95c876a4367f7e7183f4aa0a8f63cb09b1b31867a7ce34ae4cfc7c81

Download Submit
C:\Users\Admin\Downloads\Vwwq.exe
Filesize
346KB

MD5
5eb7d5940339e3d0dfd2489ab89d8114

SHA1
0cb1c89647fd79da4de0c82502f389439cbe66be

SHA256
c8a21a4d212dae04572ba1f46e7f4211372535c88db83683045bf32816832856

SHA512
a5fdc2aad215ebe495add67e8777cd960927152bbacfdec64f764685dd35400e3ff1c8f2c8ae12a9566acd784dba3c0f2495e61671041cd802b5e4407e7dca23

Download Submit
C:\Users\Admin\Downloads\WAYq.exe
Filesize
313KB

MD5
bbbe36a9b558fe5fa186e7cf3499c527

SHA1
01902f5d2d62006e9e6607db8da9162e7f30f16a

SHA256
5b0f0037f98409464656fba75dc7bb7ec3baee699fcea5478205e16118e2181f

SHA512
0db972bc275b4ee66c67a2c3cadf14b85dc86edca6416a20f6f4cc458d3c7ea022d6c4c72784378c2a9df4e0bd96e78969d5a27850162a6b89874f70b964e7b2

Download Submit
C:\Users\Admin\Downloads\WMwK.exe
Filesize
189KB

MD5
4ec5f64c3613acdb7b2d1a7f52c1f080

SHA1
de187b144df27fa128b8f6169025200fee03ed72

SHA256
a713f48c9619d325362a147387bb7d52151927b15c2e02aa3aa0ba96c12c9d55

SHA512
4d581efc878e5064a0641e10bc2281bca56b255e9ac9bae6e13413232494609439912b184281a159d74044ed3e81f1b70c9473edc032ba265b9b0739d7da09e6

Download Submit
C:\Users\Admin\Downloads\Wgci.exe
Filesize
6.2MB

MD5
a4e61e9a640210bea0ddb31acc471e50

SHA1
b98c664305f1c3809ba33b067c5f09933fb4e49d

SHA256
74e42593c1977708bcd1d48937784969ef5598723d6ad0fb666450be3d50a8f4

SHA512
1b7a0cc4c8a2b999112ded099b168cdef0a6cd3e83d859c21687d0c8a1c525136ec3e3b7c43e6d9c583a9aafa4aa2c14faf63eaa9d6d4c9407ce7b3e6d8c8c5c

Download Submit
C:\Users\Admin\Downloads\XIMw.exe
Filesize
1.6MB

MD5
dca9d26d24a013d2bbf5224f2c5ea914

SHA1
b6fddb0175b099f1b052f80e42993e58701fe463

SHA256
9ca8ad06fe093df206647d1b5b92cb46199052489d48bd8bf4dcdec006985acb

SHA512
736e0829748cfe8dda4bfb566d6796b7abdf3203f5e98bd3fe72c60a589e65b02b7c77cf3bbeaaa92419e838047fb2a197293c76ad91d083b45d63ec08034074

Download Submit
C:\Users\Admin\Downloads\XQQO.exe
Filesize
186KB

MD5
38ad4d452825636a20f514ee64d22772

SHA1
a956912cd9736afa0189b4aad8267643b6310b35

SHA256
6a00d003ef0a486a71fca1d04d4ef5ba500831ecc77fcd36119cb0393a738817

SHA512
59a709aa52ac683cc630f0e878fac127add2117f7243c1ae5d699991a85291a00e0e9fd8a644724a88d8125d20d10bbdd720c08f0382385c5bdebdd919f4b500

Download Submit
C:\Users\Admin\Downloads\XkAA.exe
Filesize
257KB

MD5
f64bcd03c7d5a65064fd5a8b1fe9ea01

SHA1
dd90c48088403c67ae407e0e9cfdb0c3f7403160

SHA256
cc0589d32c28f333f0a4229b3c72165c166ec927deb070d90b72fcaa0e5937da

SHA512
2e3ed37839a7daab335be3f599e16bd68f3449a12e74a8428610d91b0d65d140574dfb566c4f12b09c0c6e5e343eb2ee87d49f2e0232a22b3b9d69618964098c

Download Submit
C:\Users\Admin\Downloads\YIgK.exe
Filesize
220KB

MD5
7e6de1d6d7691b58822977dce42e0abd

SHA1
4e08de6cedb8950e4e85f18938cd6eedeac59cb4

SHA256
b04f8186745db4bdb774e3abadb3fef975b7bfeca1d818591f1c5c26837a11c8

SHA512
643718d4a060c3a9e73dea96827bb76ababca4274a6022a366ec15e1004112657e1283e45f202adb403af90a21ff06fbcb2fc9eba2892cca05fec534a6c80a45

Download Submit
C:\Users\Admin\Downloads\YUsG.exe
Filesize
189KB

MD5
88018cde0975621a0b772732c5df53b9

SHA1
c5bbb12662bbe0f24359c06150f7de6df37ffaa1

SHA256
af6add198aca69faa40d4041b16096926fbdbb65f5b8f0626e5351ef49f7206c

SHA512
4e90d12c1b4c14a6e32976d1790061ae9a7fbdcd8acc1263a49dcf453bb978a7e1ae825967f51efe4922cf1c9c24de3d57479654c8e71e9825cbe18cc9e48059

Download Submit
C:\Users\Admin\Downloads\Ysci.exe
Filesize
192KB

MD5
c7f59271cd7c2aec99cd9367ebdc62e2

SHA1
db0ba86467229757f37461dae1b8e824e67835d9

SHA256
1f414e62e5b44a7be980cd8fc22284d3402a8c355fc5e1200b2d88b209f8bb72

SHA512
d655709289a04dcc73823c03d83a8f88cee30ba626a6091339ffabe1185fc80b3db37ade0a1e644a97213fd7b95270f9fc01a1686b1cc307fdab1c96a69ed8ae

Download Submit
C:\Users\Admin\Downloads\ZAQQ.exe
Filesize
296KB

MD5
0b588a7cbaf922ff620dd0784684e423

SHA1
d12eb7ebf078e59f16ae7c27ed330522305527e5

SHA256
c3f5f27607ee37567a32d719206d25e98996d9ec4a7ec938f002993abe9ec001

SHA512
1cceae500ddaa547fc0b5b50f53580bb7ae627a098b18400e8b5bda70b28bf8f309a55820b0c13453bdbf8f099ebacd3b33cedba2436220899c00f2f4861b2ee

Download Submit
C:\Users\Admin\Downloads\ZIEe.exe
Filesize
197KB

MD5
a67e3529d18cf3d001a8cae6a870b026

SHA1
63056630f99440daf6c3d47aa5f58ce76b65d373

SHA256
5f3be5b2d6cd4894b6369231b50c77287ad20e39890c093d8f82d0c37f9d2a3c

SHA512
6ea9acb4dca2ef08ddf4cf57744bd402909c4df159f8f4013334808e4b18825ae1135affcbe4e261ff559ae6fa1918178fe47d916f284544260d7df576d5fe67

Download Submit
C:\Users\Admin\Downloads\aMIS.exe
Filesize
5.2MB

MD5
81af35036113801e967edc0383f55c18

SHA1
62552b985ff1459d804d28dd6b1b181612ff8f4e

SHA256
9e1fc07985dede36a1d7e17b5e31bcb67ee99a2009d265c3df987f6a5bfb956c

SHA512
961a9ec26353ee12fa66c72d0674c9d72459c37b7313c9a54298f88f3f37c56e1235ef1462c68ae705d0994a2d182afd1f684bfbcce5b15307a04c4180d6e28c

Download Submit
C:\Users\Admin\Downloads\aQQe.exe
Filesize
206KB

MD5
8cd224b023f00875ef5f041b76c9bc0b

SHA1
f2d07fb511977789f3d716a3b537699056f77789

SHA256
d11be42e3ca4630612c2d461106b1c59a1b2a79b3aad8221e9dae412297a94fc

SHA512
e26bd9136746f21bfbc9d5b0789d2747c46a159ff581833408d64a1e27734ee9aaeec13d48f3b350a8bbb0585f11dd84ce5c0f4e8cb56068fc340f0f75a00735

Download Submit
C:\Users\Admin\Downloads\aYgc.exe
Filesize
277KB

MD5
650a3b8ea3213a8c69873dab1cce187b

SHA1
0b2a407952c1ccd458c5dc492755e1f7bb0b40c4

SHA256
fb439f4b89f61fa454e34c5b6ca4c2945fb374fba5e9ed335293180fce59f91b

SHA512
6e47a92946a0c174e92bf0aca59ba1e35cda585439f42bdb692dbbd1ee1d883e97ea90634eaada713e9807aab22e0e3033ebc3671e8561200c71650b161482e2

Download Submit
C:\Users\Admin\Downloads\cEUi.exe
Filesize
325KB

MD5
2d649fd863f32174811b349ff9a44c09

SHA1
c940497665e28d3ebf5c4d7a235f912277feff9c

SHA256
1da7a0e609931d719b1081a2b99d10f08f922e7cd2dbe59bb330a196aa0f55eb

SHA512
a176cee5a700e29b170b6884bee8e6c74f6f98367427230a897cd9429f3045020566e8ed39cdb5af0feaad42fef14485a43892072f5baf449f926b36bf46adef

Download Submit
C:\Users\Admin\Downloads\cQIq.exe
Filesize
207KB

MD5
a42627fa26288894b31c9de3a2b75721

SHA1
0d568fa1033e688427c080abf523fa4a3249096b

SHA256
676150fef8e243a3cecee0d341f0b0c40a396a21c4a610c72e7f116f6e5deec7

SHA512
50b9d35fa1979b012ee4c299f3405abe5d3389618e7fea1a069397dfa078cd97cafabfc9b1faeb692a0add1d69f6b7b9ad9e0a92d4c4588e11f27e984cc4ee35

Download Submit
C:\Users\Admin\Downloads\cwMK.exe
Filesize
183KB

MD5
2960f41e7c1b142a9ce0fe9a0988f6dc

SHA1
686eca5e8cf5689ec30095f54688ea673bd98fb6

SHA256
3b72a0f3f1ad0c1eb5a91ee9436d26d4667e5d6b3d9ff8208c830a7daada673f

SHA512
820b79d4a91894f99bd945ffef223014fda417fcc90e24fbb298aed9b746ccabb42b8583af55883de108e38aad72b419c57c1e4d777186daf294f607056b5ce9

Download Submit
C:\Users\Admin\Downloads\dEYc.exe
Filesize
201KB

MD5
a425f8dcc7eac343dc8907e8efd55f77

SHA1
1c0e686b1591d4ca54e9735d3418cbd018c17a86

SHA256
129b503bf50c6be5c38e960e6154d075bbd6a40be566879f258f5c7e3ec290e6

SHA512
6babd368ffe43f3a6764818efcb26ded29a8f3aff4699e10aefc711fcdd4f5053bbb4d1b8faf5e9745914409568e4e7ac53a783b7b93df24d10fd426024a5658

Download Submit
C:\Users\Admin\Downloads\dIkg.exe
Filesize
216KB

MD5
6125284a05aa2d1ecc901af4c88e0761

SHA1
8396a4bc2973a664c62fb706d80300183af970ed

SHA256
2e14023cb5955313a7aaba4dd716fde98ca71190ac3cf0261ecf460ef52af0bd

SHA512
a6dcf388b69596b377dfc92e1c2b42987c3e74010147a84bb839ee7aa59b83c00a0f079c3505fd5e75e06b87c1428526acef436e9910f8a506ef135f7a75285c

Download Submit
C:\Users\Admin\Downloads\eAgk.exe
Filesize
814KB

MD5
c0ef9b02017245800378070d9b059796

SHA1
418aaf0950ad52e350056b0d6159e5d0322bd786

SHA256
589a5ae09badbc884b9642e67dc3ec925b343f94e38ff8d267993f69339cc4cb

SHA512
9b144f38a16b18efd6fb3a5d3099d1af4e2b93d4afc9395d5b85c889751ea721781130f09d2b6e98378a68dc3c758ce7c7c7b38d6c7ba0b6a7fc2a42b9a8412c

Download Submit
C:\Users\Admin\Downloads\eIAk.exe
Filesize
589KB

MD5
63e9075f0fce7a9272805dffce5f36a0

SHA1
79e7c2be6b1aa088f55323ea3023455d712aa591

SHA256
8c60d9176c235687b3a555e0a7ce28ab6de526b80fd1c8020246a919ce21ecc2

SHA512
37647680eb61e3025c03df62dbc2a56b8e223ee97d37b2e59b95b322d940d3be6295a53dde6ae137f8c13bf4d3ba952f79234ee20644bdfc595a4e0382dd797a

Download Submit
C:\Users\Admin\Downloads\eIEW.exe
Filesize
859KB

MD5
3946d83e08820b7c6ba6a624eca1905a

SHA1
8e70ab3bf82ea1d9a2961b7825ad26599ce83f55

SHA256
83a7218d413de7ca9cddf8241687fca11e6735a61381331081e0230ff04b9cba

SHA512
c486cedf5d6e26544f88845a7d77a6a9cc1a643694e3e39b9a7006db8109c8f9d1918d72abd0ae3f1b5cf485d01aad280bbced370285b6ce15df8f38fa92b139

Download Submit
C:\Users\Admin\Downloads\ewYW.exe
Filesize
189KB

MD5
6fd782a203b2c809e1ba1ba0431ac92c

SHA1
0965c6297d879561a93de191d3def1581ea83e83

SHA256
50927be3ddd2434518bd9fff39584c83800bbf4525c334f812cdc8cbb69b0784

SHA512
505cfd80cd7989d6fb7095837d76df42a87a496cf2b12ab3401601a241f1c87e9fff3c1f6313ef1c1ee40cd6c7116ca061c1399cbc2e006f2fc5212a81625a1c

Download Submit
C:\Users\Admin\Downloads\fEYk.exe
Filesize
185KB

MD5
53d1da9da970bbb05938edbf37916a91

SHA1
980cdc76043439c43e6cb39895f6e9b6b3119d9e

SHA256
4efb82ed65ad4649f936979da1715436191012662df09a76f580a7d52e8316e4

SHA512
6da8a2897b5be1cc68d0ecb8095f98f23950716996c83def738b63e6f99479d3668b9db06649bb39904976e9efeee2eb23d6a1d07ba8909a1c1247448afa83e1

Download Submit
C:\Users\Admin\Downloads\fEsO.exe
Filesize
548KB

MD5
c67ecf223593f31b8ed705a630674f71

SHA1
901c4d449103262dc67014626991a4ecc8b6878f

SHA256
e3e7a69926ec3d25309d78a858c5fb95190d7f5c771ff7113cc56d66bb85558a

SHA512
5583b4481a3469f66ff9256fe80f5ced0391bdae504c030c0299f851e70e40d260d7e119bbd8008cacd3473da0782c8dfbb1dca722d73330b11125e56f2a1a7b

Download Submit
C:\Users\Admin\Downloads\fYMO.exe
Filesize
188KB

MD5
30a6233c2d36486e79f8691b6d370bf3

SHA1
7ecb8a951f6cb2944d6bebdbd1cf229f261a7238

SHA256
c8ca204a1bfc19ab034fd991d42ea34903105728e40b2bc8a23e1700c4fa2e6c

SHA512
e6002405f726b91f930035ca2daaeb43e022551a4413e499fab29c85988cf917ae5c908eddb7061017ac4abf98c218747057c4f8b77a3c823996e6bf1f3b7c33

Download Submit
C:\Users\Admin\Downloads\fwQC.exe
Filesize
210KB

MD5
5730a268364047c093dbe3257d3cfba3

SHA1
ea05ab944d03667a268e06e73482d0e557d7243e

SHA256
9190941af7a88f90e3ae323596d74b4783ae7856a5b953f847eab144e1c12f72

SHA512
2da898e9f7cadeae67ae573b8eb1369b6ce6ef6521df898c942aca762a345509a19e15c9ee2d05696eb1c2fab54b39af68eef9fe29f0ac5f86b4dd80f90948f3

Download Submit
C:\Users\Admin\Downloads\gEUA.exe
Filesize
180KB

MD5
4d3accb0fc4a86bf23276e5e7301b5f0

SHA1
ef563df4a32e72dff8e55b12621661ddbf48d5e3

SHA256
bb467cdc70f43ef6cca84a7001b7f2dca24ff4942c03d3ffbabda190dc1fa1e7

SHA512
6f0e3d9d4693de68f7c6ef164e4b15bb396ee1995fdc72321173a872841555f17ba37fb15b51feef790c5179740fe357e113951e49b81b4160a6762112a7e1c3

Download Submit
C:\Users\Admin\Downloads\gUwk.exe
Filesize
203KB

MD5
deaf69afd49cd04e62b14d271f27bb85

SHA1
69f64cc3487c50d53567d89bf0a4508fb1b16aed

SHA256
36ac28d8ed59b8c1f450b5c06e62b9f1099e5057278cfb56c938d9d4051861a1

SHA512
cd77e7c76d83d8028ad3178a4b3ab2d70fd3ac9b36d5df4a03faf4de0262a62f624ca5ed3df4e730d1a0582275d0e5b9e4dcb14e352e12966a2fdefec3237b2c

Download Submit
C:\Users\Admin\Downloads\hMgy.exe
Filesize
461KB

MD5
6781ff3ba952fb7d89c9f6962089b676

SHA1
130b1a628760b4daaa34fb63c10779d31715557f

SHA256
be34b9ae5786906103cab4b345a470af83e22a8c9abb98183e7d228ca590ce56

SHA512
1055327b4a6be6e6038e96ac311d4448a750ee33b6e0a79693116be0f5ccbe7555b54849c99d14c8474169916d6a544563f17bb96f76fb0697adeff5b92de4e1

Download Submit
C:\Users\Admin\Downloads\hQki.exe
Filesize
207KB

MD5
14aac62cc7c3c841684baa140f42adc8

SHA1
7eb4390080896a55055ca59284ca6350b5efc633

SHA256
2e3087d1ac2974bc98e75a98cd470ec99f6fd72a7dfd10a874be2a99fc5af851

SHA512
81418b0f6b3bc17df2332d7b0b5f10ddb8a7ecb4851d293e036116a9861892d323d9c5e4e96bde2642a9ba990f1f16828823fbf437745944bb2259ed1f48657c

Download Submit
C:\Users\Admin\Downloads\hUUw.exe
Filesize
189KB

MD5
a947080390ef85d772cb4b7cdf8c13c2

SHA1
078ea237b1143afc3bff01af357f57cd694b9b13

SHA256
6bdda413ba8c124f940ce68752c27aae6fe3be322d2834eede09cc1557c44f1c

SHA512
71aa71c64fdfd5060691d804bc647b16f3590445b692e51acc1ece30e48b512d5e767ea60b1250886d0837f1edb03cb5c49954c9563bf0231962a379427d4505

Download Submit
C:\Users\Admin\Downloads\iQII.exe
Filesize
220KB

MD5
e0cc05df91d095d0ebd65e621d787260

SHA1
9773db80764b2c8ed209a6d7c96c8c5021d791ac

SHA256
59cb0b87448688c4476122dcabe24267b6aa8582b203610eb88368d66ae6b2a0

SHA512
3b9e042907be2c98a0780207a4b156340677ea33d8434b39bdb4b44953c266efb1e5f6603f2dfb029533fecc282fcf6c7684a7a5cfe65066a621f5bd270a2c54

Download Submit
C:\Users\Admin\Downloads\igQG.exe
Filesize
183KB

MD5
6d0601d9eabf14fd1dbd6be0ba462abc

SHA1
56cdd0a636f8ee8e09d4e0b3133f3981cacb6b2c

SHA256
7ab327639b7aa5340d2941710e2e5a00f21b360c9f250517757c424be5182c9f

SHA512
4574f937c76781d86ea6fc249afda8ec1830169ede8d4452a5b41378a0f0508448b51a02ebd75034419403c0f328cb0df98260a1340bf191acc5b458c11aabcc

Download Submit
C:\Users\Admin\Downloads\iwsQ.exe
Filesize
205KB

MD5
e11a6522330ef8e815a0e0334e11bd9d

SHA1
978cbc0097d4b362f34d180343d322615d12eca2

SHA256
48c24e4d43efba9d266ed9c3b35015916eb654b9c0889f64397454070bffc53b

SHA512
6bfbc80f85f839a5b0594c8122e4fedd8ba64a0c9e9b0b82ec6f81124bd558c4dfd83f2939d34142ddf74739e2e0d9af1792bdf6f5615ac40e28821038e666ee

Download Submit
C:\Users\Admin\Downloads\jUgA.exe
Filesize
186KB

MD5
2f775ec102c9dfb8b902ccf51dd2820c

SHA1
ff27166f857cb14599d0c6ded94689a60902e5d3

SHA256
b2e8b7b9832ac862088928d656ce52ce92374fe6e93b9d9c54bc0e4fa7091615

SHA512
518b06ff20d64bc7b019be3253b482430076f1e1dc9ce2ee893da1608588391589b31f0855b2e1e5b48e543c4376e38bc013991dda702ad67f951826fd4a213a

Download Submit
C:\Users\Admin\Downloads\lMgG.exe
Filesize
199KB

MD5
c2676f4be889a091203ba2c959b64c40

SHA1
5b119f71ee3c353996710d252b24239293d82f13

SHA256
b5592f05e6078ea0bb132ae1f7796f15742691ed27647c2c379c187093cc47c2

SHA512
efc6254ba0c05fb9e26c129304366bac6873a00b3ead221bd376a42a04dc14396b027dc9b6f05ef199eb629db917db6c67f16bc914adf35464c4f0e6fd61190d

Download Submit
C:\Users\Admin\Downloads\lYcu.exe
Filesize
197KB

MD5
118aac4e4e3116e33ee05487f64831fd

SHA1
4c74f8f90376b4bc53204010cace7b57db2f8859

SHA256
cde6bba35f0664a025798a48d167aa59e451666972d57a9666bdf54f0b159dd4

SHA512
5097cebb17e8f9b27f1a555864dafd2b1960f5408797f6bca30933e9b8875242eb339a5367a8094ba31abedc9cf08ce82a9610f9b76c263cd900ef032bea0b1e

Download Submit
C:\Users\Admin\Downloads\mAUO.exe
Filesize
201KB

MD5
8f6e9d3a3ae2382253b273c9d3ca3d26

SHA1
848a87e461bf542b9794e9b5008b320a11241159

SHA256
9f7e04bfc35973cd29690d02575429a246078ce609ba61a8167d2f4fe419f964

SHA512
0a6ecb29c1b7615324e28b11ecda386fddcb9e4ad38265c9f44574b41e62c6b44680422e4d99974666e7d89cc5ebc4072fe3630d4110f83c146f6f0feaece5d5

Download Submit
C:\Users\Admin\Downloads\mIQu.exe
Filesize
310KB

MD5
38ab11a7f6a708c4c65a33f206aaeda7

SHA1
9e362148e6c87ec868b6b9e3159092fe3788d1ec

SHA256
a5b57877db34b2c7367e6706ecd4ec3276ae916e1ac15b7c56fb70f927be3701

SHA512
ac5d0b9452129fb772b127983280ab1ee6e75d73154de1451ec6c7435b1cf2cfcdf7296acf1ca4aba9029c42c6b0eb9ee53089938a4010b1e773c49cf283385a

Download Submit
C:\Users\Admin\Downloads\mQYo.exe
Filesize
224KB

MD5
483e9c4a9f2cb68e9cfb1340723837b2

SHA1
1254cdbda798870eecd28b4285571d6697cafca8

SHA256
0de9735e754018fd80f26a17f5e73dbc32b315ed725a3e3741889492dd0b74c8

SHA512
84d4eab131cfc313344e6a18a2fbc2f6c9d66017f31ef350b8e7629430e3862fbdb14b4b0816e625a5cb9caf43a72069a39cf3e9d0a5b8a47bea458656cfbde4

Download Submit
C:\Users\Admin\Downloads\mkYQ.exe
Filesize
791KB

MD5
324ca52b1df569ad9e87d85207d6e7a2

SHA1
e18f64b7fe5181551e1284750caa9b9e74ca0be4

SHA256
849a39df70354d978b566b7d7b99f276e3c99b1a3b0fcd5df2c0b07371872d52

SHA512
44685dce7e3f1baa88bc8f19a105e06c7ee2cf5b437db94565b46ec383aeb099ba6cc1ee0748959312cc714756acd9e48f69ac22a8dedbd616c0e389af1f12a2

Download Submit
C:\Users\Admin\Downloads\oAIW.exe
Filesize
1.2MB

MD5
ad603691b8dea216ad480496f4e273e8

SHA1
3a93ae7f98922ac2ab8352111feb20dec3387f06

SHA256
ac1b150e1ede112a11356a32f0ca6e27582e193f4855bac86e91b9af25f62d0a

SHA512
31f75ffd45f04d7bee7cc1eaf412bd5e2dabb27d64ecfaefd6cf3bd7a49459a9f13eab1b8c1984be116c84d1482fa8a4fd681061563230738e3ec2ccc9b5968d

Download Submit
C:\Users\Admin\Downloads\psYs.exe
Filesize
237KB

MD5
d6683cce55a001c9bcc50fdb9370b1ef

SHA1
c929d25b4b4215347be7c4d1ec80cf0542fa37cf

SHA256
b73d29f2aa119b297c6a51a82fba6dd9a396a34a7b475fb344ed224671b0478c

SHA512
90c96fef45a30bfade410e6ab6979738cdbf46b2c16a306fab84065749fd49d21872815696a9c159320c349b190510aea7d46bb5c1dc26b06493accbdb677539

Download Submit
C:\Users\Admin\Downloads\pwIW.exe
Filesize
214KB

MD5
38bf344f4320e34e100c711f8c5f000e

SHA1
eed94f95ddceef803b97b4e063811d7d0d0b6dcb

SHA256
519e8c4ebea67321f8fd4416af6996a105cc1956752336f6a167ffda96b0d693

SHA512
c8e9599194a11b9829b9283ee4d1784b3abbdcb1c37d0346cccdf30dc2fdaedef73831e9ca2536fe9b72dab633aa9f0fc08ee3434726958a5c87967fec375dba

Download Submit
C:\Users\Admin\Downloads\qEMa.exe
Filesize
192KB

MD5
e2ac138bf191cc04b3db074a27b9d902

SHA1
772629d47efc0f01fbd0f77a6b3a7e6596def257

SHA256
7372bb3a691f8b6b3db78168f0b99c15434042c0c6139d1c6a86f64cf568042d

SHA512
160cce66b35061564697be0713c82538142a0fcfc994bf609e516294824c3f18253083ca3760a0f6746a8bf7a1c997ca4364e0969081775df29d0b736587e7cf

Download Submit
C:\Users\Admin\Downloads\rAsG.exe
Filesize
195KB

MD5
286d3248f4ebfd4835af29a39c027c64

SHA1
876054bbc0fe02f8ed809c138953a2e2df98e4b7

SHA256
af746d1ca62863dc9843fa8bc8e60403675003d9960bcd40e0c37e4099e0fbe4

SHA512
65a84aa676aa1748f8cf22afe10c3616f070c43bc131063b428702dc6389e757bd2fcb3391114511211006e8d4a8abc96f3ec429af62b7d6a5c10f3df89bc414

Download Submit
C:\Users\Admin\Downloads\rUsQ.exe
Filesize
435KB

MD5
e5fcdb4aa8fd9e764d7206d3578bed94

SHA1
c44e48b94898cc4ee82707a98884065b50635b8b

SHA256
65e0af3755015dfe6b31e02f8e13a9e34b75eab77fde484daf5ecc168402c0e4

SHA512
2841772520909e56e0da89d9f3bfd48b2467f217c6827329e4dde6a0d1ac2ffb42646da174062e3a08902ee3abd0be16488d1aeac389b07ff41182d6cd7d35fd

Download Submit
C:\Users\Admin\Downloads\sEEE.exe
Filesize
323KB

MD5
36d089ea4029e19193f80c7a177b60a6

SHA1
844c448fdd452e74c0f5297caf7fa94012e1ee92

SHA256
cf00835cb864bd8eed26b3f186bc7760354bec085b3ebee0585ca384ed962e6d

SHA512
5a3022aaf6ce559e128765bde8d9c86874b1c87eef189ed3e6bab0df950e80c613d81de0b9128ea574064370cc1375289b78828428a435558385fbfd185e1af9

Download Submit
C:\Users\Admin\Downloads\uIIi.exe
Filesize
5.8MB

MD5
81a1bc4bccafb98441aa3d78dbec6671

SHA1
4d5e02503b6ae6db9f648ba0a5df15da1a23b910

SHA256
97f50bf8c9c959b6ea8e2a02decfa3cf67f35334a9840ecb095d8b413b9268de

SHA512
1567f496c381c234f45a98752892c1bd125bbd3854d917ec313d7f8ec1eed9409ed2932d18a789c7627826a36a00e7ea5ae5795a571fb623ae4a54d9e130aec6

Download Submit
C:\Users\Admin\Downloads\uMUg.exe
Filesize
206KB

MD5
2165644baa8cce210c0cc1bec4e95581

SHA1
054452d106c7e6ec187ff408803ca768444e3f56

SHA256
b9459d79977c77fd84eefa334ab6d330b48dfaeed901c39331d16981720b469b

SHA512
b522118e49072d9fa1a535e4453c13c7f0d3fe047033bf1e26099f150896f8ce7ef4c44963c52c7fff4ae5ec5b0d7528b4f298a5e0f1501ebd783e02bbf4511a

Download Submit
C:\Users\Admin\Downloads\ukIc.exe
Filesize
651KB

MD5
53bec5c04fb1c19a8db1136391d2dd2e

SHA1
9cf78bb887d12768642a957bbf9841e16cc577d2

SHA256
819b7e13a7681c1436b589d5705736032c934cadaddf5fdc67056d79e1036943

SHA512
c9880e0fee0393ddef057e030b90a0331906c05543eb0359e0fdeae577374060848f24ba24f6385ca53d57c57ff40fa4426ed2923ed230fe308fcf98d63c2df4

Download Submit
C:\Users\Admin\Downloads\vQco.exe
Filesize
196KB

MD5
54c671ffc7b3caf4991e9e6af8049900

SHA1
a44fb059b5a899f1ccef9d19379f7b6c99ca7429

SHA256
d7d72c453b0427c70dbf3c6a8d8c14adeab5458c970710562f93dd7353da975b

SHA512
480dcc96efa85f93effaeb95a57646e82e337c0226863ed6d336e40dd717c8d035feaed252c3401fe8e8e9f7dd6a4a7b07915d5de48d09933ff276d1d1a6c532

Download Submit
C:\Users\Admin\Downloads\vUEc.exe
Filesize
188KB

MD5
d9f8f319467e2fb85089e04de2ef0b2c

SHA1
54f8a1ddac48d0186a3a9cce528988981b51fb5a

SHA256
e46869f48d55b44ba18c8d22326e73a2d8f743dcd6c62a944fd5a067877817f6

SHA512
4845d7857815ae17d108c3b6cd25a7a52f8ac2b0e79e4f7039106d1b7f2daeb5d2c542d6bfa0757072f93329e0767f6ed34ce05ecf9b9660457016e818c95af8

Download Submit
C:\Users\Admin\Downloads\vYYC.exe
Filesize
197KB

MD5
e236441b6450434499bf396564f4e3d4

SHA1
751e9f37b922ba85a622c3a37eeedc2b73531138

SHA256
c33bcc584062eb14065641453e8ba6c358491805d08cc604f9e5d95939f6c15a

SHA512
c0aac3351e50f5c96b5b3fba2e672eb3d0be426290c3e2319d19691d3acc997013ea441576ec26e3a5697c2d910ff673a162a0772bc29af45bea62c8d496a0c4

Download Submit
C:\Users\Admin\Downloads\wgcu.exe
Filesize
769KB

MD5
0a0717edd874c12dd63a1d3b52a78f14

SHA1
62b2c554357c46a53933e34a182e02a144bb1cb1

SHA256
5bcb1a01e7c5d7efca8b2e26b7b8626e138d77650c0bbc43b6ce207520ca6e7f

SHA512
9fd95667f4052722859c6ca8b7678bf841e823f215bbb4cad13fb9eff3d94238813d7738314d54e408c4d012c7383474ab6fbae2900401bfb0f7bc5cf9307d48

Download Submit
C:\Users\Admin\Downloads\wsEG.ico
Filesize
4KB

MD5
9af98ac11e0ef05c4c1b9f50e0764888

SHA1
0b15f3f188a4d2e6daec528802f291805fad3f58

SHA256
c3d81c0590da8903a57fb655949bf75919e678a2ef9e373105737cf2c6819e62

SHA512
35217ccd4c48a4468612dd284b8b235ec6b2b42b3148fa506d982870e397569d27fcd443c82f33b1f7f04c5a45de5bf455351425dae5788774e0654d16c9c7e1

Download Submit
C:\Users\Admin\Downloads\wwQA.exe
Filesize
189KB

MD5
ff05b2dc2e56cff56ca3680c9f391c36

SHA1
fd943cb5695c967b9a1679a16b29e03b278e15b7

SHA256
385832663bea1c829742d690788cd796764813ee56788872ce3dcef01fe92db3

SHA512
73c6fee30902ef7c5aec3881cad3a8f2723d6e84aae1de2c33983ff50dc6b59a2836dedca54b4d5e46a7d3c4647e661e12b66aec638c7682424d5a43ada1b9bf

Download Submit
C:\Users\Admin\Downloads\xAwS.exe
Filesize
185KB

MD5
f3081dc29c6d6a565d9e3c4b4be2cfa2

SHA1
3d210349e7e46391ae695829e17cc439c2a57858

SHA256
9bea96b20bcc14beaafcf6667b0e3e33f78ae7efaf9f8f8514fcca2893f41666

SHA512
678c54f2b347699b7103cfafbb555c779b79ac6ab0d10933d0c5de3a44b13d7ff88194b929964a05c6b83ccefa472c5e255cdcb2b0983a5e1fbe2aa1a3d6f67a

Download Submit
C:\Users\Admin\Downloads\xcwU.exe
Filesize
1.0MB

MD5
0858350422a4fbf5e234d5d8c7dc1c7a

SHA1
544cda1ad8dd7d440102c153b97d6cbe364e7601

SHA256
a29b96262a317e11a496abaf9faab3835f2014b3744a40f4a8aeb3a06f727983

SHA512
295f0e55860eda9e908df47cac0e1d8340aad53fac65dae5abc8ca075be9d7386d13dda94dbcf64fc11c70418439f4d0dc93954daa275b3f9cfd7f503fc2ceba

Download Submit
C:\Users\Admin\Downloads\yQEK.exe
Filesize
521KB

MD5
1686df5e2c632a3e370ccf99efb850bb

SHA1
02eddd094495c656125167a7687cd80376b149e9

SHA256
29e495903d3930e41bea599e9b6d96105cce4a8c5b0aca8f452f080305efae62

SHA512
21e84530c64f5ddc657e947a7f418b70467e4899ca808a453c9aa4740e36573231c99b820a6637088f29a38388079e26c7c4a01cde702aaedf5b8c6ed552a8f4

Download Submit
C:\Users\Admin\Downloads\yUMA.exe
Filesize
192KB

MD5
7832aa99673abe422e1cd4d09f7adff2

SHA1
420c9c742f55c14452843b21f16518513b29108c

SHA256
8636a26c1e9dd2ea6aa95ff951f27bc11cd5b3b26f440f68c44b1ca650f1eb4c

SHA512
5dde318a840821343b4d633be97eb71315d4ac7e9a5e0e4ab352ccf6943e4cd951d24c2c96e00a2010b29ed7f33de090bac17e0470f0614e1ae5435bf5c7cd23

Download Submit
C:\Users\Admin\Downloads\zkEY.exe
Filesize
197KB

MD5
483207ca8ee385a78b4afd967b47de69

SHA1
3e7bdebd40191e442e1edecc1f2a56a6c828f217

SHA256
45b4ffda547a4c934ef18f56e8f6461252cfa159fe139e2328a3fe838a8a9cda

SHA512
673f6cbd1799d290498f2d5610d69265f11dff6fdc745539a83f649ef81db4b9840ba8b1cb7b1b9aa3f197742dee6431bd35d967281771e321969612930cfa8a

Download Submit
C:\Users\Admin\eOUgIowo\pGkMEUYU.exe
Filesize
197KB

MD5
3f47a8026f7978032ae08e2bbb717c10

SHA1
7a4b3e5257cc1d24137cebe9553600ee893f7508

SHA256
5d635c97d96f00dc9a7a8c3507414069401e94c1226dc12f1df19b118da42be9

SHA512
664319428aeb3420a3c3170c472d1270ee8724bf394051c5fdc5c7ae47f3d69980abdfd93fb67e1b9442afa898e7461d5ae7125353e8be90c3ae88aa712e69d1

Download Submit
\??\pipe\LOCAL\crashpad_1684_TNZFRKLYTTWCVEJO
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/696-426-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/696-439-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/788-705-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/788-694-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/844-745-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1092-709-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1092-728-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1656-610-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1656-621-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1728-630-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1728-641-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1796-649-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1816-601-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1816-589-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2208-491-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2208-505-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2212-511-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2212-525-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2224-732-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2224-716-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2236-390-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2236-411-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2288-350-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2288-336-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2288-379-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2288-1700-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2288-992-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2288-311-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2288-606-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2288-314-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2288-312-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2288-310-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2288-313-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2288-2798-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2288-340-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2288-309-0x0000000002310000-0x00000000023DE000-memory.dmp

Filesize
824KB

Download
memory/2288-351-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2412-612-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2412-597-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2492-665-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2596-424-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2596-408-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3228-436-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3228-452-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3416-398-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3544-522-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3544-534-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3544-466-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3544-456-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3556-724-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3556-739-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3944-669-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3944-504-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3944-516-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3944-685-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4092-574-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4092-592-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4368-657-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4388-713-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4388-696-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4436-405-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4552-631-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4552-622-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4572-554-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4572-562-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4668-553-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4668-543-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4832-494-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4832-476-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4936-563-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4936-542-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4936-531-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4936-573-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4980-687-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4980-695-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5044-481-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download